WannaCry Malware and Medical Device Security

The WannaCry virus has infected and frozen computers in many industries around the world. According to one news report, the virus has been used to extort doctors and hospital administrators for the keys to unlock and regain access to the systems they need to treat patients. The Telegraph reports that in the United Kingdom alone, up to 40 hospital trusts were hit by the WannaCry ransomware virus, which resulted in a wave of cancelled appointments and a general state of disarray. Recently, the BBC has stated that at least 16 of these hospitals are still facing issues. Given the widespread damage associated with the WannaCry virus, many experts have urged the medical device industry to be on alert, now more than ever, regarding the cybersecurity of its medical devices.

Although the issues associated with medical device security have recently been discussed, some industry professionals believe there does not seem to be an adequate solution to the problem of device security.  Tressa Springman, the CIO of LifeBridge Health, explains:

“There’s a lot of talk in healthcare about device security. Discussions about what we’re comfortable pushing as endpoint security and what we’re unable to do – because certainly, we don’t want to create any harm to patients.  Many of these devices and the vendors who manage them, it’s very hard to go direct on patching and adding security.”

While medical devices are generally tested extensively for safety, some cybersecurity experts have observed that the same cannot necessarily be said for security. Brian NeSmith, co-founder and CEO of cybersecurity company Arctic Wolf Networks, has stated:

“Medical devices, similar to many other IoT devices, were not designed with rigorous security in mind and are more vulnerable to being hacked. They also do not fall under normal security operations procedures since they are used as needed by the medical practitioners and not deployed and maintained by the IT department.”

Security experts are emphasizing the importance of security patches.  Optimistically, Richard Staynings, the principal cybersecurity healthcare leader at Cisco’s Security unit, believes:

“This is going to cause a paradigm shift, at least for patching.”


By using this blog, you agree and understand that no information is being provided in the context of any attorney-client relationship. You further agree and understand that nothing herein is intended to be legal advice. This blog is solely informational in nature, and is not intended as, and should not be used as, a substitute for competent legal advice from a retained and licensed attorney in your state. Knobbe Martens LLP makes no representations or warranties as to the accuracy, completeness, timeliness or availability of the information in this blog. Knobbe Martens LLP will not be liable for any injury or damages relating to your use of, or access to, any such information. Knobbe Martens LLP undertakes no obligation to correct or update information on this blog, which may be incorrect or become incorrect or out of date over time. Knobbe Martens LLP reserves the right to alter or delete content or information on the blog at any time. This blog contains links and references to other websites and publications that you may find of interest. Knobbe Martens LLP does not control, promote, endorse or otherwise have any affiliation with any other websites or publications unless those websites or publications expressly state such an affiliation. Knobbe Martens LLP further has no responsibility for, and makes no representations regarding, the content, accuracy or any other aspect of the information in such websites or publications.