Cyber Attacks on Medical Imaging Systems

 

WannaCry Ransomware Attack

Cyber security is paramount in the protection of medical imaging systems.  In May 2017, a global cyber attack began to hit large organisations such as the UK’s National Health Service (NHS).  During these attacks, patient operations were cancelled, x-rays, test results and patient records became unavailable and communication channels did not function.  The WannaCry attack cost the NHS more than £92 million.  These cyber hackers infected computers in 150 countries using WannaCry ransomware.

The WannaCry infects computers and encrypts window files on the hard drive, making them impossible for users to access.  To access these blocked files, the hacker demands payment in bitcoin (digital gold) in order to decrypt them.  The WannaCry ransomware consists of several components.  The virus enters the windows system in the form of a dropper and starts to encrypt and decrypt data.  This windows system weakness was first uncovered by the United States National Security Agency (NSA).  The ransomware attack was linked to the cyber crime organisation, Lazarus Group (known as Hidden Cobra, Zinc) – a group of unknown individuals possibly linked to North Korea.

Interestingly, cyber security experts found that the programme code used to implement the WannaCry was not complicated.  The mode of operation was for WannaCry to access the coded URL known as the kill switch.  The ransomware hackers embedded this kill switch to check if a nonsense URL gave a live webpage response.

However, it was found that the domain name, www[.] ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com was not registered and inactive.  The domain status did not affect the spreading of ransomware.  When the URL was registered, it became active and resulted in the WannaCry virus being killed.

The two strategies that slowed down the spread of WannaCry was that Microsoft released a patch to help to shield Windows XP devices; this was a rare event because Microsoft had not supported XP since 2014.  This approach assisted the older computer system with unstable security and they were able to download the patch before WannaCry struck.

If the patch was not successful, the ransomware virus would search for the files and produce for example encrypted Microsoft Office files to MP3s (MPEG-1 Audio Layer-3) and MKV file extension (Matroska Video file).  The result was that the user would not be able to access files and a ransom notice would appear to demand $300 in Bitcoin to decrypt the files.  The WannaCry works by abusing the Windows implementation of the Server Message Block (SMB) protocol. The function of the SMB protocol is used for sharing access to files, printers, serial ports and other resources on a network.

The NSA discovered the vulnerability in Microsoft’s Windows operating system and developed a code called EternalBlue MS17-010 to exploit it.  They issued a security patch before the WannaCry ransomware had spread around the world and the computer systems which were updated had early protection from WannaCry.

Subsequently, the hacking tools used by NSA were stolen and published by the Shadow Brokers hacker group and appeared in the summer of 2016.

WannaCry made use of EternalBlue to infect computers and began spreading rapidly on May 12.  During this period, Microsoft had a conflict with the NSA because they did not disclose the vulnerability of the operating system.

In addition, a new strain of the Petya ransomware started spreading on June 27, 2017, infecting many organisations.  This ransomware is similar to WannaCry but uses the EternalBlue exploit as one of the means to spread itself.  Petya (known as GoldenEye; NotPetya) makes use of SMB (Server Message Block) networks and can spread within organisations seemingly resistant to the EternalBlue patch.  The infection vector for the Petya cyber attack was MEDoc, a tax and accounting software package used by corporate networks.

Interestingly, when the computer system becomes infected with WannaCry, it will not initiate the encryption of files straightaway because the virus first tries to access the nonsense URL before going to work.  Consequently, if the virus can access the domain, this would result in WannaCry shutting itself down.  The possible idea behind this mechanism could be the fact that hackers could stop the attack at any time.  WannaCry was attempting to make contact with the URL and make an analysis of the code more complicated.

Cyber researchers will run malware in a sandbox environment to enable any URL or IP address details to be reachable. Necessarily, these automated malware analysis systems known as sandboxes are one of the latest weapons in the arsenal for cyber security. These sandbox systems will execute an unknown malware program in an instrumented environment and then monitor their execution.

Medical Cyber Security

Since the destruction of WannaCry, healthcare facilities remain concerned about protecting their digital medical systems for imaging by employing medical cyber security and information technology professionals.

Just imaging a patient undergoing a CT scan and a hacker manages to change the scan and diagnosis!

The majority of medical imaging systems are part of internal and external networks and are at risk of cyber attacks which threaten the confidentiality, safety, and well-being of the patient.

The WannaCry outbreak emphasised the importance of robust cyber security practices in an increasingly connected US and Europe healthcare sectors.  In these unfortunate situations, the data was held hostage to ransomware and medical devices were compromised. These attacks highlighted the possible consequences for radiology in healthcare.  The problem with IT in healthcare is that it intends to focus on patching of known vulnerabilities (zero-day attacks) from the not sophisticated attacks because the regulatory requirements guide it.  A zero-day vulnerability is a result of a software security flaw known by the software vendor.  At the time, there is no patch in place to fix the flaw and therefore it can be exploited by cyber criminals.

The problem with some software vendors is that they do not have the expertise to address these issues. In these cases, the product remains a risk to security.  For example, the FDA criticised St. Jude Medical for failing to address known security issues with some of its implantable electrophysiology devices.  Nevertheless, medical device approval processes are still adjusting to changes in cyber security requirements.

Cyber Strategy

To reduce these malware attacks on computer systems, a cyber security strategy must be in place to counteract these threats. These potential cyber attacks can be categorised by relating the type of information the hacker wants to access or what they want to achieve.  For example, untargeted information could include large quantities of personal health data compared to more targeted attacks where the hacker can control an infusion pump resulting in patient harm.

Also, healthcare providers must take into account the sources of potential attacks within their organisation or external parties: if from employees or agency workers then there is already trusted access to the systems and therefore this is a significant security threat.  The drive behind external attacks is usually for financial gain and in some cases may result from malice towards the organisation.

The issues to consider regarding internal cyber security threats within organisations include limited encryption, system set-up configuration, applications, operational security gaps which may contain loopholes in processes and unpatched software and lack of authentication of user login credentials.  All these vulnerabilities can occur on any medical device and especially when connected to the internet and therefore pose a real danger to the technology used in various hospital departments.

To put this into perspective, the number of devices per patient bed between 1995 and 2010 has increased by 62%.  Today, a patient in a hospital bed will be monitored on average by the use of at least 13 devices.