It’s October, Halloween is coming, and it’s time for chilling stories.
In a post earlier this year I talked about the growing threat of ransomware in hospitals. The attacks continue unabated. Ransomware that prevents access to data and computer systems is magnificently disruptive, potentially dangerous, and expensive to respond to and resolve. That is particularly true in the US now that the Office for Civil Rights of the Department of Health & Human Services has issued guidance confirming that ransomware attacks may violate the HIPAA Security and Privacy Rules.
The ransomware attacks we’ve seen so far have been bad, but those pale in comparison to others that may be on the horizon.
In recent months we’ve seen reports demonstrating the potential for ransomware attacks against Internet of Things (IoT) devices. White hat hackers have demonstrated that ransomware can infect smart thermostats. Medical devices may be next. A recent report from the Institute for Critical Infrastructure Technology (ICIT) entitled “Combatting the Ransomware Blitzkrieg” sums the problem up well:
IoT devices offer a potential growth bed to any ransomware operation because the devices are interconnected by design and many pointedly lack any form of security. A selection of traditional malware will be too large to ever run on a number of IoT devices, but ransomware, predominantly consisting of a few commands and an encryption algorithm, is much lighter. How much do you predict someone would pay to remove ransomware from a pacemaker? The scenario is not too far-fetched; in fact, it is much more deadly. Many medical devices, such as pacemakers, insulin pumps, and other medication dispersion systems are internet or Bluetooth enabled. Ransomware could utilize that open connection to infect the IoT device.
Before you decide that this scenario is the figment of a TV series writer’s imagination, you should know that such attacks are possible. The US Food and Drug Administration (FDA) has warned about lax cyber security in medical devices, and has issued draft guidance on the subject. Further, researchers have discovered malware infections in a variety of medical devices. According to two reports I’ve seen (here and here), the affected hospitals’ cyber security detection software did not detect the malware because the operating systems used in the computerized medical devices were outdated. The researchers’ most recent report speculates that the malware exists in the majority of medical facilities around the world.
It doesn’t take much imagination to envision the consequences of a ransomware attack on medical devices. They range from a troublesome inability to use hospital equipment while an attack is in progress to the life-threatening and potentially catastrophic effects of an attack on devices such as pacemakers.
What should hospitals and other healthcare providers do to address the ransomware threat to medical devices? In guidance provided in 2013, the FDA recommended that healthcare facilities:
- Restrict unauthorized access to the network and networked medical devices.
- Make certain that appropriate antivirus software and firewalls are up to date.
- Monitor network activity for unauthorized use.
- Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
- Contact the specific device manufacturer if the facility believes it has a cyber security problem related to a medical device.
- Develop and evaluate strategies to maintain critical functionality during adverse conditions.
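The third and fourth recommendations (monitor network activity for unauthorized use; disable unnecessary ports and services) can be checked continuously rather than only at audit time. The script below is an added example, not code from the original post or from the FDA guidance it cites: it keeps a small allowlist inventory of networked medical devices (which ports each device is expected to expose, and which hosts are expected to talk to it) and compares flow records against it, flagging unexpected listening ports, unexpected peers, and destinations that are not in the inventory at all. The device names, addresses, port choices and flow records are all constructed for illustration, and the script assumes the flow log covers only traffic destined for the medical-device network segment.

```python
"""Allowlist check for networked medical devices (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Inventory entry for one networked medical device (hypothetical)."""
    name: str
    ip: str
    allowed_ports: frozenset   # TCP ports the device is expected to expose
    allowed_peers: tuple       # networks/hosts expected to connect to it


# Constructed inventory: names, addresses and port choices are assumptions.
INVENTORY = {
    "10.30.1.15": Device("infusion-pump-ward3", "10.30.1.15",
                         frozenset({443}), (ipaddress.ip_network("10.20.5.0/24"),)),
    "10.30.1.20": Device("ct-scanner-1", "10.30.1.20",
                         frozenset({104}), (ipaddress.ip_network("10.20.5.0/24"),)),
}

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
# The log is assumed to contain only traffic into the device segment.
SAMPLE_FLOWS = """\
2016-10-20T08:01:02 10.20.5.11 10.30.1.15 443 tcp
2016-10-20T08:01:09 10.20.5.12 10.30.1.20 104 tcp
2016-10-20T08:02:30 10.20.5.11 10.30.1.20 445 tcp
2016-10-20T08:03:44 192.168.77.9 10.30.1.15 443 tcp
2016-10-20T08:04:01 10.20.5.13 10.30.1.99 22 tcp
2016-10-20T08:04:05 garbage line
"""


def parse_flow(line):
    """Parse one flow record; return None for malformed lines instead of raising,
    so one bad line in a log cannot stop the whole check."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                "port": int(port), "proto": proto}
    except ValueError:
        return None


def check_flows(flow_text, inventory=INVENTORY):
    """Return (reason, device_name, line) findings for flows that deviate from
    the inventory allowlist. An empty list means every flow matched."""
    findings = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            if line.strip():
                findings.append(("unparseable", None, line))
            continue
        dev = inventory.get(flow["dst"])
        if dev is None:
            # Something in the device segment that inventory does not know about.
            findings.append(("unknown-destination", None, line))
            continue
        if flow["port"] not in dev.allowed_ports:
            # A service the device is not supposed to expose (e.g. unneeded ports).
            findings.append(("unexpected-port", dev.name, line))
        if not any(flow["src"] in net for net in dev.allowed_peers):
            # A peer outside the segment that is allowed to reach this device.
            findings.append(("unexpected-peer", dev.name, line))
    return findings


if __name__ == "__main__":
    for reason, dev, line in check_flows(SAMPLE_FLOWS):
        print(f"{reason:20} {dev or '-':22} {line}")
```

Run against the sample, the check reports four findings: a flow to the scanner on a port it should not expose, a flow to the pump from an address outside the clinical subnet, a flow to a host that is not in the inventory, and one unparseable line. Each of these is a lead to investigate, not proof of compromise; the value of the approach is that the inventory itself documents which ports and peers are necessary, which is exactly what the FDA's "disable all unnecessary ports and services" step requires you to know.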
These recommendations are sound, but given the boundless creativity of cyber criminals, even healthcare providers that conscientiously follow the FDA’s recommendations and other relevant guidance could experience a ransomware or other malware attack on medical devices.
The good news for healthcare providers is that losses resulting from such an attack can be covered by a well-constructed insurance program. As I mentioned in my post earlier this year, a good cyber policy should cover a provider’s cost to investigate and terminate a ransomware attack. Policies can also cover the financial losses resulting from damage or loss of data, and from the interruption of the company’s business. While cyber policies typically don’t cover bodily injury resulting from a cyber event, I would expect bodily injury claims to be covered under medical professional liability policies.
The insurance picture may be gloomier for manufacturers of medical devices. If an injured claimant alleges that the manufacturer was negligent in producing a device that is vulnerable to a cyber attack, the manufacturer would rely on its general liability policy to respond to the claim. Unfortunately, general liability insurers are seeking to attach exclusions published in 2014 that may eliminate coverage. In the event a general liability policy does not respond for any reason, manufacturers may have no other source of insurance recovery. All is not lost though. Insurers and brokers like Lockton have developed new solutions to provide the necessary coverage.
If you aren’t in the healthcare business, please don’t make the mistake of thinking this post isn’t relevant to you. Ransomware and other malware have been found in other types of IoT devices. The potential for economic losses as well as bodily injury and property damage resulting from such malware is very real. This is a risk that healthcare providers take very seriously. Every company should do the same.
All of that being said, as artists at the Joy of Tech site suggest, there is a lighter side to this.