200,000 Systems Shutdown by Ransomware Attack

In May 2017, a hacking tool was used to access 200,000 Windows systems in hospitals. The hack affected a Bayer Medrad medical device that improves medical imaging for radiology equipment. The device delivers a contrast agent to patients receiving MRI scans, to facilitate the detection of strokes, brain trauma, tumors, etc.
The coordinated attack made the device unusable during a period of time, until Bayer sent out a microsoft patch to remedy the problem. Although the ransomware attack did not directly affect patient health, it delayed care to patients. Poor medical device security can cause serious problems. Devices such as blood glucose monitors, heart monitors, COPD inhalers for medical conditions, or a heart rate variability monitor for stress and other behavioral issues, can all be connected to the internet, making them vulnerable to cyberattacks.

Medical Device Security and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 requires organizations working in healthcare, including behavioral health practices, to have safeguards in place securing protected health information (PHI). To adequately safeguard PHI, medical device security is imperative. Many medical devices connect to healthcare networks, posing a cybersecurity risk.
As such, The Food and Drug Administration (FDA) recently released guidance for medical device manufacturers to increase cybersecurity. The FDA requires medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ during premarket reviews. Within the document, manufacturers must include a list of areas in which the device may be vulnerable.
Although this may limit attacks on new devices, devices released to market before the new guidance continue to be vulnerable. Some of the vulnerabilities can be addressed by software patches, however, it may be necessary to recall some older devices.

This is Part X of the XI-part blog series. You can also read Parts I to IX below:

Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the tenth of which is medical device security. (Each one of these XI HIPAA outlined practices will be examined in its own article, labeled Part I-XI for your convenience).