Mitigating Ransomware Risks in Medical Applications and Devices

If you’ve followed the news lately you’ve undoubtedly seen the numerous reports of ransomware attacks. Ransomware attacks are not necessarily new. In fact, the malware that locks your computer and essentially prevents you from accessing your files until a ‘ransom’ is paid (recently in bitcoin which is untraceable), has been around for more than a decade, but lately ransomware has targeted hospitals and other healthcare facilities.

According to a Wired article – Why Hospitals are the Perfect Targets for Ransomware – these facilities are coming under attack because they are ideal opportunities for hackers:

Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

In fact, just earlier this week, Healthcare IT News announced the ransomware attacks of two new hospitals; San Diego-based Alvarado Hospital Medical Center and Indiana-based King’s Daughters’ Health. The FBI states it’s received 2,453 complaints about ransomware just last year costing victims more than $24 million, and with the FBI unable to stop them victims are often forced to pay the hijackers to gain access to their critical systems and data.

Mobile medical and wellness applications are a prime target for ransomware hackers, and as their use grows there needs to be application security protocols in place to prevent this malware. The FDA has recently released guidance designed to provide a framework for the management of cybersecurity in medical devices. The draft guidance goes into great detail, but the key points are:

  • Device and application creators need to incorporate security elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover.
  • Incorporate detection mechanisms into their device design and device features to increase the detectability of attacks and permit forensically sound evidence capture.
  • Design the devices to ensure that risks inherent in remediation are properly mitigated including ensuring that the remediation is adequate and validated and that the device designs incorporate mechanisms for secure and timely updates.

Our enterprise-level solution, Cryptanium, has two main components that can help medical device manufactures introduce the security needed to prevent malware threats like ransomware. The first is Cryptanium Secure Key Box, a white box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase security protection against these types of malware threats.

Ransomware is real, scary and a big problem for healthcare facilities today. Tackling device and application security is a step toward protecting not only hospitals but the patient data that they depend on.