Hospitals and medical device companies are on heightened alert for cyberattacks from Russian-sponsored hackers looking to target U.S. critical infrastructure after Russia's invasion of Ukraine last week, experts say.
While cybersecurity threats to healthcare and the medtech industry — including ransomware — have grown during the pandemic, the conflict has raised the threat level.
Nick Yuran, CEO of medical device security consulting firm Harbor Labs and who has worked in U.S. intelligence as a Russian linguist-analyst for 10 years before moving to the private sector, contends that given the "talents and resources" available to a state-sponsored actor such as Russia, the damage to America's healthcare system potentially could be catastrophic.
"We typically think of energy and finance as the most high-profile targets of a state-sponsored cyberattack, but an attack on healthcare infrastructure could be equally as disruptive," Yuran said. "A targeted cyberattack against military healthcare organizations, such as Military Health System or VA facilities, might be intended as a military operation. But, there would be no way to guarantee that such an attack would not inadvertently make its way into civilian healthcare since there are so many common resources and assets."
However, the American Hospital Association (AHA) on Feb. 23 issued a cyber advisory soon after Russia’s invasion of Ukraine warning that U.S. hospitals and health systems may be targeted "directly" by Russian-sponsored cyber actors, while also potentially "become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates" healthcare organizations.
Chris Gates, director of product security at medical device engineering firm Velentium, says the world is already seeing Russian data-wiper malware being used in Ukraine, coupled with ransomware, "in what appears to be a tactic akin to throwing the 'kitchen sink' at them." Gates argues that "such tools could easily spread beyond the intended targets" and impact hospitals and medical devices.
The first ransomware attack on a medical device was reported during the worldwide 2017 WannaCry attack, which successfully encrypted radiology equipment drives at hospitals and demonstrated the vulnerabilities of medtech. Hundreds of thousands of computers were compromised by the WannaCry ransomware in at least 150 countries, including the National Health Service in the United Kingdom, where the cyberattack froze computers at hospitals and closed emergency rooms. North Korea is widely believed to have been behind the attack.
"If cyberattacks begin, no one can tell for sure how wide the fallout might be, but what we have seen in the past is that it is usually wider than expected and not necessarily isolated to the target," Mac McMillan, CEO of cybersecurity consulting firm CynergisTek, wrote in an email. He pointed to the WannaCry attack as an example.
"Once started, these things are not always easily contained," McMillan said.
Mike Rushanan, director of medical security at Harbor Labs, believes that Russian-sponsored malware could exhibit the same characteristics as worms like WannaCry, which spread beyond their intended target to impact a broad set of Internet of Things (IoT), consumer and hospital IT devices, as well as associated healthcare systems and services.
"Russian state-sponsored actors are certainly capable of producing a similar type of attack, and even if healthcare is not the primary target, hospitals could be negatively affected potentially putting patients at risk," Rushanan said. "It's my opinion that any state-sponsored hacking campaign will be indirect. Malware will spread via a worm ... It'll be difficult to directly attribute to Russia."
Last month, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation and the National Security Agency issued a joint advisory providing an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques and procedures.
CISA followed that advisory with its own "Shields Up" alert earlier this month meant to convey a heightened national cybersecurity posture in an effort to better safeguard U.S. critical infrastructure, including healthcare.
"While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia's unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies," CISA said.
Kevin Fu, acting director of cybersecurity at the FDA's Center for Devices and Radiological Health, recently said that attacks on healthcare facility networks are causing medical device "outages" that put patient lives at risk.
"Nation states and organized crime — real threat actors — are causing harm, damaging the safety and effectiveness of medical devices," Fu warned at AdvaMed's 2021 MedTech Conference in late September, around the same time The Wall Street Journal reported the first alleged death in a hospital attributed to ransomware.
Legacy, connected devices
While the AHA didn't specifically call out medical devices in its Russia cyber advisory last week, the hospital group has warned for years about the challenges of defending older legacy devices that were not built with security in mind against growing and sophisticated hacker threats. Making matters worse is the number of connected medical devices being used in hospital networks is rapidly increasing, leaving them vulnerable to cyberattacks.
According to the FDA, medical device manufacturers (MDMs) are responsible for "remaining vigilant" about identifying cybersecurity risks and hazards related to their devices, while healthcare delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
The problem is that device security continues to be a casualty of a hospital-medtech divide that often results in finger pointing between these two stakeholders and at times a lack of coordination.
However, Velentium's Gates said that in conversations with both MDMs and HDOs over the past couple of weeks, prior to Russia's invasion of Ukraine, he has been "heartened" that both stakeholder groups seem to be taking the Russian hacker threat seriously.
"Removing offices in Ukraine and Russia from direct connections into the organizations. Implementing their 'playbooks' for a more secured posture. It's about all that can be done," Gates noted. "As this war heats up and other countries are brought into it, what will Putin feel is the correct response? Since the reasons for this war seem illogical, I would expect his continued actions to reflect this as well. A lot more questions than answers at this point."
The FDA has yet to issue an alert on the potential cybersecurity threats to medical devices following Russia's invasion of Ukraine or to provide recommendations on reducing the cyber risks and vulnerabilities.
The agency, in an emailed response to MedTech Dive, said it "respectfully declines to comment at this time" on the implications of the Russia-Ukraine conflict for device security.
Nonetheless, the FDA's cybersecurity webpage states that medical devices "are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve healthcare and increase the ability of healthcare providers to treat patients" but those "same features also increase potential cybersecurity risks" making it "especially challenging" to safeguard devices while soberly noting "threats and vulnerabilities cannot be eliminated."
Watchdog group ECRI last month issued its annual report on the biggest medtech hazards, finding that cyberattacks are the top patient safety concern for medical devices in 2022, while noting that all healthcare organizations are subject to cybersecurity incidents.
The organization in particular emphasized the problem was a patient safety issue, noting that an incident could threaten network-connected medical devices and data systems.
So far, ECRI has not seen any reports from its members, which are mostly providers, of attacks related to the ongoing cybersecurity concerns. Nor has it seen specific recalls or alerts from medical device manufacturers. However, the organization still recommended that hospitals and device manufacturers be on alert.
"We’re not seeing anything from them coming to us and saying, 'we’re getting hit,'" said Chad Waters, a senior project officer with ECRI. "Everyone should be vigilant, and watching the logs in your organization. Do what you’re supposed to be doing all this time, just make sure you’re actually doing it."
Specifically, ECRI said hospitals should have an incident-response plan that takes medical devices into account, including ensuring that if a device loses functionality as a cascading effect from an outage, that facility still has a means to provide care. Communication lines also need to be open, with manufacturers monitoring for potential vulnerabilities, flagging those to the providers that purchase their devices as well as potential fixes.
Medical device manufacturers also should keep an eye out for potential impacts further up in the supply chain. For instance, if they rely on a vendor for network management, or a cloud services provider, they should ensure those vendors are vigilant and up-to-date with security practices, said ECRI Principle Project Officer Juuso Leinonen.
Many companies also have programmers, hosting sites, call centers and tech support in the Ukraine, wrote CynergisTek's McMillan. As those entities are disrupted, it could affect the companies they support.
"Attacks on infrastructure can also present risks to organizations as their ability to communicate with their supply chain is disrupted," McMillan wrote. "We’ve seen this already with attacks on Kaseya, the Colonial Pipeline, JBS Foods and most recently Kronos."
Rob Suárez, Becton Dickinson's chief information security officer, makes the case that hospitals and health systems as well as medical device manufacturers and external partners "need to be extra vigilant and on high alert to potential cyberattacks," given that "there’s a patient at the end of everything we do."
Suárez notes that CISA's "Shields Up" alert earlier this month offers "actionable guidance for strengthening cybersecurity, from verifying endpoint protections for critical systems to addressing known vulnerabilities, monitoring for unusual activity and confirming up-to-date offline backups to ensure resilience."
BD's security chief also advises that hospitals and health systems take additional steps to protect against cyberattacks, including using strong network and system access controls, securing critical services behind separate firewalls and disabling unnecessary accounts, protocols and services.
"We always recommend that hospitals and health systems also train their staff to be extra vigilant. For example, restrict system access to authorized personnel only and equip employees to recognize and report suspicious activity, including social engineering and phishing attacks. Increasing cyber awareness across all levels of the organization can help protect patients from potential cyberthreats," Suárez said.
Still, Velentium's Gates contends that it's not just medical device manufacturers and healthcare delivery organizations that could be potentially affected by Russian-sponsored hacking. Cyberattacks on hospitals could also disrupt their mission-critical service providers, as AHA has suggested, Gates said.
"I don't think that anyone is 'out of scope' from intentional or unintentional consequences. So not just service providers but all vendors. And the overall supply chain is already in pretty miserable shape, so it wouldn't take much before shortages could become real problems," Gates added.
Elise Reuter contributed reporting to this article.