The ECRI Institute released new guidance in its article “Ransomware Attacks: How to Protect Your Medical Device Systems” on May 18, 2017. The report recommends protective actions for hospitals and points out critical differences between protecting medical device systems and protecting general hospital IT systems.

According to the report, ransomware makes data, software, and IT assets unavailable to their users. The report describes ransomware as encrypting data to hold systems hostage, with the attacker promising to restore the victim’s access to the data once a ransom is paid. One earlier example reported on the Knobbe Medical Device Blog was the WannaCry ransomware, which caused disruptions for several hospitals in the United Kingdom. The International Business Times reported that security researchers had found WannaCry was not limited to computers but was also capable of exploiting medical devices.

The ECRI Institute report explains that an IT department can apply new security patches to some medical device systems; other systems, however, will remain susceptible, either because they run an older version of an operating system that can’t be upgraded, or because they have not been validated for clinical use with the latest security patches.

The report includes a list of dos and don’ts for quickly responding to emerging threats. The “Dos” mentioned in the report include:

  • Identify medical devices, servers or workstations that may be affected.
  • Contact the device vendor.
  • Request written copies of the manufacturer’s recommended actions for dealing with a current ransomware threat.

The “Don’ts” mentioned in the report include:

  • Don’t overreact.
  • Don’t install unvalidated patches. Unvalidated patches can make medical devices faulty or inoperable. Ask the manufacturer for documentation of the validation.
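The first “Do” (identify affected devices) and the second “Don’t” (no unvalidated patches) together amount to a triage of the device inventory: which assets are exposed to the current threat, which of those can take a patch the manufacturer has validated, and which cannot be patched at all and therefore need the vendor contacted. The following is an added example, not code from the ECRI report or the Knobbe blog; the inventory records, the threat description, the OS names and the patch identifier are all constructed placeholders, and the `validated_patches` field assumes the hospital keeps a record of which patch versions each vendor has documented as validated.

```python
"""Triage a (constructed) medical-device inventory against an emerging threat.

Sorts each asset into one of four buckets so that responders can see at a
glance which devices are exposed, which can be patched with a manufacturer-
validated patch, and which must stay unpatched pending vendor guidance.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    asset_id: str
    device_type: str
    os: str                 # constructed OS label, e.g. "Windows 7 SP1"
    os_supported: bool      # False when the OS can no longer be upgraded at all
    vendor: str
    # Assumption: patch identifiers the vendor has documented as validated for
    # clinical use on this device (per the report: ask the manufacturer for
    # the validation documentation).
    validated_patches: set = field(default_factory=set)


@dataclass
class Threat:
    name: str
    affected_os: set        # OS versions the threat is known to affect (constructed)
    fixing_patch: str       # placeholder identifier of the patch that closes the exposure


def triage(inventory, threat):
    """Return asset ids grouped by what can be done about them."""
    report = {
        "unaffected": [],         # OS not in the threat's affected set
        "patch_validated": [],    # exposed, and a vendor-validated patch exists
        "patch_unvalidated": [],  # exposed, patch exists but vendor has not validated it
        "unpatchable": [],        # exposed, OS cannot be upgraded at all
    }
    for d in inventory:
        if d.os not in threat.affected_os:
            report["unaffected"].append(d.asset_id)
        elif not d.os_supported:
            report["unpatchable"].append(d.asset_id)
        elif threat.fixing_patch in d.validated_patches:
            report["patch_validated"].append(d.asset_id)
        else:
            report["patch_unvalidated"].append(d.asset_id)
    return report


def next_actions(report):
    """Map each bucket to the report's recommended actions (nothing else)."""
    actions = {}
    if report["patch_validated"]:
        actions["patch_validated"] = "Apply the vendor-validated patch; keep the validation documentation on file."
    if report["patch_unvalidated"]:
        actions["patch_unvalidated"] = ("Do NOT install the patch yet; contact the vendor and request "
                                       "written documentation of its validation.")
    if report["unpatchable"]:
        actions["unpatchable"] = ("Contact the vendor and request written copies of the manufacturer's "
                                 "recommended actions for this threat.")
    return actions


# Constructed sample inventory and threat (not real devices, OS builds or patches).
SAMPLE_INVENTORY = [
    Device("MRI-01", "MRI console", "Windows XP Embedded", False, "VendorA"),
    Device("PUMP-02", "infusion pump", "Windows 7 SP1", True, "VendorB", {"KB-PLACEHOLDER-001"}),
    Device("WS-03", "imaging workstation", "Windows 7 SP1", True, "VendorC"),
    Device("SRV-04", "PACS server", "Windows Server 2016", True, "VendorC"),
]
SAMPLE_THREAT = Threat("ransomware-placeholder",
                       {"Windows XP Embedded", "Windows 7 SP1"},
                       "KB-PLACEHOLDER-001")

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, SAMPLE_THREAT)
    for bucket, ids in result.items():
        print(f"{bucket:18s} {ids}")
    for bucket, action in next_actions(result).items():
        print(f"{bucket}: {action}")
```

The buckets matter more than the code: a device in `unpatchable` or `patch_unvalidated` is not a failure of the IT department but a case the report explicitly anticipates, and the only actions attached to those buckets are the ones the report lists (contact the vendor, request written guidance, hold off on unvalidated patches).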

The ECRI Institute is a nonprofit organization that has its U.S. headquarters in Plymouth Meeting, Pennsylvania.