Why hospitals are so vulnerable to ransomware attacks

These are the victims of a ransomware cyberattack

A computer virus could put people in mortal danger when the target is a healthcare facility.

The WannaCry ransomware that targeted around 300,000 machines in 150 countries first came on the public radar when 48 U.K. medical facilities were infected by the virus.

Though the impact has lessened since the ransomware was released on Friday, healthcare organizations that run outdated technology should expect this kind of attack to happen again.

Experts say old machines and outdated software at hospitals contributed to the spread of the ransomware, and that could put patient safety further in jeopardy if the situation isn't remedied.

Billy Marsh, a 10-year veteran of healthcare IT and now a security researcher at The Phobos Group, says hospitals need to be much more active in correcting their security.

"There are pretty big consequences" if a hospital has vulnerable software, Marsh said. "If they're in the middle of an operation, whatever machines they're using could go down and they'll have to fall back on manual methods."

A 2016 report from Motherboard found that many U.K. hospitals run outdated software that no longer receives security updates.


Many people don't realize that healthcare devices -- like MRI machines, ventilators, and some types of microscopes -- are actually computers. Those computers, like our laptops, come with software that the makers are responsible for supporting. Sometimes the people who make the machines stop supporting them after an extended period. That means the old software can become vulnerable to attacks.

At the RSA security conference in February, security expert Jeanie Larson said medical devices with bad security are dangerous for patients.

Larson said she once observed children at an unnamed hospital connected to EEG machines infected with malware. The machines were running on an unsupported Windows operating system. Disconnecting them to update the software would have impacted the children's care, because physicians used the machines to monitor brain activity and prescribe medicine. Eventually, she worked with the hospital to fix the machines, but she said that incident demonstrated the risks of running outdated software -- hackers could have done much more damage.

Microsoft (MSFT) issued a patch for the software vulnerable to WannaCry in March. But often large firms don't update immediately because it might affect operations running on old, legacy technology. For FDA-regulated equipment, vendors test patches before they're deployed to make sure the machines can still function -- a safeguard, but also an additional time-suck.

"Pushing patches is important, but if it breaks equipment -- and you've got a ventilator that's an expensive paperweight -- it's not going to do the patient any good," said Marsh.

After WannaCry, Microsoft made the surprising decision to issue patches for old Windows systems it no longer supports because so many firms -- including those in healthcare and infrastructure -- run old software that was vulnerable to the attack.

Moving forward, Marsh said, hospitals should set up regular audits of their machines, and segment their networks so that a compromise of one part of the network doesn't spread throughout the entire system.
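As an added illustration (not code from the article, from CNNMoney, or from The Phobos Group), the following Python script applies Marsh's two recommendations to a small device inventory: it flags machines whose operating system the vendor no longer supports or that have not been patched within a chosen window, and it reports any network segment where clinical devices sit alongside general-purpose office workstations. The device names, fields, dates and segment names are all constructed for the example.

```python
"""Audit a hospital device inventory for unsupported operating systems,
stale patching, and clinical devices sharing a segment with office hosts.

Added example; the inventory below is constructed, not real data."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    name: str
    role: str           # "clinical" (MRI, ventilator, EEG ...) or "office"
    os: str
    os_supported: bool  # does the vendor still ship security updates?
    last_patch: date    # date the most recent security update was applied
    segment: str        # network segment / VLAN the device lives on


# Constructed sample inventory (hypothetical hospital, hypothetical names).
INVENTORY = [
    Device("mri-01", "clinical", "Windows XP Embedded", False, date(2014, 4, 1), "clinical-net"),
    Device("eeg-03", "clinical", "Windows 7", True, date(2017, 1, 10), "office-net"),
    Device("vent-07", "clinical", "Windows 7", True, date(2017, 3, 20), "clinical-net"),
    Device("ws-114", "office", "Windows 10", True, date(2017, 5, 9), "office-net"),
    Device("ws-118", "office", "Windows 7", True, date(2016, 11, 2), "office-net"),
]

# Constructed audit date for the example.
AUDIT_DATE = date(2017, 5, 15)


def audit(devices, today, max_patch_age_days=90):
    """Return a list of (subject, finding_type, detail) tuples."""
    findings = []

    # 1. Per-device checks: unsupported OS first, then patch staleness.
    for d in devices:
        age = (today - d.last_patch).days
        if not d.os_supported:
            findings.append((d.name, "unsupported-os",
                             f"{d.os} no longer receives security updates"))
        elif age > max_patch_age_days:
            findings.append((d.name, "stale-patch",
                             f"last patched {age} days ago (limit {max_patch_age_days})"))

    # 2. Segmentation check: a segment holding both clinical devices and
    #    office workstations lets an infected workstation reach the
    #    devices directly, which is exactly what segmentation should prevent.
    roles_by_segment = {}
    for d in devices:
        roles_by_segment.setdefault(d.segment, set()).add(d.role)
    for seg, roles in sorted(roles_by_segment.items()):
        if {"clinical", "office"} <= roles:
            exposed = sorted(d.name for d in devices
                             if d.segment == seg and d.role == "clinical")
            findings.append((seg, "mixed-segment",
                             "clinical devices share a segment with office hosts: "
                             + ", ".join(exposed)))
    return findings


def run_audit():
    """Run the audit over the constructed inventory at the constructed date."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for subject, kind, detail in run_audit():
        print(f"{kind:15} {subject:14} {detail}")
```

On the constructed inventory the audit reports the unsupported MRI console, two stale Windows 7 hosts, and the office segment where an EEG machine shares a network with workstations; the ventilator, patched within the window and on its own segment, produces no finding.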
