WannaCry ransomware infected Bayer U.S. medical devices

Bayer received two reports of WannaCry ransomware affecting U.S. sites.

The WannaCry ransomware attack that took out the United Kingdom healthcare service also hit at least two Bayer medical devices in the U.S., Forbes reports. An image received by the business magazine shows the now-familiar WannaCry ransom message obscuring the display of a Bayer radiology system.

Bayer confirmed it received two reports of WannaCry affecting U.S. customers. The confirmation is the first time ransomware is known to have directly affected medical equipment in the U.S. In both cases, Bayer said operation was restored within 24 hours.

Full fixes will take longer. Bayer plans to send out a patch for devices running Microsoft Windows “soon.” But experts have noted the use of the Microsoft Windows Embedded family of operating systems on many medical devices makes the speedy, painless patching of equipment unlikely.


“These systems are not always easy to patch for a variety of reasons. Security fixes on embedded devices commonly require a complete firmware update from the vendor which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device,” Craig Young, computer security researcher at Tripwire, said in an emailed statement.

Young also flagged up the need to stop using devices while the firmware is installed and updated. Many hospitals, including those in the U.K., are overstretched and can ill afford to reduce capacity. Young suspects hospital administrators underappreciate the dangers posed by outdated software. Faced with the predictable difficulties that will arise from taking a device offline for maintenance and the nebulous threat of a security breach, administrators may opt against patching technology.

“This ‘if it ain’t broke don’t try to fix it’ mentality can be tremendously detrimental to hospital security,” Young said.

The fallout of the WannaCry attack is likely to have made healthcare systems more amenable to taking preventative measures. Device manufacturers are stepping up to help these responses.

BD and Siemens both released statements detailing recommendations for users of their devices without explicitly stating whether their equipment has been affected by the ransomware. Users can protect some devices by installing a patch from Microsoft, but this defense is only applicable to certain product lines.

Recognizing this, Siemens has provided guides for six groups of products that will require different fixes. Siemens said it is working on updates for the vulnerable products, which include CT and MRI devices. In the meantime, the company recommends hospitals use firewalls to block access to certain network ports or, if that is impossible, disconnect the device from the network until a patch or other fix is installed.
