WannaCry Response Coordination

NOTE: Information will be actively collected across key stakeholders globally throughout WannaCry response and will be reviewed, evaluated, and pertinent information posted as soon as it has been vetted.

The Medical Device Security Information Sharing Council (MDSISC) is engaged with networks of hospitals and manufacturers in active surveillance for the WannaCry outbreak.

If you are a manufacturer, health care organization or other organization that could facilitate the collection of data for WannaCry surveillance, please contact MD-VIPER.

Medical Device Cybersecurity Communications and Updates

Protecting the health and safety of patients by preventing ransomware attacks on medical devices is an MDSISC priority. This is accomplished by ensuring that patient safety and health are addressed systemically during all phases of a cybersecurity attack.

Engaged stakeholders include, but are not limited to, medical device manufacturers, healthcare delivery organizations, and our Federal partners responsible for medical device emergency response activities. When responding to emergency situations, they can navigate the proper channels to provide assistance to those healthcare delivery organizations and medical device stakeholders in need.

These communication and update activities are a part of the MDSISC functions and are closely coordinated with and/or leverage content from general NH-ISAC activities, ICS-CERT, FDA, US-CERT, HHS, and many private sector partners.

Medical Devices Protected from WannaCry with a Firewall – Sharing of an approach that might be useful

Source: A small group of MDSISC members provided this possible action.

A hardware firewall that isolates the medical device network functions from the WannaCry ransomware infection is an alternative to applying the recommended operating system patch. If a medical device is a closed system (e.g. cannot be used for email or browsing the web) and has been segregated from the Healthcare Delivery Organization (HDO) network through the use of a hardware firewall configured to block the ports used by the WannaCry ransomware, then the operating system patch is not necessary because the firewall protects the medical device from infection.

A firewall deployed with the medical device by the device manufacturer should not be modified; its configuration should remain as specified by the device manufacturer so that critical or essential communication functions of the device are not blocked. An HDO installing its own firewall to segregate a device should check with the manufacturer or the device manual to verify that critical or essential communication functions of the device will not be blocked.
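As an added illustration of the check this approach implies (not MDSISC's or any manufacturer's code): a small first-match policy evaluator that audits a candidate firewall rule set for a device segment on two counts, whether the ports the page names for WannaCry's spread (139/tcp and 445/tcp for SMB, 3389/tcp for RDP, as in the Q&A and the Smiths Medical advisory below) are still reachable from the HDO LAN, and whether the device's essential flows, taken from the manufacturer's manual, would be blocked. The device address, the HL7 and central-station flows and the three rule sets are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports this page names as WannaCry's spread path: SMB 139/445 and RDP 3389.
WANNACRY_PORTS = (139, 445, 3389)

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR ("0.0.0.0/0" = any)
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def decide(rules, src, dst, proto, dport):
    """First matching rule wins; anything unmatched is denied (default-deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"

def audit(rules, device_ip, essential_flows, probe_src="10.0.5.23"):
    """Return (exposed WannaCry ports, essential flows the rules would break).
    essential_flows are (src, dst, proto, dport) tuples taken from the device
    manual, the check the text asks an HDO to make before deploying a firewall."""
    exposed = [p for p in WANNACRY_PORTS
               if decide(rules, probe_src, device_ip, "tcp", p) == "allow"]
    broken = [f for f in essential_flows if decide(rules, *f) != "allow"]
    return exposed, broken

# Constructed sample: a device server at 10.0.9.10 that pushes HL7 results to an
# integration engine (10.0.1.5:2575) and accepts a central station (10.0.1.8:7000).
DEVICE = "10.0.9.10"
ESSENTIAL = [(DEVICE, "10.0.1.5", "tcp", 2575), ("10.0.1.8", DEVICE, "tcp", 7000)]

# Weak: the whole HDO LAN may reach the device, so a worm on any LAN host reaches SMB.
WEAK = [Rule("allow", "10.0.0.0/8", DEVICE + "/32", "any", None),
        Rule("allow", DEVICE + "/32", "10.0.0.0/8", "any", None)]
# Over-blocked: stops the worm but also the flows the device needs to function.
OVERBLOCK = [Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None)]
# Hardened: explicit denies for the worm ports, then only the documented flows.
HARDENED = [Rule("deny", "0.0.0.0/0", DEVICE + "/32", "tcp", p) for p in WANNACRY_PORTS]
HARDENED += [Rule("allow", "10.0.1.8/32", DEVICE + "/32", "tcp", 7000),
             Rule("allow", DEVICE + "/32", "10.0.1.5/32", "tcp", 2575)]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("overblock", OVERBLOCK), ("hardened", HARDENED)):
        print(name, audit(rules, DEVICE, ESSENTIAL))
```

The over-blocked set is the failure mode the text warns about: it closes the worm ports but would also stop the device's documented traffic, which is why the manual review comes first.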

Questions and Answers

Q: The report says to install the Windows patch and then in the same paragraph says you don’t need to install the Windows patch if you have a firewall. I would hesitate recommending people not to patch even if they have a properly configured firewall.

A: The intent was in situations where it is not practical to immediately apply the patch, that the firewall can protect from infection. For example, with some medical devices a customer does not have access to the O/S and cannot apply the patch. Ultimately the manufacturer must implement the patch in accordance with their formal release procedures, and will rely on the secure configuration of the firewall to provide protection until that time. Revised and consolidated the wording to clarify the intent.

Q: Blocking port 445 for SMB v1 will only stop the worm from propagating across the network, but single workstations potentially could still be infected via USB or phishing email. I would not want to provide a false sense of security by suggesting that if you block the port you don’t need to take other defensive measures.

A: The statement of the medical device being a “closed system” was intended to narrow the applicable devices to those that cannot be used for browsing, reviewing email, etc. Additional clarification was added about a closed system.

Q: Do any medical devices depend on SMB v1 to function properly? There have been several medical devices affected by WannaCry that do not function if SMB v1 is blocked. I would add a caveat to the statement regarding blocking SMBv1 ports, if there would be a functional impact to certain products.

A: Consideration of this was given by the statement that if an HDO installs the firewall, then they need to review any settings with the manufacturer. Minor changes were made to clarify manufacturer deployment from HDO installation.

Medical Device Manufacturers

The following product vendors have reported that they support products that use Microsoft Windows and have proactively issued customer notifications with recommendations for users (ICS-CERT will update the list of vendors that have released customer notifications as additional information becomes available):

Manufacturer | Link to WannaCry Outbreak Statement & Recommendations | Comments/Notes
ABB | http://search.abb.com/library/Download.aspx?DocumentID=9AKK106930A9737&Action=Launch |
Accuray | http://www.accuray.com/service/service-support |
Beckman Coulter (select region and country to view) | https://www.beckmancoulter.com/wsrportal/wsr/support/WannaCry-Ransomware-Cyber-attack/index.htm |
Becton, Dickinson and Company (BD) | http://www.bd.com/aboutbd/productsecurity/wannacry-ransomware.aspx | Updated product information
Drager | http://static.draeger.com/security |
Emerson Automation Solutions | http://www.emerson.com/documents/automation/584888.pdf |
GE Healthcare | https://digitalsupport.ge.com/communities/en_US/Article/GE-Security-Bulletin-Regarding-WannaCry |
Honeywell | https://www.honeywellprocess.com/en-US/support/Pages/security-updates.aspx |
Johnson Controls | http://www.johnsoncontrols.com/productsecurity |
Johnson & Johnson | http://www.productsecurity.jnj.com/advisories.html |
Medtronic | http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/wannacry-publicstatement-5-17-17.pdf |
Philips Healthcare | http://www.usa.philips.com/healthcare/about/customer-support/product-security | Updated product information
Rockwell Automation | https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1047348 |
Samsung | http://www.neurologica.com/security-advisory |
Schneider Electric | http://www.schneider-electric.com/en/download/document/SEVD-2017-135-01/ |
Siemens | https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701903.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-286693.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-774661.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-709509.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-354910.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-492736.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-966341.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-161640.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-408571.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-832636.pdf |
        | https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-740012.pdf |
Smiths-Medical | https://www.smiths-medical.com/company-information/news-and-events/news/2017/may/17/wannacry-malware-infection-and-outbreak-statement |
Spacelabs Healthcare | https://www.spacelabshealthcare.com/wp-content/uploads/2017/05/WannaCry-Malware-Assessment-and-Compatibility-Statement_23_May_2017.pdf |
Stryker | Please see statement listed below. |
Toshiba Corporation | http://www.toshiba.co.jp/info/170529_e.htm |
Toshiba Medical Systems Corporation | http://www.toshibamedicalsystems.com/news/cyber_attack.htm |
Tridium | https://www.tridium.com/~/media/tridium/technical bulletins/2017/ransomware wannacry cyberattack update.ashx |

If you’d like to be added to the list or provide updates on the WannaCry outbreak, please email MD-VIPER.

Manufacturer-provided advisories and recommendations regarding WannaCry Impact and remediation:

Accuray:
Service Bulletin for “WannaCry” Ransomware
On Friday, May 12, 2017, the malware WannaCry (also referred to as WCRY) was launched and quickly spread to computers across the Internet. Accuray has not identified any increased safety risks from the malware at this time. Accuray is continuing to monitor information related to this malware as it develops to understand the potential impact to safety and security risks for Accuray systems. At the time of this letter, no Accuray systems have been reported to be infected by this malware. This situation is developing, and Accuray will issue additional communications as new information becomes available. Download our full letter with more information.

BD:
Thank you for contacting the BD Corporate Product Security Office. We are currently evaluating and validating appropriate measures for products regarding the WannaCry ransomware. We have posted a bulletin on our Product Security website, which can be found at http://www.bd.com/aboutbd/productsecurity/wannacry-ransomware.aspx

If we have additional recommendations or actions, we will update this page and notify our customers as appropriate. If you believe a BD product has been affected, please email us at product.security@bd.com and contact your BD service representative immediately.

Siemens:
Official advisory on the issues regarding WannaCry: https://www.siemens.com/cert/en/cert-security-advisories.htm

Smiths Medical:
May 17, 2017
You will have seen over the weekend the extensive cyberattack known as the WannaCry malware infection and outbreak that impacted healthcare organizations, financial institutions and universities globally.

The Smiths Medical Cyber Security Engineering and Operations teams have been monitoring our systems for any signs of the WannaCry malware malicious software infections; no indicators of compromise or malware infections have been thus far discovered. In addition, we are educating our software engineering teams, and are working closely with our information services to ensure all necessary software patches are in place to protect our environment. To our knowledge, no Smiths Medical product has been affected by the WannaCry Malware infection and outbreak.

According to Microsoft this ransomware spreads either by attachments/links in phishing emails or on malicious websites (“system zero infection”) or via an infected system that exploits a vulnerability in a Windows component used in the context of open file shares of other systems reachable on the same network. Certain details may be found on the following Microsoft page:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

For products that are listening on network ports 139/tcp, 445/tcp or 3389/tcp, their exploitation exposure depends on the security measures within the network. In order to protect a product from exploitation it should be isolated from any infected system within its respective network segment (i.e., product deployed in a network segment separated by firewall control blocking access to network ports 139/tcp, 445/tcp and 3389/tcp).

If the above cannot be implemented we recommend the following:
• If patient safety and treatment is not at risk, disconnect the uninfected product from the network and use in standalone mode
• Reconnect the product only after the provided patch or remediation is installed on the system

In addition, Smiths Medical Cyber Security Engineering recommends:
• Ensure you have appropriate backups and system restoration procedures
• For specific patch and remediation guidance information contact your local Smiths Medical sales or technical representative
• Use of Active Directory (AD)
• Use of Managed Services Accounts within AD
• Network isolation for medical pumps and software applications via:
  ◦ Virtual Local Area Network (VLAN)
  ◦ Network address translation (NAT)
  ◦ Dynamic Host Configuration Protocol (DHCP)
  ◦ Use of Secure Socket Layer (SSL) Certificates issued from a bona fide Certificate Authority (CA) NOT OpenSSL within your network when connecting to our software applications
  ◦ Use of 2048 bit encryption as minimum within the SSL certificate environment

The Smiths Medical Cyber Security Engineering team will continue to monitor the situation and provide further updates and/or suggestions if needed.

Stryker:
Our product and global security operations teams are taking precautions to ensure our infrastructure and products are patched and secured from WannaCry. At this time, we are not aware of any impact from this event and are actively monitoring this situation and collaborating with other organizations.

We will continue to take actions as needed to keep our systems and products secured.

For more information, please see the alert issued by the US Computer Emergency Readiness Team (US-CERT).

Customers with additional questions should contact their respective Stryker service representatives.

Public Sector

Organization | Website Link
DHS (Department of Homeland Security) | https://www.dhs.gov/
FDA (Food and Drug Administration) | https://www.fda.gov/
HHS (Department of Health and Human Services) | https://www.hhs.gov/
ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) | https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01G
NH-ISAC (National Health Information Sharing and Analysis Center) | https://nhisac.org/
US-CERT (United States Computer Emergency Readiness Team) | https://www.us-cert.gov/ncas/alerts/TA17-132A

If you’d like to be added to the list or provide updates on the WannaCry outbreak, please email MD-VIPER.

Public Sector-provided advisories and recommendations regarding WannaCry Malware Outbreak:

ICS-CERT:
In addition to the WannaCry ransomware, there is reporting of other malware exploiting the vulnerabilities in the Windows SMB server, identified in Microsoft Security Bulletin MS17-010. Some of these additional samples of malware identified in the reporting are UIWIX, Adylkuzz, and EternalRocks.

The ransomware UIWIX is reported to be executed in memory and terminates itself if it is able to determine that it is running in a virtual machine or sandbox, making it more challenging to detect and analyze. The Adylkuzz Trojan is malware that consumes resources of infected systems to create a botnet for cryptocurrency mining. EternalRocks is a network worm that spreads through seven exploits and does not have a malicious payload. There is also reporting that the EternalRocks campaign may have ended; however, information about EternalRocks is still useful, as the exploits utilized in this campaign could potentially be used in future campaigns.

The impacts of these additional malware have not been fully assessed; however, since they appear to be exploiting vulnerabilities in the Windows SMB server, the mitigation guidance remains the same. These additional threats further emphasize the need for the implementation of effective prevention and protection mechanisms, such as those provided in the US-CERT alert.

In an effort to support critical infrastructure asset owners/operators, ICS-CERT has published a What is WannaCry/WanaCrypt0r? Fact Sheet.

To assist healthcare providers with mitigation efforts, ICS-CERT offers the following information regarding the patch management of medical devices, which comes directly from the FDA Fact Sheet – FDA’s Role in Medical Device Cybersecurity:
• Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
• The FDA recognizes that Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.

The FDA has provided recommendations to protect healthcare systems in their Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication. The FDA recommends that healthcare providers consider taking the following steps:
• Restricting unauthorized access to the network and networked medical devices.
• Making certain appropriate antivirus software and firewalls are up-to-date.
• Monitoring network activity for unauthorized use.
• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
• Developing and evaluating strategies to maintain critical functionality during adverse conditions.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Stakeholder Organizations

Organization | Website Link
HIMSS (Healthcare Information and Management Systems Society) | http://www.himss.org/xx
CHIME (College of Healthcare Information Management Executives) | https://chimecentral.org/
AAMI (Association for the Advancement of Medical Instrumentation) | http://www.aami.org
ACCE (American College of Clinical Engineering) | http://accenet.org/
CE-IT Community (A Clinical Engineering/IT Collaboration) | http://www.ceitcollaboration.org/
AdvaMed (Advanced Medical Technology Association) | http://www.advamed.org/

If you’d like to be added to the list or provide updates on the WannaCry outbreak, please email MD-VIPER.