<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: 11 Things the Health Care Sector Must Do to Improve Cybersecurity</title>
	<atom:link href="http://www.epanorama.net/blog/2017/06/04/11-things-the-health-care-sector-must-do-to-improve-cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2017/06/04/11-things-the-health-care-sector-must-do-to-improve-cybersecurity/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 12 Apr 2026 21:37:09 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/06/04/11-things-the-health-care-sector-must-do-to-improve-cybersecurity/comment-page-1/#comment-1568322</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 27 Oct 2017 13:44:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=56073#comment-1568322</guid>
		<description><![CDATA[UK Blames North Korea for Cyberattack That Crippled Hospitals
http://www.securityweek.com/uk-blames-north-korea-cyberattack-crippled-hospitals

Britain on Friday blamed North Korea for a ransomware attack this year that a new report revealed affected a third of English hospitals and could have been prevented with &quot;basic&quot; IT security.

&quot;This attack, we believe quite strongly that it came from a foreign state,&quot; Ben Wallace, a junior minister for security, told BBC Radio 4&#039;s Today programme.

&quot;North Korea was the state that we believe was involved in this worldwide attack,&quot; he said, adding that the government was &quot;as sure as possible&quot;.

The WannaCry attack in May infected some 300,000 computers in 150 countries, including in Britain&#039;s National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

Britain&#039;s National Audit Office revealed the attack had hit NHS England particularly hard, forcing the cancellation of some 19,500 medical appointments.

Computers at 81 hospital groups across England were affected -- a third of the total number of 236.

Some 600 general practitioners were also affected.]]></description>
		<content:encoded><![CDATA[<p>UK Blames North Korea for Cyberattack That Crippled Hospitals<br />
<a href="http://www.securityweek.com/uk-blames-north-korea-cyberattack-crippled-hospitals" rel="nofollow">http://www.securityweek.com/uk-blames-north-korea-cyberattack-crippled-hospitals</a></p>
<p>Britain on Friday blamed North Korea for a ransomware attack this year that a new report revealed affected a third of English hospitals and could have been prevented with &#8220;basic&#8221; IT security.</p>
<p>&#8220;This attack, we believe quite strongly that it came from a foreign state,&#8221; Ben Wallace, a junior minister for security, told BBC Radio 4&#8217;s Today programme.</p>
<p>&#8220;North Korea was the state that we believe was involved in this worldwide attack,&#8221; he said, adding that the government was &#8220;as sure as possible&#8221;.</p>
<p>The WannaCry attack in May infected some 300,000 computers in 150 countries, including in Britain&#8217;s National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.</p>
<p>Britain&#8217;s National Audit Office revealed the attack had hit NHS England particularly hard, forcing the cancellation of some 19,500 medical appointments.</p>
<p>Computers at 81 hospital groups across England were affected &#8212; a third of the total number of 236.</p>
<p>Some 600 general practitioners were also affected.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/06/04/11-things-the-health-care-sector-must-do-to-improve-cybersecurity/comment-page-1/#comment-1549683</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 05 Jun 2017 09:16:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=56073#comment-1549683</guid>
		<description><![CDATA[Several Hospira Drug Pumps Use Vulnerable Software: Researcher
http://www.securityweek.com/several-hospira-drug-pumps-use-vulnerable-software-researcher

A researcher who has analyzed the software installed on infusion pumps manufactured by Hospira says several models are plagued by the vulnerabilities disclosed earlier this year.]]></description>
		<content:encoded><![CDATA[<p>Several Hospira Drug Pumps Use Vulnerable Software: Researcher<br />
<a href="http://www.securityweek.com/several-hospira-drug-pumps-use-vulnerable-software-researcher" rel="nofollow">http://www.securityweek.com/several-hospira-drug-pumps-use-vulnerable-software-researcher</a></p>
<p>A researcher who has analyzed the software installed on infusion pumps manufactured by Hospira says several models are plagued by the vulnerabilities disclosed earlier this year.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/06/04/11-things-the-health-care-sector-must-do-to-improve-cybersecurity/comment-page-1/#comment-1549682</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 05 Jun 2017 09:15:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=56073#comment-1549682</guid>
		<description><![CDATA[Sobering Thoughts When a Connected Medical Device Is Connected to You
http://www.securityweek.com/sobering-thoughts-when-connected-medical-device-connected-you]]></description>
		<content:encoded><![CDATA[<p>Sobering Thoughts When a Connected Medical Device Is Connected to You<br />
<a href="http://www.securityweek.com/sobering-thoughts-when-connected-medical-device-connected-you" rel="nofollow">http://www.securityweek.com/sobering-thoughts-when-connected-medical-device-connected-you</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/06/04/11-things-the-health-care-sector-must-do-to-improve-cybersecurity/comment-page-1/#comment-1549681</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 05 Jun 2017 09:15:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=56073#comment-1549681</guid>
		<description><![CDATA[A Fact Check on Medical Device Security
http://www.securityweek.com/fact-check-medical-device-security

Worrisome Chicken Little or savvy observer of truth?

This may have been your question while reading my previous article about the security of connected medical devices, “Sobering Thoughts When a Connected Medical Device Is Connected to You.” Did lying in a hospital bed, connected to an infusion pump like the one used by security researchers to demonstrate how breaching such a device could be used to administer a fatal dose of medicine, create unnecessary angst? Or, did it draw the facts into clear focus?

Medical device network vulnerability

Now let’s consider the network vulnerability of hospitals and other medical providers using that favorably timed news I mentioned. On Friday, May 12th, the WannaCry ransomware attack infected more than 230,000 computers in over 150 countries. The attack used two components: a propagation routine and a module used to perform extortion activities. The worm leveraged a Windows Server Message Block (SMB) vulnerability. This is a well-known attack tradecraft.

An industry unprepared to defend

We now have proof of network vulnerability and an actual documented attack in hand. Two points for the savvy observer. Thus, leaving the actual vulnerability of the medical devices in question. In May 2017, the Ponemon Institute issued a report (PDF) titled “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” addressing this very subject. In the interest of full disclosure, the report was sponsored by Synopsys, my employer. 

Some highlights include:

 • 67 percent of medical device manufacturers and 56 percent of HDOs believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months.

 • 80 percent of device makers and HDOs report that medical devices are very difficult to secure. The top reasons cited include lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.

 • Only 9 percent of manufacturers and 5 percent of HDOs say they test medical devices at least once a year. Meanwhile, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

The most compelling evidence for my case is that the report cites that “38 percent of respondents in HDOs say they are aware of inappropriate therapy/treatment delivered to the patient because of an insecure medical device and 39 percent of device makers confirm that attackers have taken control of medical devices.” 

https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf]]></description>
		<content:encoded><![CDATA[<p>A Fact Check on Medical Device Security<br />
<a href="http://www.securityweek.com/fact-check-medical-device-security" rel="nofollow">http://www.securityweek.com/fact-check-medical-device-security</a></p>
<p>Worrisome Chicken Little or savvy observer of truth?</p>
<p>This may have been your question while reading my previous article about the security of connected medical devices, “Sobering Thoughts When a Connected Medical Device Is Connected to You.” Did lying in a hospital bed, connected to an infusion pump like the one used by security researchers to demonstrate how breaching such a device could be used to administer a fatal dose of medicine, create unnecessary angst? Or, did it draw the facts into clear focus?</p>
<p>Medical device network vulnerability</p>
<p>Now let’s consider the network vulnerability of hospitals and other medical providers using that favorably timed news I mentioned. On Friday, May 12th, the WannaCry ransomware attack infected more than 230,000 computers in over 150 countries. The attack used two components: a propagation routine and a module used to perform extortion activities. The worm leveraged a Windows Server Message Block (SMB) vulnerability. This is a well-known attack tradecraft.</p>
<p>An industry unprepared to defend</p>
<p>We now have proof of network vulnerability and an actual documented attack in hand. Two points for the savvy observer. Thus, leaving the actual vulnerability of the medical devices in question. In May 2017, the Ponemon Institute issued a report (PDF) titled “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” addressing this very subject. In the interest of full disclosure, the report was sponsored by Synopsys, my employer. </p>
<p>Some highlights include:</p>
<p> • 67 percent of medical device manufacturers and 56 percent of HDOs believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months.</p>
<p> • 80 percent of device makers and HDOs report that medical devices are very difficult to secure. The top reasons cited include lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.</p>
<p> • Only 9 percent of manufacturers and 5 percent of HDOs say they test medical devices at least once a year. Meanwhile, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.</p>
<p>The most compelling evidence for my case is that the report cites that “38 percent of respondents in HDOs say they are aware of inappropriate therapy/treatment delivered to the patient because of an insecure medical device and 39 percent of device makers confirm that attackers have taken control of medical devices.” </p>
<p><a href="https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf" rel="nofollow">https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
