The global ransomware attack that crippled the NHS in the UK highlighted an important fact: many hospitals do not have an available software patch that could have protected their computer systems.

The impact of the ransomware attack has lessened since it was released on 12 May; nonetheless, experts warn that hospitals that run on outdated software should expect the attack to recur.

Old machines and outdated software at hospitals have greatly contributed to the spread of the ransomware and will further jeopardise patient safety if the situation is not addressed quickly, say IT experts.

Billy Marsh, a 10-year veteran of healthcare IT and now a researcher at The Phobos Group, says that hospitals needed to take initiatives to correct their digital security.

"There are pretty big consequences" if a hospital has vulnerable software, Marsh said. "If they're in the middle of an operation, whatever machines they're using could go down and they'll have to fall back on manual methods."

Ransomware attack may result in legal consequences

Legal experts, on the other hand, say that cyber attacks have become increasingly common and that such breakdowns can easily turn into digital malpractice as well.

"Just as patients routinely sue hospitals and doctors for bad outcomes, it's not a huge leap to see patients suing health providers for bad outcomes that resulted from the hospital's systems going down," said Creighton Magid, co-chair of the product liability practice for the international law firm, Dorsey & Whitney.

Such claims may seem outlandish, but the 'WannaCry' ransomware attack has highlighted the consequences of failing to update outdated software, and the potential liabilities hospitals have to bear for failing to protect their data and patients from hackers.

Particularly for the NHS, legal experts say a lawsuit over such a meltdown seemed inevitable, either after this attack or, at the very least, after a future attack. In addition, the software patch was available for a couple of months and the NHS was aware for years that the operating system was not supported.

"There is no question someone is going to try to make a case out of this," said Dianne Bourque, a member of the health law practice at the Boston-based law firm, Mintz Levin. She added that regulators have little sympathy for entities that are hit by such attacks, as the organisation should have recognised the possibility of such vulnerabilities.

First case of ransomware attack on medical device reported in the US

In the US, it has been found that the ransomware managed to infect medical devices as well. A source in the healthcare industry released an image of an infected Bayer Medrad device in a US hospital. Neither the specific hospital nor the Bayer model that was hacked is known.

The medical device was radiology equipment known as a "power injector" that was designed to help improve imaging by delivering chemical "contrast agents" to a patient.

"Operations at both sites were restored within 24 hours," the source said. "If a hospital's network is compromised, this may affect Bayer's Windows-based devices connected to that network."

Hospitals need to implement measures as soon as possible

The Bayer infections represent the first known instance of the ransomware directly affecting the operation of a medical device. So now, in addition to protecting medical records, hospitals have to implement measures to safeguard digitally controlled equipment – particularly pacemakers and infusion pumps that, if hacked, could easily result in severe harm or patient death.

Furthermore, pieces of equipment are increasingly connected via the Internet of Things, increasing exposure for hospitals and patients.

"If someone with a vendetta decided they were going to manipulate the amount of medicine pumps were providing to patients or take out medical records so physicians were flying blind, you could imagine that could be a real problem for patients," he said.

Moving forward, Marsh suggests that hospitals should set up regular audits of their data systems and machines, as well as segment their networks so that if one part of the network is compromised, it does not affect the whole system. MIMS
