The UK trade association AXREM recognises that many of its customers face impacts from the recent major cyber-attack known as “WannaCry”. Select products of AXREM’s members may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware. The exploitability of any such vulnerability depends on the actual configuration and deployment environment of each product.
As of Friday 12th May 2017, AXREM communicated with its members calling for companies to “work collaboratively to support our mutual customers, and facilitate communications between members if this helps to address the current problems, and also assist in preventing further attacks.” Appropriate technical information was duly shared by members in a collaborative manner to serve the best interests of our mutual customers.
Suppliers have been focusing on restoring operation of systems compromised by the ransomware attack, and protecting systems from further risk of compromise.
Medical imaging systems differ from standard personal computers and server systems, which can often receive cumulative updates (or “patches”) promptly. Medical imaging systems are classified as Medical Devices and are accordingly subject to strict regulation. This means that suppliers are obliged to rigorously test software updates and patches to ensure that functionality and safety are not compromised. For this reason, relying on clinical product software patches to defend against malware attacks is not a sustainable option, given that this would mean releasing a new regulatory-approved and clinically tested software release for multiple assets on as much as a daily or weekly basis to keep pace with evolving malware. Therefore, robust network defences are strongly recommended to protect against future attacks, and AXREM members are keen to support the NHS in achieving and maintaining this status going forward.
Suppliers are consequently balancing the obligation and responsibility to test (validate) patches and software updates, as well as providing additional network security provisions, with the requirement to promptly apply appropriate protective measures in addition to those applied within customers’ own networks. NHS Digital is providing guidance for the NHS with respect to protecting against cyber-attack.
Responsible suppliers are affording the appropriate focus and urgency to mitigate the risk of further disruption, and to support their customers in providing continuity of patient care and safety.