1. Identify networked medical devices/servers/workstations that are operating on a Windows OS.
Useful sources for this information may include:
a) Medical device inventory (i.e., computerized maintenance management systems)
b) Change management systems
c) Manufacturer Disclosure Statement of Medical Device Security (MDS2) forms obtained during device purchase
d) Medical device manufacturers
e) Alerts from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)—a list of some medical devices impacted by WannaCry and Petya can be found here: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01I
2. Identify whether connected medical devices/device servers have the relevant Microsoft Windows OS security patches.
(All Windows versions without the MS17-010 security patch may be vulnerable to the WannaCry and Petya ransomware.)
3. Consider running a vulnerability scan on your medical device networks to identify affected medical devices.
a) Vulnerability scanning can be used to identify devices that may be vulnerable to malware.
b) This method should only be used if (1) information is not available through other sources about the existence of a Windows OS and the associated vulnerabilities on your medical devices and (2) you already have a list of which devices and systems are compatible with vulnerability scanning. ECRI Institute is aware of medical device failures that occurred when systems incompatible with vulnerability scanning were scanned.