Healthcare devices vulnerable due to legacy Windows operating systems: survey

May 21, 2019
by Thomas Dworetzky, Contributing Reporter
California-based Forescout Technologies has reported that healthcare is “riddled with devices running legacy Windows,” and that “71 percent of Windows devices will no longer be supported by Microsoft in January 2020.”

The researchers determined that these legacy Windows systems were mostly Windows 7, Windows 2008 or Windows Mobile.

The San Jose-based firm based its conclusions on analysis of data in its Forescout Device Cloud — one of the world’s largest databases of anonymized data, from over 8 million healthcare devices of more than 1,000 customers.

“The Forescout Device Cloud provides us with game changing data from millions of devices around the world, and what we are releasing today is just the tip of the iceberg,” said Elisa Costante, head of Operational Technology (OT) and Industrial Technology Innovation at Forescout in a statement. “Our findings reveal that healthcare organizations have some of the most diverse and complex IT environments, which are compounded due to compliance risks. Every time a patch is applied, there is concern around voiding a warranty or impacting patient safety. These organizations are dealing with lifesaving devices and extremely sensitive environments.”

Other findings from the survey concern the sprawling diversity of vendors and software on healthcare networks, which adds complexity and widens the attack surface. In fact, “40 percent of healthcare deployments had more than 20 different operating systems,” according to Forescout. Roughly 60 percent of systems are Windows, but the other 40 percent include a mix of mobile, embedded firmware and network infrastructure. The level of complexity is highlighted by the conclusion that “30 percent of healthcare deployments had 100 or more device vendors on their network,” the report found.

“Patching in healthcare environments, especially acute care facilities, can be challenging, and require devices to remain online and available,” advised the researchers, adding that, “some healthcare devices cannot be patched, may require vendor approval, or need manual implementation by remote maintenance personnel.”

Beyond the difficulty of patching, insecure network configuration remains a problem. The survey determined that “eighty-five percent of devices on medical networks running Windows OS had Server Block Messaging (SMB) protocol turned on, allowing uncontrolled access for attackers to get beyond the perimeter and move laterally,” noting that this is not entirely the fault of hospital IT staff. “Device manufacturers sometimes leave network ports open by default — often unbeknownst to IT and security staff,” according to Forescout.
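The three findings above (end-of-support operating systems, devices that cannot simply be patched, and SMB left listening) combine into a simple triage that a hospital security team can run over its own asset inventory. The script below is an added example, not Forescout's code or data: the inventory rows are constructed, the `Device` fields and tier names are this example's own assumptions, and the only external facts are Microsoft's 14 January 2020 end of extended support for Windows 7 and Windows Server 2008/2008 R2 (the "Windows Mobile" cutoff is an assumption that follows the report in treating it as legacy).

```python
"""Triage a device inventory for end-of-support Windows and exposed SMB.

Added example (not Forescout's code or data). Inventory rows below are
constructed; the EOL dates for Windows 7 / Server 2008 are public facts.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# End of extended support for the versions the article names. "Windows Mobile"
# spans several product lines with different end dates; the report treats it
# as legacy, so this table does the same (assumption: one 2020-01-14 cutoff).
EOL_DATES = {
    "windows 7": date(2020, 1, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows mobile": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Device:
    host: str
    vendor: str
    os_name: str        # e.g. "Windows 7", "Windows 10", "VxWorks"
    smb_enabled: bool   # SMB server listening on the device (445/tcp)
    patchable: bool     # False: needs vendor approval or manual on-site work


def is_windows(dev: Device) -> bool:
    return dev.os_name.lower().startswith("windows")


def unsupported(dev: Device, today: str) -> bool:
    """True when the OS has a known EOL date that is already past.

    `today` is an ISO date string. Windows versions not in the table are
    treated as supported here; in a real inventory an unknown OS is its own
    finding and should be surfaced separately."""
    eol = EOL_DATES.get(dev.os_name.lower())
    return eol is not None and date.fromisoformat(today) > eol


def risk_tier(dev: Device, today: str) -> str:
    """Rank by the two conditions the survey highlights: no more security
    updates, and SMB reachable (a lateral-movement path once inside)."""
    eol = unsupported(dev, today)
    if eol and dev.smb_enabled:
        return "critical"
    if eol or (dev.smb_enabled and not dev.patchable):
        return "high"
    if dev.smb_enabled:
        return "medium"
    return "low"


def recommendation(dev: Device, today: str) -> str:
    """Compensating control when the device itself cannot be fixed quickly."""
    if risk_tier(dev, today) == "low":
        return "no action"
    actions = []
    if dev.smb_enabled:
        actions.append("disable SMB if the vendor permits, otherwise block "
                       "445/tcp at the segment boundary")
    if unsupported(dev, today):
        actions.append("upgrade" if dev.patchable else
                       "isolate in a dedicated VLAN pending vendor-approved replacement")
    return "; ".join(actions)


def triage(devices, today: str) -> dict:
    """Summary figures comparable to the ones the survey reports."""
    windows = [d for d in devices if is_windows(d)]
    pct = lambda n, total: round(100 * n / total) if total else 0
    return {
        "tiers": dict(Counter(risk_tier(d, today) for d in devices)),
        "pct_windows_unsupported": pct(sum(unsupported(d, today) for d in windows), len(windows)),
        "pct_windows_smb": pct(sum(d.smb_enabled for d in windows), len(windows)),
        "os_count": len({d.os_name for d in devices}),
        "vendor_count": len({d.vendor for d in devices}),
    }


# Constructed sample inventory; hosts and vendors are placeholders.
INVENTORY = [
    Device("infusion-pump-01", "VendorA", "Windows 7", True, False),
    Device("imaging-ws-02", "VendorB", "Windows 7", True, True),
    Device("lab-analyzer-03", "VendorC", "Windows Server 2008 R2", False, False),
    Device("nurse-handheld-04", "VendorD", "Windows Mobile", False, False),
    Device("admin-pc-05", "VendorE", "Windows 10", True, True),
    Device("core-switch-06", "VendorF", "IOS", False, True),
    Device("patient-monitor-07", "VendorG", "VxWorks", False, False),
    Device("pacs-server-08", "VendorB", "Windows Server 2016", True, True),
]

if __name__ == "__main__":
    for when in ("2019-05-21", "2020-06-01"):
        print(when, triage(INVENTORY, when))
        for dev in INVENTORY:
            print(f"  {dev.host:20} {risk_tier(dev, when):8} {recommendation(dev, when)}")
```

Running it with the article's publication date and then a date after January 2020 shows the point the survey makes: nothing in the inventory changes, yet the Windows 7 and Server 2008 hosts move into the top tiers simply because the calendar passed the end-of-support date, and the ones that also expose SMB and cannot be patched are the first candidates for network isolation.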

The global attack in 2017 by the WannaCry ransomware was a recent, prime example of the exploitation of legacy systems. The malware struck over 300,000 computers worldwide, mostly running Windows 7, according to Kaspersky Labs via The Verge.

Speaking about healthcare IT at a HIMSS 2018 presentation in the wake of WannaCry, Albany Medical Center's vice president and chief information security officer Kristopher Kusche said that, “because of our position and because of the way we have elaborated our infrastructure not to keep up with sectors like banking, we have become targets, accidental targets.” He added, “There’s not one federal agency that will say that health care was in the attack vector on these things. We weren’t in the plan. These things wouldn’t have targeted us, which kind of makes it a little more difficult because these things were random. Now, we have to protect against everything because we’re not the target, we’re not the target of this stuff. But where somebody finds a hole, they take advantage of it.”