Healthcare faces 'double-barreled' threat from Microsoft vulnerabilities

Healthcare organizations and hospitals need to patch a critical vulnerability and beef up their cybersecurity defenses in the face of several new cyber risks, security experts say.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging organizations to patch critical vulnerabilities affecting Microsoft Windows operating systems.

Tech giant Microsoft last week released software fixes to address 49 vulnerabilities, among them critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway) and Windows Remote Desktop Client.

The National Security Agency discovered the CryptoAPI flaw and reported it to Microsoft. Exploiting the vulnerability lets attackers defeat trusted network connections and deliver executable code while appearing to be legitimately trusted entities, the NSA said in a cybersecurity advisory.

"The consequences of not patching the vulnerabilities are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time," the NSA said.

In response, the HHS Office of the Assistant Secretary for Preparedness and Response issued a bulletin urging healthcare organizations to apply the patch based on the "likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the sector and high potential for a compromise of integrity and confidentiality of information."

RELATED: Microsoft warns flaw in Windows legacy systems 'likely to be exploited' similar to WannaCry

CISA recommends that organizations install critical patches as soon as possible, starting with mission-critical systems, internet-facing systems and networked servers.

These developments come on top of the increased risk of cyberattacks stemming from the recent escalation of tensions with Iran.

"It's a tremendously challenging time for IT security teams," John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association (AHA), told FierceHealthcare.

For hospitals and health systems, with hundreds of servers and thousands of connected medical devices, implementing a security patch can be a long process, Riggi said.

"For safety and technical reasons, each medical device has to be tested separately to ensure that the patch doesn't cause the device to malfunction," he said. "Take, for example, a life-support medical device: you want to make sure the patch or any upgrades don't conflict with the existing firmware or software applications on the device."

Microsoft ends support for Windows 7

These critical vulnerabilities in Microsoft Windows operating systems come at the same time that Microsoft ended support for the Windows 7 operating system, meaning computers still running it will be more vulnerable to malware and hacking.

The tech giant announced last March that it would end support for Windows 7 in January 2020, which means Microsoft no longer provides security updates for the operating system.

Microsoft also discontinued support last week for the Windows Server 2008 and Windows Server 2008 R2 operating systems.

"Healthcare is facing a double-barreled threat with the expiration of Windows 7 support on the same day that the NSA issued an advisory about a major flaw in Windows 10," Riggi said.

The security risks for healthcare are potentially huge as the industry is still reliant on legacy operating systems, according to David Finn, executive vice president of strategic innovation at cybersecurity firm CynergisTek.

The biggest risk is another attack like the WannaCry ransomware attack in 2017.

The WannaCry ransomware attack in 2017 hit more than 300,000 machines in 150 countries; it targeted Windows operating systems and succeeded on machines that lacked security updates.

Healthcare organizations need to accelerate their migration plans to a supported version of Windows, such as Windows 10, before new vulnerabilities are found and exploited, Finn said.

RELATED: Ransomware attack shuts down NHS hospitals as malware spreads globally; 'evidence' of U.S. attack, says HHS

In September, Microsoft announced enterprise customers could pay for extended support on Windows 7. But this can come with a hefty price tag for healthcare organizations with a large inventory of devices, experts say.

"Healthcare leaders should be looking at what is the most critical and what needs to be migrated and even consider paying for additional support. IT leaders also should move obsolete servers behind firewalls," Finn said.

Cybersecurity vendor Cynerio estimates that nearly 50% of all medical devices running Windows use Windows 7.

"Due to the long life cycles of medical devices critical to patient care, more than 20% of all device models in the global medical ecosystem now run on the unsupported operating system. This includes a significant portion of imaging devices, placing radiology departments at even higher risk," Cynerio executives said in a statement. 

Switching from Windows 7 to Windows 10 is not a simple process for the average hospital, for both technical and financial reasons, Riggi said.

"Many hospitals and health systems, for economic reasons, will continue to maintain medical devices in their inventory that are run on Windows 7. Some devices are not technically capable of being upgraded, as the manufacturer doesn't allow the option for them to be updated," he said.

RELATED: After WannaCry, experts worry healthcare’s vulnerabilities will make the next ransomware attack even worse

Riggi recommends that healthcare organizations strengthen their defenses by implementing risk-control measures, such as network segmentation for devices still running Windows 7.
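The two recommendations above, CISA's patch ordering (mission-critical systems, then internet-facing systems, then networked servers) and the experts' advice to segment or migrate anything still on Windows 7 or Windows Server 2008/2008 R2, translate into an inventory triage that a hospital security team can run against its asset list. The script below is an added example written for this page, not code from the article, CISA, the NSA or any of the quoted firms; the inventory rows, hostnames, field names and role labels are constructed for illustration.

```python
"""Triage a Windows asset inventory for patch order and end-of-support risk.

Added example, not part of the original article. The inventory format
(host,os,roles,patched,segmented) and every row below are constructed.
"""
from dataclasses import dataclass

# Operating systems the article reports as out of support since January 2020.
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}

# CISA's suggested patch order; a lower number means patch sooner.
ROLE_PRIORITY = {
    "mission-critical": 0,
    "internet-facing": 1,
    "server": 2,
    "workstation": 3,  # assumed default for anything else
}

# Constructed sample inventory (hostnames and roles are hypothetical).
SAMPLE_INVENTORY = """
# host,os,roles(;-separated),patched,segmented
rdgw-01,Windows Server 2016,server;internet-facing,no,no
ehr-app-02,Windows Server 2019,server;mission-critical,no,no
mri-console-1,Windows 7,mission-critical,no,no
xray-ws-4,Windows 7,workstation,no,yes
fileserver-3,Windows Server 2008 R2,server,no,no
reception-pc-9,Windows 10,workstation,yes,no
billing-pc-2,Windows 10,workstation,no,no
"""


@dataclass
class Asset:
    hostname: str
    os_name: str
    roles: tuple        # e.g. ("server", "internet-facing")
    patched: bool       # January 2020 Windows fixes applied?
    segmented: bool     # host isolated in its own network segment?


def parse_inventory(text):
    """Parse the constructed CSV-like inventory, skipping comments and blanks."""
    assets = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, os_name, roles, patched, segmented = [f.strip() for f in line.split(",")]
        assets.append(Asset(
            hostname=host,
            os_name=os_name,
            roles=tuple(r for r in roles.split(";") if r),
            patched=patched.lower() == "yes",
            segmented=segmented.lower() == "yes",
        ))
    return assets


def priority(asset):
    """Best (lowest) priority across the host's roles; unknown roles rank last."""
    if not asset.roles:
        return ROLE_PRIORITY["workstation"]
    return min(ROLE_PRIORITY.get(r, ROLE_PRIORITY["workstation"]) for r in asset.roles)


def patch_queue(assets):
    """Unpatched hosts that CAN take the fix (supported OS), in CISA's order."""
    todo = [a for a in assets if a.os_name not in UNSUPPORTED_OS and not a.patched]
    return [a.hostname for a in sorted(todo, key=lambda a: (priority(a), a.hostname))]


def legacy_findings(assets):
    """Hosts on an unsupported OS will never receive the fix.

    Maps each such host to the compensating action the article's experts
    describe: segment it first if it is not already isolated, then migrate
    or buy extended support.
    """
    findings = {}
    for a in assets:
        if a.os_name in UNSUPPORTED_OS:
            findings[a.hostname] = (
                "migrate-or-extended-support" if a.segmented else "segment-then-migrate"
            )
    return findings


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    print("Patch order:", patch_queue(inventory))
    for host, action in legacy_findings(inventory).items():
        print(f"Unsupported OS on {host}: {action}")
```

On the constructed inventory the patch queue comes out as the mission-critical EHR server, then the internet-facing RD Gateway host, then the ordinary workstation; the Windows 7 and Server 2008 R2 hosts are excluded from the queue because no patch exists for them and are reported separately with a segmentation or migration action instead.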

The need to prioritize cybersecurity and IT

Finn contends that healthcare organizations are lagging behind other industries in migrating to Windows 10, and he believes it is part of a broader problem in healthcare.

"Healthcare doesn’t spend a lot of money on IT and it gets back to cost and effort. When you're rolling out a new electronic medical record system, you don’t have the IT resources to roll out a new desktop operating system, so that drops to the bottom of the list," he said.

Hospital and health system executives need to factor major IT upgrades into their budgets just as they budget for major building upgrades, Finn said.

"We know operating systems get upgraded and organizations need to build these upgrades into their dollar budgets and into their plans, both from an IT perspective and a business perspective," he said. "IT needs to be viewed as core to the operation of the business."