70% of medical devices will be running unsupported Windows operating systems by January: report

The number of connected medical devices being used in hospitals and healthcare organizations continues to grow at a rapid pace, representing a vulnerable surface for cyberattacks.

Raising the cyberrisks even further, 70% of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020, according to a new cybersecurity report.

Microsoft support for devices running Windows 7, Windows 2008 or Windows Mobile is planned to expire by January 14, according to a cybersecurity report from Forescout, a medical device and internet of things (IoT) cybersecurity company. Running unsupported operating systems poses a risk that may expose vulnerabilities and has the potential to impact regulatory compliance.

The WannaCry ransomware attack back in May 2017, which hit more than 300,000 machines in 150 countries, targeted Windows operating systems and succeeded where those operating systems lacked security updates. According to data from Kaspersky Lab, roughly 98% of computers affected by the ransomware were running some version of Windows 7. A major concern for hospitals around the world is the use of old operating systems that are no longer upgraded or supported. 

To better understand the security risks facing healthcare organizations, Forescout researchers analyzed 75 real healthcare deployments with more than 10,000 virtual local area networks (VLANs) and 1.5 million devices within the company's device cloud, a crowdsourced device repository that now contains more than 8 million IT, IoT and operational technology (OT) devices.

RELATED: Ransomware attack shuts down NHS hospitals as malware spreads globally; 'evidence' of U.S. attack, says HHS

The number of connected devices is growing at hyperspeed, and these devices include healthcare devices like patient tracking and identification systems, infusion pumps and imaging systems. It also includes infrastructure devices such as building automation systems, physical security systems, uninterrupted power supplies, backup generators and other OT systems and devices that are increasingly joining IT networks.

Consequently, the responsibility for OT is moving under the purview of IT, according to the report. According to Gartner, by 2021, 70% of OT security will be managed by the chief information officer, chief information security officer or chief security officer departments, up from 35% today.

This rapid adoption of connected devices is creating serious side effects: It expands the attack surface, creates significant cybersecurity gaps and makes it difficult to scale security.

"Our findings reveal that healthcare organizations have some of the most diverse and complex IT environments, which are compounded due to compliance risks. Every time a patch is applied, there is concern around voiding a warranty or impacting patient safety. These organizations are dealing with lifesaving devices and extremely sensitive environments," Elisa Costante, head of OT and industrial technology innovation at Forescout, said in a statement.

The most common devices on medical networks are still traditional computing devices (53%) followed by IoT devices (39%) including VoIP phones, network printers, tablets and smart TVs. OT systems including medical devices, critical care systems, building automation systems, facilities, utilities and physical security comprise 8% of the devices on medical networks.

RELATED: FDA updates medical device premarket guidance to include cybersecurity recommendations

Within the OT device category, the three most common connected medical devices found were patient tracking and identification systems, infusion pumps and patient monitors. The growing number of vulnerabilities in OT environments increases the attack surface in healthcare environments, according to the report.

The diversity of device vendors and operating systems present on medical networks adds to the complexity and increases security challenges. Forty percent of healthcare deployments had more than 20 different operating systems, according to the report. When looking at the different types of operating systems found on medical VLANs, 59% were Windows operating systems and 41% were a mix of other variants including mobile, embedded firmware and network infrastructure.

In addition, more than 30% of healthcare deployments had 100 or more device vendors on their network. Patching in healthcare environments, especially acute care facilities, can be challenging and requires devices to remain online and available. Some healthcare devices cannot be patched, may require vendor approval or need manual implementation by remote maintenance personnel, the report said.

The researchers also found that vulnerable protocols are leaving a door open for cyberattackers. Most devices (85%) on medical networks running Windows OS had server block messaging protocol turned on, allowing uncontrolled access for attackers to get beyond the perimeter and move laterally. Device manufacturers sometimes leave network ports open by default, with IT and security staff often in the dark about this default setting.

The report also indicates that many healthcare organizations have yet to sufficiently invest in segmentation. "At the most basic level, VLANs can be employed to segment the network based on organization needs and priorities, effectively isolating critical data, segregating similar devices by function or limiting access to data, systems and other assets based on user credentials," the report said.

RELATED: After WannaCry, experts worry healthcare’s vulnerabilities will make the next ransomware attack even worse

When it comes to healthcare cybsersecurity, the costs of inaction can be staggering. Every second a device remains noncompliant extends the window of vulnerability and increases the risk factor—exposing healthcare organizations to significant patient safety, financial and business consequences, according to the report.

"Healthcare organizations have a choice: invest in proactive risk planning and mitigation efforts now or pay later and face the wrath of security-conscious regulatory agencies, patients and legislators," the security researchers wrote in the report.

The report provides recommendations on how organizations can develop and implement an enterprise-wide security and risk-management strategy. That includes:

  • Enabling agentless discovery of all devices. Although devices with software agents make it easier for security and IT management to communicate with devices and monitor their activity, most medical devices do not support agents. Agentless detection of all IP-connected devices across the extended network is critical.
  • Identifying and auto-classifying devices. It’s not sufficient to simply detect a device’s IP address. Rapid and granular auto-classification is essential for extracting contextual insights from each device on the network and determining its purpose, owner and security posture. This information must feed into a real-time asset inventory to drive access control policies and help security teams quickly respond to targeted attacks on specific operating systems or devices.
  • Continuously monitoring devices. Medical devices must be continuously monitored to detect any change in device posture. A point-in-time analysis can result in a set-it-and-forget-it mentality whereby compliance fatigue sets in and risk propagates. Nonstop network monitoring using passive and/or active techniques provides security teams with real-time situational awareness to continuously track asset information and behavior while increasing the efficiency of security teams.
  • Enforcing segmentation. Network segmentation is a known best practice, but it isn’t easy to manage or enforce throughout the network. High-risk devices such as known-to-be-vulnerable legacy systems should be segmented to contain a potential breach and limit risk.