A huge proportion of internet-connected imaging devices at hospitals run outdated operating systems, according to research released today. The researchers found that 83% of these devices run on outdated software that can’t be updated even when it contains known vulnerabilities that hackers can exploit. The number increased significantly from 2018, which coincides with Microsoft ending support for Windows 7 earlier this year. A significant number of machines run even older operating systems, including Windows XP, which Microsoft stopped supporting in 2014. The imaging devices include machines that take X-rays, MRIs, mammograms and CAT scans.
If these machines are hooked up to unsupported and out-of-date operating systems, they are in a seriously dangerous position – effectively playing Russian roulette with their cyber security. These machines could be extremely vulnerable to new threats and will be a direct target for cybercriminals. If 83% of these devices are running outdated software, they have clearly not learnt from the WannaCry fiasco in 2017, and are leaving themselves open to new attacks.
However, organizations that still use Windows 7 may be paying for extended support, which may not be clear at first. All I can suggest is that they have a scheduled plan in place for when they decide to move over to more up-to-date systems to better protect themselves from future threats.
Healthcare providers face many of the same software security challenges as everyone else. This includes having an inventory of assets, understanding what software is running where, and applying updates expeditiously.
Keeping devices and systems up to date is good security hygiene, but it can be challenging in a healthcare environment. Patient safety is paramount, so an attitude of “if it ain’t broke, don’t fix it” often prevails. Unfortunately, this is exactly opposite to software—if it ain’t broke, it will be soon.
The situation is more complicated for device manufacturers, where an update to software or the underlying operating system might have regulatory consequences. This means that device manufacturers might be slow to produce updates, leaving devices and systems vulnerable in the meantime.
For healthcare providers, the best option available is often containment. If a device is running an operating system version with known vulnerabilities and no update is available yet, then the best option might be to remove that device from the network, or place it on its own network segment and protect it with a firewall, or limit access in some other way.
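The inventory and containment points above can be turned into a simple triage step: check each device's operating system against its published end-of-support date, take any paid extended-support arrangement into account, and flag devices that need to be isolated rather than patched. The following is an added example, not code from the article or from the research it reports on. The device records, zone names and the "extended_support" and "patchable" inventory fields are constructed assumptions; the Windows XP and Windows 7 end-of-support dates are Microsoft's published dates.

```python
"""Triage a device inventory against OS end-of-support dates.

Added example (not from the article). Device records below are constructed;
the extended_support and patchable fields assume the asset inventory tracks
them. End-of-support dates for Windows XP and Windows 7 are public Microsoft dates.
"""
from dataclasses import dataclass
from datetime import date

# Mainstream end-of-support dates (public Microsoft dates).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}


@dataclass
class Device:
    name: str
    os: str
    extended_support: bool  # organisation pays for extended support (assumed inventory field)
    patchable: bool         # vendor currently ships OS updates for this device
    zone: str               # network segment the device sits on today


def classify(device: Device, today: date) -> str:
    """Return supported / extended / unsupported / unknown for a device's OS."""
    eos = END_OF_SUPPORT.get(device.os)
    if eos is None:
        return "unknown"           # OS not in our reference table: needs a human look
    if today <= eos:
        return "supported"
    if device.extended_support:
        return "extended"          # past mainstream support but covered by a paid contract
    return "unsupported"


def recommend(device: Device, today: date) -> str:
    """Map support status to a containment or maintenance action."""
    status = classify(device, today)
    if status == "supported":
        return "patch" if device.patchable else "await-vendor-update"
    if status == "extended":
        return "plan-migration"    # still covered, but schedule the move now
    if status == "unsupported":
        return "isolate"           # own segment, firewall allowlist, or off the network
    return "inventory-review"


def triage(devices: list, today: date) -> dict:
    """Return {device name: recommended action} for a whole inventory."""
    return {d.name: recommend(d, today) for d in devices}


# Constructed sample inventory.
INVENTORY = [
    Device("xray-01", "Windows XP", False, False, "clinical"),
    Device("mri-02", "Windows 7", True, True, "clinical"),
    Device("ct-03", "Windows 7", False, False, "clinical"),
    Device("mammo-04", "Windows 10", False, True, "clinical"),
    Device("ultrasound-05", "Windows 10", False, False, "clinical"),
    Device("legacy-06", "VendorRTOS", False, False, "clinical"),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY, date(2020, 6, 1)).items():
        print(f"{name:14s} -> {action}")
```

The "isolate" outcome is the containment step the paragraph describes; the "plan-migration" outcome reflects the earlier point that an organisation may be paying for extended support without that being obvious from the OS version alone.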
For device manufacturers and software providers, carefully managing a software bill of materials and monitoring for new vulnerabilities is the proactive approach that will produce the best results for customers and patients.
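Monitoring a software bill of materials against new vulnerabilities comes down to matching the components and versions shipped in a device against advisories as they are published. The following is an added example, not the article's or any manufacturer's code. Both the SBOM and the advisory list are constructed sample data with placeholder identifiers; in practice the SBOM would come from the build pipeline and the advisories from a vulnerability database feed.

```python
"""Match a software bill of materials against vulnerability advisories.

Added example (not from the article). The SBOM and the advisory feed are
constructed sample data; advisory identifiers are placeholders. Only
numeric dotted version strings (e.g. "1.2.11") are handled.
"""


def parse_version(version: str) -> tuple:
    """Turn "1.2.11" into (1, 2, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Constructed SBOM: component name -> version shipped in the device firmware.
SBOM = {
    "openssl": "1.0.2",
    "zlib": "1.2.11",
    "libxml2": "2.9.4",
}

# Constructed advisories: every version strictly below fixed_in is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "fixed_in": "1.1.1"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "component": "libxml2", "fixed_in": "2.9.4"},  # already at fixed version
    {"id": "ADV-EXAMPLE-0004", "component": "curl", "fixed_in": "7.0.0"},     # not shipped in this device
]


def affected(sbom: dict, advisories: list) -> list:
    """Return (advisory id, component, shipped version, fixed version) for each hit.

    A component is affected when it is present in the SBOM and its shipped
    version is lower than the version the advisory says fixes the issue.
    """
    hits = []
    for adv in advisories:
        shipped = sbom.get(adv["component"])
        if shipped is None:
            continue  # component not in this device: nothing to do
        if parse_version(shipped) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], adv["component"], shipped, adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    for adv_id, component, shipped, fixed in affected(SBOM, ADVISORIES):
        print(f"{adv_id}: {component} {shipped} is affected; fixed in {fixed}")
```

Re-running this match whenever the advisory feed changes is what turns an SBOM from a static document into the monitoring the paragraph calls for; the output is the list of components that need an update, and therefore the list of devices whose customers need to be told.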