In the aftermath of the WannaCry attack, Medical devices at U.S. Hospitals have now been hit by ransomware by a stolen National Security Agency Hacking tool. Craig Young, Security Researcher at Tripwire was on hand to comment and gives his reasoning to why these hospital vulnerabilities were not fixed beforehand.
Craig Young, Security Researcher at Tripwire:
“Medical devices often use operating systems from the Microsoft’s Windows Embedded product line. Unfortunately, these systems are not always easy to patch for a variety of reasons. Security fixes on embedded devices commonly require a complete firmware update from the vendor which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with intended operation of the medical device. Another hindrance on keeping these systems up to date with security updates is that it requires that the devices (which may be in continuous use) are unavailable for some period of time while someone from IT installs and tests the firmware update. In many cases, devices will never receive updates either because the OS is no longer supported and memory, storage, and processing constraints may prevent the device from operating effectively with the latest software. Finally, I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices and simply avoid patching because the device works. This “If it ain’t broke don’t try to fix it” mentality can be tremendously detrimental to hospital security.”