silversurfer

More than 55 percent of medical imaging devices – including MRIs, X-rays and ultrasound machines – are powered by outdated Windows versions, researchers warn.

While Microsoft issued patches for the infamous BlueKeep vulnerability almost a year ago, researchers warn that almost half of connected medical devices in hospitals run on outdated Windows versions that are still vulnerable to the remote desktop protocol (RDP) flaw.

Researchers said they found that 22 percent of a typical hospital’s Windows devices were vulnerable to BlueKeep. Even worse, the number of connected medical devices running Windows that are vulnerable to BlueKeep is considerably higher — around 45 percent, they said. Vulnerable medical devices can include MRIs, ultrasounds, X-rays, and more, which run on operating systems – typically Windows – allowing their operators to more easily collect and upload data.

“For hospitals, the task of monitoring vulnerabilities, identifying affected devices, chasing down suitable patches, and distributing those patches across a sprawling campus is tedious, to say the least,” said researchers with CyberMDX in their “2020 Vision” report on medical security, released Tuesday. “This process is slow and inefficient, as the hospitals usually do not know which devices or security issues to attend to first.”
 

upnorth

These security issues are leading to real-life attacks. In 2019, for instance, hospitals reported security incidents, from a server misconfiguration exposing data of 973,024 patients at UW Medicine, to phishing attacks compromising data at UConn Health and Oregon Department of Human Services; all the way up to full-fledged ransomware attacks at the Columbia Surgical Specialist of Spokane, Sarrell Dental and Hospital Pavia Hato Rey.
 

upnorth

What I don't understand is why... hospitals don't take this seriously and do something about it? Or do they feel they're untouchable? You would think they would be on top of this to protect the patients.
That's partially answered in the article.
So why haven’t organizations updated their medical devices? This is due to a variety of reasons. Patch management, for one, is a big issue for hospitals. Researchers said that four months after a major vulnerability is disclosed, most hospitals will still not have patched more than 40 percent of their vulnerable devices.

According to previous CyberMDX research, 80 percent of device manufacturers and healthcare orgs report that medical devices are “very difficult to secure,” citing a lack of knowledge and training on secure coding practices, and pressure on development teams to meet product deadlines. The study also pointed to a lack of quality assurance and testing procedures for medical devices, which leads to more vulnerabilities slipping by when products go to market. In fact, nearly one in three organizations surveyed by CyberMDX said that they never audit their medical devices for known vulnerabilities.
Chris Morales, head of security analytics at Vectra, told Threatpost that part of the problem also stems from a lack of accountability on the manufacturer, as devices are often brought in by medical staff and no one bothers to inform IT or security.
One vendor/company always seems to stand out from the others. At least from the reports I read. Medtronic.
 