
Healthcare Security Management: How Legacy OS and Firmware Could Endanger Patients

David Wolf, Principal Security Researcher | December 9, 2019

The Internet of Medical Things (IoMT) continues to offer exciting possibilities for healthcare organizations to improve patient care. However, this digital transformation and increase in connectivity are also introducing new privacy and security risks. The device landscape is growing exponentially, adding to the complexity of networks and making it difficult to manage and improve overall security posture. Cloud adoption is bringing us much-needed innovations in terms of control and visibility of crucial devices controlling our everyday lives, but in recent months, the industry has seen a steady growth in attacks targeted at connected IoMT devices.

What Keeps Healthcare Up-and-Running?

The number of connected devices is growing too, expanding the attack surface and making it difficult to scale security. These include healthcare devices like patient tracking and identification systems, infusion pumps and imaging systems. This also includes infrastructure devices like building automation systems (BAS), physical security systems, uninterruptible power supplies, backup generators and other OT systems and devices that are increasingly joining IT networks. All of these devices are instrumental to keeping the healthcare industry running, since advanced medical machinery depends on the stability of its environment.

What Do Healthcare Security Operations Lack?

This constant connectivity gives hackers an ideal gateway to exploit vulnerabilities in devices that could not have been accessed before. Even though many operations and business stakeholders are aware of this threat, there continues to be a lack of the complete network visibility that would give security officers full situational awareness and let them see any unwanted traffic in their systems. Another problem is a lack of network segmentation: under the guise of simplicity of use, many operations throw all their assets into one easily accessible network without the much-needed levels of security and roadblocks between them.

Ransomware on the Rise

Without full network oversight and proper security measures, malicious actors can disrupt operations relatively easily. Ransomware is malicious code injected into a system that stops it from operating and holds it hostage for money; it spreads mostly through phishing attempts and human error. If one employee makes a mistake and the network isn’t properly segmented, the chance that the malware will spread to every device connected to the local network grows dangerously fast. Stalling operations at a hospital is already a threat that should make people scared, since who knows how many people in a healthcare facility have their lives depending on their medical devices working properly and without disruptions? There is also the growing issue of leaking or irreversibly losing patient data. This extends to facilities that many would not expect to be a target, like veterinary clinics.

Why Legacy OS Might Become a Vulnerability

Many healthcare facilities still depend on dated equipment with legacy operating systems, increasing the chances of old vulnerabilities being ruthlessly exploited. The BlueKeep exploit, which currently threatens hundreds of thousands of devices, targets older, unpatched versions of Windows and so preys on the fact that these devices weren’t updated. Microsoft claims that support for devices running Windows 7 and Windows Server 2008 will expire by January 14, 2020. Running unsupported operating systems can also negatively impact compliance with many regulations. This problem goes far beyond Windows: many devices run on unpatched manufacturer firmware that either isn’t updated or isn’t supported anymore.

Networks will most likely continue to have medical devices running legacy operating systems and firmware since updates are costly, and downtime associated with an operating system update might not be acceptable for critical-care systems. In addition, certain legacy applications simply will not work on more recent versions of operating systems due to lack of support, compatibility or licensing issues.

The need to run legacy operating systems on medical devices isn’t going away any time soon, which brings us back to visibility and segmentation. These devices must be segmented appropriately to protect access to critical information and services, and networks should be monitored by proper tools to detect anomalies that could disrupt operations and endanger the human lives that these organizations are entrusted with.

To learn more about Internet of Medical Things (IoMT) and the security risks it faces, read the “Putting Healthcare Security Under the Microscope” report.
