Cybersecurity warning: Almost half of connected medical devices are vulnerable to hackers exploiting BlueKeep
Connected medical devices are twice as likely to be vulnerable to the BlueKeep exploit than other devices on hospital networks, putting patients and staff at additional risk from cyber attacks. This is especially concerning when healthcare is already such a popular target for hacking campaigns.
BlueKeep is a vulnerability in Microsoft’s Remote Desktop Protocol (RDP) service which was discovered last year, and impacts Windows 7, Windows Server 2008 R2 and Windows Server 2008.
Microsoft issued a patch for BlueKeep after it came to light in May 2019, and security authorities including the US National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC) issued urgent warnings about patching vulnerable systems.
It was feared that BlueKeep could be deployed as a worm in a similar fashion to EternalBlue — the exploit that powered WannaCry. This cyber attack affected organisations around the world, but one of the most high-profile victims was the UK’s National Health Service, which saw a number of hospital networks taken offline by the incident.
However, despite warnings over a potential repeat, large numbers of standard Windows systems – and bespoke medical devices running Windows — remain vulnerable to BlueKeep attacks.
According to figures in a new report from researchers at healthcare cybersecurity company CyberMDX, 22% of all Windows devices in a typical hospital are exposed to BlueKeep because they haven’t received the relevant patches. And when it comes to connected medical devices running on Windows, the figure rises to 45% – meaning almost half are vulnerable.
Connected devices on hospital networks can include radiology equipment, monitors, x-ray and ultrasound devices, anesthesia machines and more. If these devices aren’t patched, it’s possible that destructive cyber attacks searching for machines vulnerable to BlueKeep could put hospital networks — and patients — at risk.
“Unfortunately, this isn’t a ‘what if’ thought experiment around a worst case scenario, but a real present-day predicament that we need to take more seriously. In 2019, at least 10 hospitals were forced to turn away patients as a result of cyber attacks. And even when hospitals don’t need to turn away patients, cyber insecurity can bear a serious impact on care,” Ido Geffen, vice-president of product at CyberMDX, told ZDNet.
However, patching is a particular challenge for hospitals because in many cases devices must keep running to provide patient care, and can’t be taken offline to apply an update. Hospital networks are also so vast that it’s easy for the IT department to lose track of assets, which could lead to devices missing out on patches.
One of the key problems for hospitals is that many devices are classed as obsolete: Windows 7, for example, is vulnerable to BlueKeep and no longer supported by Microsoft, but remains common across hospital networks.
Any further vulnerabilities uncovered in Windows 7 — and other out-of-support operating systems — aren’t guaranteed security patches, leaving networks potentially at further risk going forward.
If it’s vital to keep medical devices running on older systems on the hospital network, researchers recommend that the devices are segregated from the rest of the network or closed off from the external internet where possible.
“It can be helpful to block traffic coming to operationally unnecessary ports on the network or VLAN level through a NAC solution or internal firewall,” said Geffen.
“In some rare cases when a device cannot be patched and the available mitigations are unrealistic or insufficient, de-networking should be considered,” he added.
Perhaps most importantly, when devices can be patched, this should happen as soon as possible because BlueKeep and other vulnerabilities prey on networks that haven’t been updated with live patches to protect against attacks. Patching these systems in a timely fashion goes a long way towards preventing incidents.
READ MORE ON CYBERSECURITY