Rising Number of Medical Devices are Vulnerable to Exploits Like BlueKeep

The healthcare sector is digitizing its business operations and data management procedures. New technology is being deployed to improve efficiency and save money. However, that technology is most often integrated with infrastructure, processes, and software from an earlier era, and consequently introduces many vulnerabilities.

Cybercriminals are targeting the healthcare industry more than any other industry, with one-third of U.S. data breaches happening in hospitals. They are looking for any loophole through which to launch their attacks, and plenty of those attacks are succeeding.

According to the recently published CyberMDX 2020 Healthcare Security Vision Report, about 30% of healthcare delivery organizations (HDOs) experienced a data breach last year, which shows how much the healthcare industry struggles to manage vulnerabilities and stop cyberattacks.

One reason is the huge attack surface created by the number of hard-to-secure devices connected to healthcare networks. There are approximately 450 million medical devices connected to healthcare networks globally, with 30% of those devices located in the U.S.A. That equals about 19,300 connected medical devices and clinical assets for every U.S. hospital. It’s not unusual for large hospitals to have over 100,000 connected devices. Typically, one out of 10 devices connected to hospital networks is medical equipment.

The report shows that 80% of device manufacturers and HDOs cited difficulty securing medical devices because of (1) a lack of understanding of how to secure them, (2) a lack of training in secure coding practices, and (3) pressure to meet product deadlines.

71% of HDOs say they lack a comprehensive cybersecurity plan that covers medical equipment, and 56% think a cyberattack targeting medical devices will happen next year. That number rises to 58% among medical device manufacturers. If such an attack did happen, only 18% of HDOs say they would be able to detect it.

Medical Devices Vulnerable to BlueKeep

CyberMDX’s study found that 61% of medical devices are exposed to some level of cyber risk, broken down as follows:

  • 15% are vulnerable to BlueKeep
  • 25% are vulnerable to DejaBlue
  • 55% of imaging devices operate on out-of-date software that is prone to exploits like BlueKeep and DejaBlue

In general, about 22% of Windows medical devices linked to hospital networks are susceptible to BlueKeep.

An attacker can exploit the BlueKeep and DejaBlue vulnerabilities over Remote Desktop Protocol (RDP) and take complete control of vulnerable devices. Because BlueKeep is wormable, malware exploiting it can spread to other vulnerable devices on the same network without any user interaction.

BlueKeep affects older Windows versions, including Windows XP, Windows 7, and Windows Server 2003 through 2008 R2. Many medical devices still run those outdated operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Linux-based operating systems are also affected. Around 30% of medical devices and 15% of connected hospital assets are susceptible to a vulnerability called SACK Panic. About 45% of medical devices are susceptible to at least one vulnerability.

Prompt Patching Needed

CyberMDX’s research found that 11% of HDOs do not patch their medical equipment at all, and where patches are applied, the process is slow. Four months after BlueKeep was disclosed, a typical hospital had patched only about 40% of its vulnerable devices.

The report further reveals that 25% of HDOs have no complete inventory of their connected devices and 13% have no reliable inventory. 36% have no formal BYOD policy, and CyberMDX states that a typical hospital is not tracking about 30% of its connected devices.

Patching medical devices is not easy. It requires technicians to locate and physically inspect each affected device.

Alarmingly, although medical devices are prone to attack, most HDOs overlook granular network segmentation. They segment their networks without considering security, so the resulting segments contain many different connected devices that are exposed to the internet.

If one of these vulnerabilities were exploited, many HDOs would have difficulty detecting it. Over 33% of HDOs do not continuously monitor their connected devices, and 21% tag, profile, and track their devices manually.

The Solution

Strengthening the security of medical devices requires consistent review of many things, including configuration practices, network restrictions, segmentation, credential management, vulnerability tracking, patching and updating, access and function controls, compliance assurance, live context-aware traffic monitoring and analysis, and third-party security practices. Additionally, without knowing which devices are on the network, it is impossible to fully understand their specific attack vectors.
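One practical way to turn the review above (inventory, segmentation, vulnerability tracking, patching) into a repeatable check is to triage a device inventory against the affected-version statements in the BlueKeep, DejaBlue and SACK Panic section. The following is an added example written for this article, not code from CyberMDX or the report; the inventory rows are constructed, and the OS family strings and the `Device` fields (`patched`, `rdp_exposed`) are assumptions about what an inventory export would contain.

```python
"""Exposure triage over a medical-device inventory (constructed sample data, not the
report's). Encodes the report's affected versions: BlueKeep on Windows XP, 7 and Server
2003 to 2008 R2; DejaBlue on Windows 7 and later; SACK Panic on Linux. Assumption: OS
family strings match what the inventory export uses."""
from dataclasses import dataclass

BLUEKEEP_OS = {"Windows XP", "Windows 7", "Windows Server 2003",
               "Windows Server 2008", "Windows Server 2008 R2"}
PRE_WINDOWS7 = {"Windows XP", "Windows Server 2003"}  # DejaBlue does not apply

@dataclass(frozen=True)
class Device:
    name: str
    os: str            # OS family from the inventory; "" if the device is untracked
    patched: bool      # vendor fix for these issues applied
    rdp_exposed: bool  # TCP/3389 reachable from outside the device's segment

def exposures(d: Device) -> list[str]:
    """Names of the report's vulnerabilities the device is still exposed to."""
    if not d.os:
        return ["inventory gap"]  # untracked device: cannot be assessed, only identified
    if d.patched:
        return []
    found = []
    if d.os.startswith("Windows"):
        if d.os in BLUEKEEP_OS:
            found.append("BlueKeep")
        if d.os not in PRE_WINDOWS7:
            found.append("DejaBlue")
    elif d.os.startswith("Linux"):
        found.append("SACK Panic")
    return found

def triage(inventory: list[Device]) -> list[tuple[int, str, str, str]]:
    """Rows of (priority, device, findings, action); 0 = unpatched RDP bug reachable on 3389."""
    rows = []
    for d in inventory:
        vulns = exposures(d)
        if vulns == ["inventory gap"]:
            rows.append((2, d.name, vulns[0], "identify OS and owner before assessing"))
        elif d.rdp_exposed and ("BlueKeep" in vulns or "DejaBlue" in vulns):
            rows.append((0, d.name, "+".join(vulns), "patch now; block 3389 at the segment edge until done"))
        elif vulns:
            rows.append((1, d.name, "+".join(vulns), "schedule a patch window; keep RDP closed"))
    return sorted(rows)

SAMPLE = [  # constructed inventory rows, not figures from the report
    Device("ct-scanner-2", "Windows 7", False, True),
    Device("infusion-pump-14", "Linux 4.4", False, False),
    Device("mri-console", "Windows XP", False, False),
    Device("untracked-0a1b", "", False, False),
]
```

Running `triage(SAMPLE)` puts the RDP-reachable, unpatched Windows 7 scanner first, the isolated unpatched devices second, and the untracked device last with an instruction to identify it, which mirrors the report's point that an incomplete inventory blocks any assessment.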

Fortifying security is certainly a challenging task; however, the goal is not to make the organization 100% secure. The goal must be to deal with the most critical concerns and to substantially reduce the attack surface.