You'd think that mammography machines, radiology systems, and ultrasounds would maintain the strictest possible security hygiene. But new research shows that a whopping 83 percent of medical imaging devices run on operating systems that are so old they no longer receive any software updates at all.
That issue is endemic to internet of things devices generally, many of which aren't designed to receive software improvements or offer only a complicated path to doing so. But medical devices are an especially troubling category for the issue to show up in, especially when the number of devices with outdated operating systems is up 56 percent since 2018. You can attribute most of that increase to Microsoft ending support for Windows 7 in January. As new vulnerabilities are found in the operating system, any device still running it won't get patches for them.
The findings don't necessarily mean that 83 percent of medical imaging devices are in immediate danger of attack. It's possible to manage the risk by making sure vulnerable devices aren't exposed to the open internet, are protected behind a firewall, and are in a contained part of a network that can be monitored for unusual activity and access. But those measures take planning, and with so many medical imaging devices lurking in health care organizations around the world—and so many exposed by old operating systems—the chances are high that not all are adequately protected.
"Windows 7 has been a stable operating system for a lot of people for a long time and that’s what folks look for when they’re building an IoT device," says Ryan Olson, vice president of threat intelligence at the enterprise security firm Palo Alto Networks, which produced the research. "It’s just that, eventually, operating systems go out of support. Windows 7 has been out in the market for a long time and people have known this was coming for a while, but updating IoT devices in general, including medical IoT devices, is challenging for a lot of organizations."
Researchers at Palo Alto Networks found indications that health care providers are increasing aware of the need to separate medical devices from other computers on health care networks—a promising trend. They found that only 12 percent of hospitals maintained a significant number of sub-networks to separate devices in 2017, but that 44 percent were doing it in 2019. Olson emphasizes, though, that this still means a majority of hospitals, not to mention other types of health care facilities, have yet to take the step. Without it, attackers with a foothold into a health care network could access medical imaging devices with unpatched operating system bugs and exploit them to bore deeper into the system. Even if the malware isn't targeting medical devices in particular, operating system vulnerabilities still put devices at risk for infection by any indiscriminate worm that infects all manner of networked computers.
Beyond the protective measures that health care providers can take, device manufacturers themselves should take steps to mitigate the potential damage. Some may design their products to run securely even when an operating system loses support, but given the track record of Internet of Things security overall and medical device security in particular, it's unlikely that many or even most manufacturers have been building their devices with a specific defense plan.
And there’s a more basic issue at play, too, says Beau Woods, a cybersafety innovation fellow at the nonprofit Atlantic Council. Even when their operating systems are current and fully supported, many medical devices are not even receiving the available updates they could be getting. Retired operating systems only compound the problem.
"The incremental risk is there," Woods says. "What the sunsetted operating systems mean, though, is if there were some type of an emergency and medical device makers had to issue a patch and hospitals had to apply the patch there’s an even less clear and clean pathway to patching."
Products that are already in use are virtually impossible to retrofit with better update mechanisms, but health care providers can make updatability a major priority in procurement to push manufacturers toward more flexible designs. In the meantime, they need to take stock of the aging infrastructure in their midst.