83% of medical imaging devices lack a supported operating system, putting them at risk of being attacked and having their data exploited
Over 80% of medical imaging devices lack supported operating systems
March 17, 2020
by John R. Fischer
, Senior Reporter
More than 80% of medical imaging devices run on unsupported operating systems, according to Palo Alto Networks’ 2020 Unit 42 IoT Threat Report.
The multinational cybersecurity enterprise found that 83% of medical imaging solutions face this vulnerability while using its Zingbox solution to assess 1.2 million IoT devices in thousands of physical locations belonging to U.S. enterprise IT and healthcare organizations. This raises the risk of attacks that can disrupt care or expose sensitive medical information, and is a 56% jump from 2018, brought on by the Windows 7 operating system reaching the end of its life.
"Upgrading operating systems can be a lengthy and expensive process," Ryan Olson, vice president of threat intelligence for Unit 42 at Palo Alto Networks, told HCB News. "There's also the chance that the programs that healthcare organizations using are not yet supported on a newer operating system, so upgrading may not be an option. With regard to cost, a healthcare provider typically has limited funding and therefore often chooses (logically) on investing in patient care rather than upgrading IT systems."
Fifty seven percent of IoT devices are vulnerable to medium-or high-severity attacks, according to the report. This is due to a weak device and network security posture, as well as the fact that 98% of all IoT device traffic is unencrypted, which exposes personal and confidential data on the networks. In addition, 72% of healthcare VLANs mix IoT and IT assets, which enables the spread of malware from users’ computers to vulnerable IoT devices on the same network.
Of the threats healthcare organizations face, 51% involve exfiltrating patient data stored on imaging devices and 41% of attacks exploit device vulnerabilities, with attacks scanning through network-connected devices in an attempt to exploit known weaknesses.
IoT devices, however, are often not the only target and act as an opening for hackers to move to and attack other systems on a network. Attackers are also moving away from running botnets to conduct DDoS attacks via IoT devices, and are now spreading malware across the network via worm-like features that allow them to run malicious code to conduct a large variety of new attacks.
One specific vulnerability found was weak manufacturer-set passwords and poor password security practices, though the authors of the report expect this to change somewhat with the enforcement of California’s SB-327 IoT law, which requires businesses to take all steps necessary to dispose of customer records that contain personal information when the records are no longer to be retained by it. This can be done by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable.
To protect information that is still under an organization’s control, the report recommends that stakeholders should know the risks and track IoT devices on their network. They also should patch printers and other easily patchable devices, segment IoT devices across VLANs, and implement active monitoring of their IoT devices.
"Hospitals should look to update legacy operating systems to the most current version and also make sure the backups for these systems are also updated," said Olson. "We often find hospitals reload outdated backups of these IoMT devices when they need to reformat them. Hospitals should also separate IoMT devices from the regular network. This helps prevent an attacker from infiltrating an IoMT device to gain broader access to patient data or infiltrate the hospital's network."