Medical Devices Intro Major Bluekeep Risk to Hospitals

Medical devices represent a major risk to healthcare organizations (HCOs), and are twice as likely as standard network devices to be vulnerable to Bluekeep, according to CyberMDX.

The security vendor’s 2020 Healthcare Security Vision Report claimed that a third (30%) of US HCOs have experienced a cyber-attack in the past 12 months.

Connected devices are an increasing source of risk, as many are left unpatched and unmanaged, the report claimed. For example, 55% of imaging devices run unpatched or outdated Windows versions which could leave them vulnerable to Bluekeep.

This is an RCE flaw in Windows Remote Desktop Services (RDS) which could enable an attacker to take complete control of a machine to spread malware or launch info-stealing attacks. It affects Windows XP to Windows 7 and Server 2003 to Server 2008 R2 computers, and could spread without user interaction in a way similar to the EternalBlue exploit that enabled WannaCry to do so much damage to the NHS.

CyberMDX uncovered a range of security issues among HCOs, claiming that 11% don’t patch devices at all, and that a typical hospital will have patched only 40% or fewer vulnerable devices four months after a bug disclosure.

There’s more: a quarter (25%) don’t possess a full inventory of connected devices, while a further 13% admit theirs is unreliable. A third (34%) say they don’t identify, profile or continuously monitor medical devices and a further 21% do this manually, which is not sustainable given the explosion in such endpoints.

It’s perhaps no surprise that the average hospital has lost track of 30% of its devices, according to the report.
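The report's two findings above (unpatched legacy Windows on connected devices, and patch rates measured four months after disclosure) can be turned into a simple triage over a device inventory. This is an added example, not code from the report or from CyberMDX; the device records, hostnames and dates are constructed, and the `patched_on` field stands in for whatever your asset system records for the Bluekeep fix.

```python
"""Triage a device inventory for Bluekeep exposure.

Flags devices that run an affected Windows version with Remote Desktop
Services reachable and the fix not yet applied, and measures how much of
the affected, RDS-enabled population was patched within a given window
(the report's four-month yardstick). All inventory data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Windows versions the article names as affected: XP through 7,
# Server 2003 through Server 2008 R2.
AFFECTED_OS = {
    "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
}


@dataclass
class Device:
    name: str
    os: str
    rds_enabled: bool            # Remote Desktop Services listening on the host
    patched_on: Optional[date]   # date the Bluekeep fix was applied, None if never


def is_exposed(d: Device) -> bool:
    """True when the host runs an affected OS, exposes RDS and is still unpatched."""
    return d.os in AFFECTED_OS and d.rds_enabled and d.patched_on is None


def triage(inventory: List[Device], disclosure: date,
           window_days: int = 120) -> Tuple[List[str], float]:
    """Return (names of exposed devices, fraction of at-risk hosts patched in window)."""
    at_risk = [d for d in inventory if d.os in AFFECTED_OS and d.rds_enabled]
    exposed = [d.name for d in at_risk if d.patched_on is None]
    deadline = disclosure + timedelta(days=window_days)
    patched_in_time = sum(1 for d in at_risk if d.patched_on and d.patched_on <= deadline)
    rate = patched_in_time / len(at_risk) if at_risk else 1.0
    return exposed, rate


# Constructed sample inventory and a constructed disclosure date.
DISCLOSURE = date(2019, 5, 1)
SAMPLE = [
    Device("mri-console-01", "Windows 7", True, None),
    Device("ct-workstation-02", "Windows Server 2008 R2", True, date(2019, 6, 1)),
    Device("xray-viewer-03", "Windows XP", True, date(2019, 12, 20)),
    Device("infusion-gw-04", "Windows 7", False, None),        # RDS off: not reachable
    Device("pacs-srv-05", "Windows Server 2016", True, None),  # not an affected version
]

if __name__ == "__main__":
    names, rate = triage(SAMPLE, DISCLOSURE)
    print("exposed:", names, "| patched within window: %.0f%%" % (100 * rate))
```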

The challenges extend to staff cybersecurity training and awareness: 23% of respondents said they have no such program in place and 17% claimed they do but it hasn’t launched yet.

Over a third (36%) still lack a formal BYOD policy.

According to IBM’s latest Cost of a Data Breach report, HCOs suffered the highest cost of a breach – nearly $6.5m on average – for the ninth year in a row in 2019. CyberMDX also claimed that at least 10 hospitals had to turn away patients last year due to ransomware attacks.
