Ultrasound technology using an outdated operating system is vulnerable to attack, according to new research from Check Point.
In a video demonstration, researchers revealed that connected ultrasound machines running Windows 2000 are able to be exploited. Because the Windows 2000 platform no longer receives patches or updates, the machines were rather easy for researchers to exploit.
“Due to old and well known security gaps in Windows 2000, it was not difficult for our team to exploit one of these vulnerabilities and gain access to the machine’s entire database of patient ultrasound images,” researchers wrote in today’s blog post.
If it's exploited, a hacker could reportedly have full-range access and be able to edit medical data. While an attacker would not be able to access personal information about pregnant women, they could theoretically change patient results and use medical information to blackmail people.
Having access to the ultrasound system would also enable an attacker to put ransomware on the system. “Ultrasound technology has made huge advancements over recent years to provide patients and doctors alike with detailed and potentially lifesaving information,” researchers wrote.
“Unfortunately, though, these advancements have not extended to the IT security environment in which these machines sit, are now connected to and transfer images within.”
According to the research, healthcare organizations are at an elevated risk of cyber-attack because of the complexities of updating and patching systems. Hospitals and medical facilities rely on a wide range of devices from a vast number of manufacturers, and each device comes with its own inherent risks.
“Healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach. Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions while providing another layer of security to network and data protection, without compromising performance or reliability.”