BlueKeep: still a serious threat to medical devices

The BlueKeep vulnerability, discovered last year, affects Microsoft's Remote Desktop Protocol service in Windows 7, Windows Server 2008 R2 and Windows Server 2008. It can pose a serious security risk to connected medical devices, worsening the picture for a healthcare sector that is already heavily targeted by hacking campaigns.

The BlueKeep patch was released by Microsoft in May 2019, after the vulnerability became known. Authorities of the caliber of the US National Security Agency and the British National Cyber Security Centre then issued urgent warnings calling for vulnerable systems to be patched as soon as possible. The fear was that BlueKeep could be a so-called "wormable" vulnerability similar to EternalBlue (the vulnerability that paved the way for WannaCry, which in turn brought organizations around the world to their knees, including the British national health system, where various hospitals suffered operational difficulties).

Despite the precedents and warnings, a very large number of Windows systems, and with them medical devices that use Windows as their operating system, can still be vulnerable to BlueKeep attacks precisely because they have not been updated.

The alarm was raised by CyberMDX, a company specializing in cybersecurity for the healthcare sector: data from recent research show that 22% of all Windows devices in hospitals are exposed to BlueKeep because they have not received the necessary patches. For connected medical devices running Windows, the proportion grows to 45%.

Devices connected to hospital networks may include radiology machines, monitors, x-ray and ultrasound machines and much more. If these devices have not been updated, cybercriminals may be able to identify them through mass Internet scanning campaigns, putting clinics and patients at risk.

Updating every device in a hospital promptly and comprehensively is a particularly difficult challenge. First, many of these devices cannot be taken offline for updating because they are providing patient care. Second, hospital networks are particularly vast and "crowded", and it is quite common for the IT department to lose track of some devices. On top of this already complicated situation, many of the devices currently in use in healthcare facilities are obsolete, that is, they run operating systems that have reached End of Life and therefore have no official support of any kind, as is the case with Windows 7. For devices of this type, if other serious vulnerabilities are discovered, there can be no guarantee that corrective patches will be issued.

Where updating medical devices is not practicable, it is possible to resort to other countermeasures, for example isolating the devices from the external network, or blocking traffic on ports that are not operationally necessary by means of a firewall or appropriate VLAN architectures. If none of these options is realistically applicable, it is necessary to consider isolating the device from the network altogether. Obviously, where possible, timely updating remains the primary solution for this kind of situation.

Ido Geffen, vice president for CyberMDX, commented: "Unfortunately this is not a theoretical experiment on the worst possible situation, but a difficult real situation that needs to be considered with greater seriousness. In 2019 at least 10 hospitals were forced to reject patients following cyberattack episodes. And even when it doesn't go that far, cyber-insecurity can have a very serious impact on the ability to deliver care."
