Cybersecurity warning: Almost half of connected medical devices are vulnerable to hackers exploiting BlueKeep

A new report suggests that vulnerabilities in medical devices could put hospital patients at risk from hackers - but there are some simple ways to protect against these attacks.
Written by Danny Palmer, Senior Writer

Connected medical devices are twice as likely to be vulnerable to the BlueKeep exploit as other devices on hospital networks, putting patients and staff at additional risk from cyber attacks. This is especially concerning when healthcare is already such a popular target for hacking campaigns.

BlueKeep (CVE-2019-0708) is a pre-authentication vulnerability in Microsoft's Remote Desktop Services, reachable by any host that can connect to the Remote Desktop Protocol (RDP) listener. It was disclosed last year and affects Windows 7, Windows Server 2008 R2 and Windows Server 2008.

Microsoft issued a patch for BlueKeep after it came to light in May 2019, and security authorities including the US National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC) issued urgent warnings about patching vulnerable systems.

Because no credentials are needed to trigger the flaw, it was feared that BlueKeep could be turned into a self-spreading worm in the same way as EternalBlue – the exploit that powered WannaCry. That attack affected organisations around the world, and one of its most high-profile victims was the UK's National Health Service, which saw a number of hospital networks taken offline by the incident.


However, despite warnings over a potential repeat, large numbers of standard Windows systems – and bespoke medical devices running Windows – remain vulnerable to BlueKeep attacks.

According to figures in a new report from researchers at healthcare cybersecurity company CyberMDX, 22% of all Windows devices in a typical hospital are exposed to BlueKeep because they haven't received the relevant patches. And when it comes to connected medical devices running on Windows, the figure rises to 45% – meaning almost half are vulnerable.  

Connected devices on hospital networks can include radiology equipment, patient monitors, x-ray and ultrasound devices, anesthesia machines and more. If these devices aren't patched, attacks that scan the network for machines vulnerable to BlueKeep could put hospital networks and patients at risk.

"Unfortunately, this isn't a 'what if' thought experiment around a worst-case scenario, but a real present-day predicament that we need to take more seriously. In 2019, at least 10 hospitals were forced to turn away patients as a result of cyberattacks. And even when hospitals don't need to turn away patients, cyber insecurity can bear a serious impact on care," Ido Geffen, vice-president of product at CyberMDX, told ZDNet.

However, patching is a particular challenge for hospitals because in many cases devices must keep running to provide patient care, and can't be taken offline to apply an update. Hospital networks are also so vast that it's easy for the IT department to lose track of assets, which could lead to devices missing out on patches.

One of the key problems for hospitals is that many devices run operating systems that are now out of support: Windows 7, for example, is vulnerable to BlueKeep and no longer supported by Microsoft, but remains common across hospital networks. The BlueKeep fix itself is not affected by this, since Microsoft released it in May 2019 while Windows 7 was still supported, so an unpatched Windows 7 device is one that simply never received an update that is available.

Any further vulnerabilities uncovered in Windows 7 – and other out-of-support operating systems – aren't guaranteed security patches, leaving networks potentially at further risk going forward.


If it's vital to keep medical devices running on older systems on the hospital network, researchers recommend that the devices be segregated from the rest of the network and, where possible, cut off from the external internet so that the RDP listener is reachable only from the hosts that genuinely need it.

"It can be helpful to block traffic coming to operationally unnecessary ports on the network or VLAN level through a NAC solution or internal firewall," said Geffen.

"In some rare cases when a device cannot be patched and the available mitigations are unrealistic or insufficient, de-networking should be considered," he added.

Perhaps most importantly, when devices can be patched, this should happen as soon as possible: attacks exploiting BlueKeep and similar vulnerabilities succeed precisely on systems that haven't received the patches already available for them. Patching these systems in a timely fashion goes a long way towards preventing incidents.
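The recommendations above (keep track of assets, patch where possible, otherwise block port 3389 at the VLAN or firewall level, and de-network only as a last resort) can be turned into a simple triage over an asset inventory. The following is an added example written for this article, not CyberMDX's tooling or anything the report describes. It assumes a constructed inventory export with, per host, the Windows version, whether the May 2019 RDP fix is applied, whether TCP/3389 is listening, the VLAN and IP address, whether the device can be taken offline, and whether a NAC or internal firewall can filter traffic to it; the nftables table and chain names in the generated rules are placeholders.

```python
"""Triage a hospital asset inventory for BlueKeep (CVE-2019-0708) exposure.

Added example; the inventory rows, field names, VLAN names and IP addresses
are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Windows versions the article names as affected by BlueKeep.
AFFECTED_OS = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}
RDP_PORT = 3389


@dataclass
class Asset:
    hostname: str
    ip: str
    os: str
    rdp_patched: bool        # May 2019 Remote Desktop Services fix applied
    rdp_listening: bool      # TCP/3389 open on the device
    vlan: str
    medical_device: bool
    can_take_offline: bool   # device can be stopped long enough to update
    filterable: bool         # NAC / internal firewall can enforce rules for it
    rdp_peers: Tuple[str, ...] = field(default_factory=tuple)  # hosts that need RDP to it


def is_vulnerable(a: Asset) -> bool:
    """Affected OS without the fix: vulnerable whether or not RDP is exposed now."""
    return a.os in AFFECTED_OS and not a.rdp_patched


def is_exposed(a: Asset) -> bool:
    """Vulnerable and reachable over RDP, i.e. what a BlueKeep scan would find."""
    return is_vulnerable(a) and a.rdp_listening


def recommend(a: Asset) -> str:
    """Mitigation ladder from the article: patch, then block 3389, then de-network."""
    if not is_vulnerable(a):
        return "none"
    if not a.rdp_listening:
        return "patch-at-next-window"   # no network exposure yet, but still fix it
    if a.can_take_offline:
        return "patch-now"
    if a.filterable:
        return "block-3389"             # VLAN / firewall rule, see firewall_rules()
    return "de-network"                 # last resort when nothing else applies


def exposure_rate(assets: List[Asset], medical_only: bool = False) -> float:
    """Share of Windows assets (optionally medical devices only) still vulnerable."""
    pool = [a for a in assets if a.medical_device or not medical_only]
    return sum(is_vulnerable(a) for a in pool) / len(pool) if pool else 0.0


def firewall_rules(assets: List[Asset]) -> List[str]:
    """nft rules limiting RDP to each blocked device to its required peers.

    Table 'hospital' and chain 'forward' are assumed names; the rules accept
    3389 only from listed peers (if any) and drop everything else to that port.
    """
    rules = []
    for a in assets:
        if recommend(a) != "block-3389":
            continue
        base = f"nft add rule inet hospital forward ip daddr {a.ip} tcp dport {RDP_PORT}"
        if a.rdp_peers:
            rules.append(f"{base} ip saddr {{ {', '.join(a.rdp_peers)} }} accept")
        rules.append(f"{base} drop")
    return rules


# Constructed inventory used for the demonstration below.
INVENTORY = [
    Asset("ws-reception-01", "10.10.0.21", "Windows 10", True, True, "staff", False, True, True),
    Asset("ws-billing-07", "10.10.0.77", "Windows 7", False, True, "staff", False, True, True),
    Asset("ultrasound-03", "10.20.1.5", "Windows 7", False, True, "medical-devices", True,
          False, True, ("10.10.0.250",)),   # biomed engineering jump host needs RDP
    Asset("xray-ctrl-02", "10.20.1.9", "Windows Server 2008 R2", False, False,
          "medical-devices", True, False, True),
    Asset("anesthesia-01", "10.20.2.4", "Windows 7", False, True, "medical-devices", True,
          False, False),                    # flat segment, no enforcement point
    Asset("mon-icu-12", "10.20.2.30", "Windows 7", True, True, "medical-devices", True,
          False, True),
]


def triage(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (hostname, recommendation) for every asset needing action."""
    return [(a.hostname, recommend(a)) for a in assets if recommend(a) != "none"]


if __name__ == "__main__":
    print(f"vulnerable Windows assets: {exposure_rate(INVENTORY):.0%}")
    print(f"vulnerable medical devices: {exposure_rate(INVENTORY, medical_only=True):.0%}")
    for host, action in triage(INVENTORY):
        print(f"{host}: {action}")
    for rule in firewall_rules(INVENTORY):
        print(rule)
```

Keeping `is_vulnerable` separate from `is_exposed` matters for the asset-tracking problem the article raises: a device with RDP currently disabled still needs the fix, because a configuration change later would expose it silently. The generated rules are a starting point for review, not something to apply blind; each device's real RDP peers come from the biomedical engineering team, not from the inventory.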
