BlueKeep Posing a Risk to Healthcare

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

The healthcare industry continues to adopt new technologies to improve efficiency and cut costs. In many cases, these new technologies have been added to infrastructure, processes, and software from a different era, introducing new vulnerabilities. Researchers found 22% of a typical hospital’s Windows devices were vulnerable to BlueKeep. Even worse, 45% of connected medical devices running Windows are vulnerable to BlueKeep. Vulnerable medical devices can include MRIs, ultrasounds, X-rays, and more. Many run on Windows, allowing their operators to more easily collect and upload data. Beyond BlueKeep, outdated Windows versions are also exposing medical devices to other vulnerabilities. For instance, up to 11% of connected medical devices are exposed to DejaBlue, a set of RDP flaws affecting Windows 7, Windows 8.1, and Windows 10 (as well as Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019). Although these numbers seem alarming, they aren't surprising. Charles Ragland is a security engineer at Digital Shadows. He has worked in emergency rooms and on ambulances for 10 years. During that time, he witnessed a number of outdated medical devices including cardiac catheterization lab systems running on Windows Server 2003. “With the level of complexity that involves managing networks with vast amounts of connected devices, it is not surprising that many of these devices have slipped through the cracks and remain vulnerable to threats such as BlueKeep,” Ragland told Threatpost. “As always, the most effective risk mitigation techniques involve turning off unnecessary services, implementing network level authentication [for RDP], blocking access to sensitive ports, and ensuring timely security updates.” Chris Morales, head of security analytics at Vectra, cited another reason for outdated or unpatched software that is a little more concerning, because there isn't an easy fix. "Most medical devices are not updated as they serve a specific lifesaving function,” he told Threatpost. “While an OS update might seem benign, any interruption with the functioning of a medical device could have serious implications. Now this isn’t a total excuse for not updating. Manufacturers need to update testing processes that enable [sic] a timeline for validation and updating." In that same vein, IoT devices are notorious for being difficult to patch. The systems built using them are designed for hospital medical staff, not maintenance. IoT devices get built for the target use case, which makes them difficult to maintain. A single doctors’ office can be using many different devices; an entire hospital - even more. This all leads to the healthcare industry being highly targeted by cybercriminals. According to the recently published 2020 Healthcare Security Vision Report from CyberMDX, almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating the healthcare industry is struggling to address vulnerabilities and block cyberattacks.