In May last year, Microsoft disclosed a vulnerability now known as BlueKeep (CVE-2019-0708) in Windows Remote Desktop Services. It is reachable over the Remote Desktop Protocol (RDP) before any authentication takes place, and a successful exploit allows an attacker to execute arbitrary code on the target system. From there an attacker could install programs, view or manipulate data, or create new accounts with full user rights.
The vulnerability affected Windows 7, Windows XP, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, and Microsoft fixed it in its May 2019 Patch Tuesday release, including out-of-band updates for Windows XP and Server 2003, which were already out of support and do not receive fixes through the normal update channel. These operating systems are very much still in use in the enterprise. However, because the vulnerability was rated so highly, most organisations will have applied the fix during their regular security patching rounds, so most core Windows servers and end-user systems should no longer be vulnerable a year later in 2020.
Despite this, it has recently been found that the medical industry is at risk of having its medical imaging equipment fall victim to BlueKeep. Researchers have warned that more than 55 percent of connected medical devices in hospitals run outdated Windows versions that remain vulnerable to the RDP flaw, and that 22 percent of a typical hospital's Windows systems were vulnerable to BlueKeep. The affected devices include medical imaging equipment such as MRI, ultrasound and x-ray systems that run on the Windows operating system.
Why are so many medical devices affected when core and end-user Windows systems have largely been patched? Patch management is known to be a big issue for hospital IT. Another factor is that these medical devices are simply overlooked or neglected when it comes to maintaining the Windows operating system underneath them. They are connected to the network so that data can be collected from and uploaded by the device, but they are unlikely to be treated with the same concern as regular systems, and are often missed during update procedures.
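The practical check that follows from the two points above (a fix has existed since May 2019, and the devices that miss it are the ones nobody audits) is an inventory of which Windows hosts on the clinical network still lack it. The script below is an added example, not code from the original article or from Agilient. It runs from a management workstation with Windows PowerShell 5.1 and needs WMI and the Remote Registry service reachable on each target; the host names are placeholders to be replaced with an export of the imaging-device inventory. The KB numbers are Microsoft's May 2019 updates for CVE-2019-0708, listed by Windows kernel version.

```powershell
# Added example, not code from the original article or from Agilient.
# Audits Windows hosts for BlueKeep (CVE-2019-0708) exposure from a management
# workstation running Windows PowerShell 5.1. Needs WMI and the Remote Registry
# service reachable on each target. Host names are placeholders; replace them with
# an export of the imaging-device inventory.

$Hosts = @('MRI-CONSOLE-01', 'XRAY-WS-02', 'ULTRASOUND-03')   # placeholder inventory

# Microsoft's May 2019 fixes for CVE-2019-0708, keyed by the kernel version
# (major.minor) that WMI reports. Security-only update first, monthly rollup second.
$BlueKeepFixes = @{
    '5.1' = @('KB4500331')               # Windows XP SP3 (out-of-band, unsupported OS)
    '5.2' = @('KB4500331')               # Windows Server 2003 / XP x64 (out-of-band)
    '6.0' = @('KB4499180', 'KB4499149')  # Windows Server 2008 SP2 (and Vista)
    '6.1' = @('KB4499164', 'KB4499175')  # Windows 7 SP1 / Server 2008 R2
}

function Test-BlueKeepExposure {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Get-WmiObject rather than Get-CimInstance: it works against Windows 7 era hosts
    # that only have PowerShell 2.0 and no WinRM. (Get-WmiObject is absent from PowerShell 7.)
    $os       = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $kernel   = ($os.Version -split '\.')[0..1] -join '.'
    $affected = $BlueKeepFixes.ContainsKey($kernel)

    # Is one of the May 2019 fixes in the installed-updates list? Later cumulative
    # rollups (June 2019 onward) carry the same fix under their own KB numbers, so
    # "no fix found" means "verify the installed rollup by hand", not "confirmed vulnerable".
    $fixFound = $false
    if ($affected) {
        $qfe = Get-HotFix -Id $BlueKeepFixes[$kernel] -ComputerName $ComputerName -ErrorAction SilentlyContinue
        $fixFound = [bool]$qfe
    }

    # RDP state and Network Level Authentication, read from the remote registry.
    # Requiring NLA blocks the unauthenticated trigger on Windows 7 / 2008 / 2008 R2 but
    # does not remove the bug; XP and 2003 cannot require NLA, so the value is absent there.
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $ts  = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    $tcp = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
    $rdpEnabled  = $ts  -and ($ts.GetValue('fDenyTSConnections', 1) -eq 0)
    $nlaRequired = $tcp -and ($tcp.GetValue('UserAuthentication', 0) -eq 1)
    $reg.Close()

    if (-not $affected)       { $status = 'Not an affected OS' }
    elseif ($fixFound)        { $status = 'Fix installed' }
    elseif (-not $rdpEnabled) { $status = 'No fix found; RDP disabled (verify rollup, then patch)' }
    elseif ($nlaRequired)     { $status = 'No fix found; NLA required (mitigated, still patch)' }
    else                      { $status = 'EXPOSED: no fix found, RDP enabled, no NLA' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os.Caption
        Kernel       = $kernel
        FixFound     = $fixFound
        RdpEnabled   = [bool]$rdpEnabled
        NlaRequired  = [bool]$nlaRequired
        Status       = $status
    }
}

# Unreachable devices are reported rather than silently skipped: a device that cannot be
# audited is exactly the kind of overlooked asset the article describes.
$report = foreach ($h in $Hosts) {
    try   { Test-BlueKeepExposure -ComputerName $h }
    catch { Write-Warning "${h}: $($_.Exception.Message)" }
}
$report | Format-Table -AutoSize
```

The script deliberately separates "fix installed" from "mitigated": a device with NLA enabled or RDP turned off is not exploitable in the way BlueKeep was advertised, but it still carries the bug and belongs on the patch list. Devices that the script cannot reach at all (no WMI, no Remote Registry, vendor-locked image) are the ones that need a conversation with the manufacturer, which is the point the rest of the article goes on to make.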
Chris Morales, head of security analytics at Vectra, told Threatpost, a leading news website on IT security vulnerabilities, that part of the problem also stems from a lack of accountability on the manufacturer, as devices are often brought in by medical staff and no one bothers to inform IT or security.
“Most medical devices are not updated as they serve a specific lifesaving function,” he told Threatpost. “While an OS update might seem benign, any interruption with the functioning of a medical device could have serious implications. Now this isn’t a total excuse for not updating. Manufacturers need update testing processes that enable them to have a timeline for validation and updating.”
It is critical that these devices are properly updated and maintained on a regular basis. Medical imaging equipment is very expensive to both run and maintain, and an attack that takes a system offline could be detrimental to patients seeking urgent medical care. It could also have financial implications for the hospital. At Agilient, we provide expert advice on developing robust IT management strategies, policies and procedures, and we tailor our solutions to meet your organisation's requirements. If you'd like to learn more about how we can help secure your organisation, contact us today.
Author: Jack Schofield, Agilient Consultant