BlueKeep: Still a serious threat to medical devices

The BlueKeep vulnerability discovered last year and affecting Microsoft’s Remote Desktop Protocol service in Windows 7, Windows Server 2008 R2 and Windows Server 2008 operating systems can pose a serious security risk for connected medical devices, aggravating the framework for the healthcare sector already heavily targeted in the context of hacking campaigns.

The patch for BlueKeep was released by Microsoft in May 2019, after the vulnerability became known. Then authorities of the caliber of the US National-Security Agency and the British National Cyber Security Center issued urgent warnings calling for the patch to be vulnerable as soon as possible: the fear was that BlueKeep could be a so-called ” wormable ” vulnerability similar to EternaBlue ( the vulnerability that paved the way for WannaCry, which in turn has brought various realities around the world to their knees, including the British national health system with various hospitals with operational difficulties).

Despite the precedents and warnings, a very large number of Windows systems – and with them, medical devices that use Windows as an operating system – can still be vulnerable to BlueKeep attacks precisely because they are not updated.

The alarm is specifically launched by the CyberMDX company, specialized in the field of cybersecurity for the healthcare world. In essence, the data emerging from recent research show that 22% of all Windows devices present in hospital structures are exposed to BlueKeep because they do not have received the necessary patches. And when it comes to medical devices connected and running Windows, the proportion grows to 45%.

Devices connected within networks of hospital facilities can include radiology machines, monitors, x-ray and ultrasound machines, and much more. If these devices have not been updated, it is possible that they can be identified in the context of massive scan campaigns on the Internet by cybercriminals, thus putting clinics and patients at risk.

Being able to update all devices within a hospital in a timely and widespread manner is a particularly difficult challenge: firstly, because many of these devices cannot be taken offline for updating as they provide patient assistance, secondly. The networks of hospitals are particularly large and ” crowded,” and it is quite common for the IT department to lose track of some device.

To this already complicated basic situation, there is also the problem that many of the devices currently in use in healthcare facilities are obsolete and equipped with operating systems now in the state of End Of Life, without any type of official support, as is the case with Windows 7. This means that for this type of device, if other vulnerabilities are discovered, although serious, there can be no guarantee that corrective patches will be issued.

If the way to update medical devices is not practicable, it is possible to resort to another type of countermeasures, for example, by trying to isolate them from the external network or block traffic on ports that are not operationally necessary through a firewall or by adopting appropriate architectures VLAN. If none of the options are realistically applicable, you should consider isolating the device from the network. Where possible, timely updating remains the master solution for this kind of situation.

Ido Geffen, vice president for CyberMDX, commented: ” Unfortunately, this is not a theoretical experiment on the worst possible situation, but a real difficult situation that needs to be considered more seriously. In 2019, at least 10 hospitals were forced to reject patients as a result of cyberattack episodes. And even when it doesn’t go to that far, cyber-insecurity can have a very serious impact on the ability to deliver care. “