HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

83% of Medical Devices Run on Outdated Operating Systems

The current state of IoT device security has been investigated by the Unit 42 team at Palo Alto Networks which identified major risks to the confidentiality, integrity and availability of healthcare data and serious vulnerabilities that could easily be exploited in devastating cyberattacks.

The Unit 42 team analyzed more that 1.2 million IoT devices of 8,000 different types across a range of industry sectors for the 2020 IoT Threat Report. Data was gathered from its Zingbox IoT inventory and management service, which included 73.2 billion network sessions.

The researchers found high numbers of IoT devices that use legacy protocols and unsupported operating systems, a problem that has now got worse since support for Windows 7 stopped in January 2020. Unit 42’s research revealed only 17% of devices have active support for their underlying operating systems. In healthcare, 83% of IoT devices were running on unsupported operating systems, which increased 56% from last year following the end of support for Windows 7. 27% of IoT medical devices are still running on Windows XP and decommissioned versions of Linux.

51% of all cyberthreats in healthcare concern imaging devices, attacks on which can disrupt the care provided to patients. Exposure of sensitive data is a real issue, especially considering 98% of IoT device traffic is not encrypted. Sensitive data is transmitted in plaintext and can be intercepted by anyone who knows where to look.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Network segmentation has improved since last year when the study was last conducted. The Unit 42 team found that the number of hospitals that had more than 20 VLANs had tripled since last year to 44%. However, 72% of healthcare VLANs include standard IT assets as well as IoT devices. An attack on a vulnerable IoT device could allow malware to be transferred to computers and servers on the same network. A doctor opening a malicious email attachment could see malware transferred to medical devices such as infusion pumps, MRI machines, and other medical imaging systems.

The researchers found 57% all IoT devices are vulnerable to high or medium severity attacks. It is common for default passwords to remain in place, even though the passwords can easily be found online. When passwords are changed, they are often changed to easy to remember passwords which are vulnerable to brute force attacks. Patching was found to be poor and the use of unsupported operating systems means patches are no longer released to correct known vulnerabilities.

IoT devices used to be attacked and added to botnets to conduct DDoS attacks but is now it is common for the devices to be attacked to give cybercriminals a foothold in healthcare networks. Once a device has been compromised the attackers move laterally and compromise other systems on the network, either manually or through worm-like attacks.

IoT devices are also not being monitored so compromised devices are often not identified. The Unit 42 team identified a mammogram machine that was infected with the Conficker worm – a malware variant that was first identified in November 2008.

Unit 42 recommends action be taken to ensure vulnerabilities are identified and addressed to make the devices harder to attack. That process must start with a complete inventory of all IoT devices on the network. A recently published report from the Enterprise Strategy Group revealed 77% of organizations do not have full visibility into all of the IoT devices on their networks.

Patches should be implemented on all devices that can be patched, with priority given to the types of devices that carry the highest level of risk – medical devices – and those with the most vulnerabilities – security cameras and printers.

Networks segmentation is necessary to make it harder for attackers to move laterally, with IoT devices kept separate from standard IT assets. IoT devices should also be monitored to detect attacks in progress.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.