A huge proportion of internet-connected imaging devices at hospitals run outdated operating systems, according to research released Tuesday by Palo Alto Networks, a cybersecurity firm. The company found that 83% of these devices run on outdated software that can't be updated even when it contains known vulnerabilities that hackers can exploit.
The number increased significantly from 2018, which coincides with Microsoft ending support for Windows 7 earlier this year. A significant number of machines run even older operating systems, including Windows XP, which Microsoft stopped supporting in 2014. The imaging devices include machines that take X-rays, MRIs, mammograms and CAT scans.
The findings are a reminder that internet-connected devices need proper maintenance, just like any computer, said Ryan Olson, who heads a research team at Palo Alto Networks. Plenty of household devices, like smart lightbulbs and thermometers, run on relatively simple operating systems, custom-built just for the machine. More complex devices, like the imaging devices Olson's team looked at, are underpinned by the same operating systems that run your desktop computer.
"While they might not look like a computer, they all act like a computer in one way or another," Olson said of the devices.
Keeping your operating systems updated is one of the most important steps security experts say you can take to keep hackers out of your devices. But when the updates stop coming, bad guys and researchers alike don't stop looking for flaws to exploit. When someone eventually finds a new way to compromise an outdated operating system, the manufacturer will still sometimes offer an update, but there's no guarantee that they will, Olson said.
Hackers could have a variety of motivations for targeting devices in hospitals. Imaging and other medical devices, such as infusion pumps and patient monitoring systems, could all be vulnerable to ransomware attacks, Olson said, noting that hospitals have already suffered ransomware attacks that locked down their systems and demanded payment to get them back. They could also use the machines' computing power to mine for cryptocurrency, an attack called cryptojacking. That could cause overheating or malfunction in the device.
The devices are vulnerable to hacking not just because they run outdated software. Often, medical staff open emails on computers that run on the same network as the devices, and phishing attacks on email users remain one of the most effective hacking techniques on the internet. A hacker who gets into a doctor's email could use that position to try to access everything else on the network, including the imaging devices.
The research looked at 1.2 million internet-connected devices total in hospitals and other businesses. It's a small portion of the 4.8 billion internet-connected devices that business analysis firm Gartner said existed in 2019. The data comes from Palo Alto Network customers, who use a service called Zingbox to examine all the devices connecting to their networks. The research doesn't name specific brands of imaging devices.
Hospitals may struggle to update their imaging devices because they can't get them directly from software makers like Microsoft, Olson said. Instead, they have to rely on the third-party vendors who sold them the devices to supply the patches. That's a system that needs to improve, he added.
"These devices are playing an important role in the hospital," Olson said, "and they need to be functional at all times."