According to CyberMDX, medical devices pose a serious threat to healthcare organizations (HCOs) and are twice as likely as general network devices to be vulnerable to BlueKeep.
The 2020 Healthcare Security Vision Report found that thirty percent of US healthcare organizations have experienced a cyber-attack over the last 12 months. These breaches reportedly cost an average of $6.45 million, a figure sixty-five percent higher than the cross-industry average. This is the ninth year in a row that HCOs have suffered the highest cost of a breach.
Connected devices are a growing source of risk for these organizations as many are left unpatched and unmanaged. Eleven percent of organizations reportedly do not implement patches or software updates and nine percent only apply patches and updates after an attack. Additionally, the report found that a typical hospital will have patched only forty percent or fewer vulnerable devices over four months after a bug is disclosed.
The report found that 55% of imaging devices run unpatched or outdated versions of Windows, leaving them vulnerable to BlueKeep. BlueKeep is an RCE flaw in Windows Remote Desktop Services (RDS) that allows an attacker to take control of a machine to spread malware or launch data-stealing attacks. It affects Windows XP through Windows 7, as well as Server 2003 and Server 2008 R2 computers. BlueKeep spreads without user interaction, much like the EternalBlue exploit that allowed WannaCry to wreak havoc at the NHS.
Shockingly, the report found that over twenty-five percent of HCOs do not possess a full inventory of connected devices, while 13% say theirs is unreliable. Even worse, a third of organizations reportedly do not identify, profile or continuously monitor medical devices, while twenty-one percent do this manually, which is not sustainable given the massive number of endpoints. Given this information, it should come as no surprise that the average hospital has lost track of thirty percent of its devices.
Things get even more uncomfortable when you learn that at least ten hospitals had to turn away patients last year due to ransomware attacks. Three of those hospitals were US-based, while the remaining seven were in Australia. This threat is projected to only get worse moving forward, posing a fundamental threat to patient safety.
If you're a hospital executive, these stats should have you very concerned. Hospitals are not doing nearly enough to defend against these threats. To protect against these attacks, HCOs will need to continuously review configuration practices and implement network segmentation, vulnerability monitoring, patching and upgrading, and access controls.
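The report's findings on unreliable inventories, unpatched Windows versions and slow patch rollout all come down to one question a hospital security team has to be able to answer: which connected devices are still reachable over RDP on a BlueKeep-affected OS, and how quickly did the fleet get patched after disclosure? The script below is an added example written for this article, not code from CyberMDX or the report. It triages a constructed device inventory (the device list, field names and scoring rules are assumptions for illustration) into exposed, mitigated and unaffected buckets, and computes patch coverage within a time window so the "forty percent or fewer patched after four months" figure can be measured for your own fleet. Network segmentation and Network Level Authentication are treated as compensating controls that lower, but do not remove, the exposure of an unpatched device.

```python
"""Added example (not from the CyberMDX report): triage a constructed device
inventory for BlueKeep exposure and measure patch latency after disclosure."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows versions the article lists as affected by BlueKeep (XP through 7,
# Server 2003 and Server 2008 R2; Vista and Server 2008 fall in that range).
BLUEKEEP_AFFECTED_OS = {
    "Windows XP",
    "Windows Vista",
    "Windows 7",
    "Windows Server 2003",
    "Windows Server 2008",
    "Windows Server 2008 R2",
}


@dataclass
class Device:
    """One row of an asset inventory. Field names are assumptions for this example."""
    name: str
    os: str
    rdp_enabled: bool            # Remote Desktop Services listening on the network
    patched: bool                # BlueKeep fix applied
    nla_enabled: bool            # Network Level Authentication (compensating control)
    segmented: bool              # isolated clinical VLAN, unreachable from the general network
    days_to_patch: Optional[int]  # days after disclosure when patched; None if never patched


def bluekeep_exposure(d: Device) -> str:
    """Classify a device as 'none', 'mitigated' or 'exposed'.

    A device is only at risk if it runs an affected OS, exposes RDP and lacks
    the patch. NLA or segmentation reduce the risk to 'mitigated' rather than
    removing it, because the underlying flaw is still present.
    """
    if d.os not in BLUEKEEP_AFFECTED_OS or not d.rdp_enabled or d.patched:
        return "none"
    if d.nla_enabled or d.segmented:
        return "mitigated"
    return "exposed"


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Group device names by exposure level for a prioritised patch list."""
    report: Dict[str, List[str]] = {"exposed": [], "mitigated": [], "none": []}
    for d in devices:
        report[bluekeep_exposure(d)].append(d.name)
    return report


def patch_coverage(devices: List[Device], window_days: int) -> float:
    """Fraction of affected-OS devices patched within window_days of disclosure.

    This is the metric behind the article's 'patched forty percent or fewer
    devices over four months' finding; devices never patched count as misses.
    """
    affected = [d for d in devices if d.os in BLUEKEEP_AFFECTED_OS]
    if not affected:
        return 1.0
    on_time = [
        d for d in affected
        if d.patched and d.days_to_patch is not None and d.days_to_patch <= window_days
    ]
    return len(on_time) / len(affected)


# Constructed sample inventory; names and values are illustrative only.
SAMPLE_INVENTORY = [
    Device("ct-scanner-01", "Windows 7", True, False, False, False, None),
    Device("mri-02", "Windows XP", True, False, False, True, None),
    Device("xray-03", "Windows 7", True, True, True, False, 30),
    Device("ultrasound-04", "Windows Server 2008 R2", True, True, False, False, 150),
    Device("nurse-ws-05", "Windows 10", True, False, False, False, None),
    Device("lab-06", "Windows 7", False, False, False, False, None),
]


if __name__ == "__main__":
    for level, names in triage(SAMPLE_INVENTORY).items():
        print(f"{level:>9}: {', '.join(names) or '-'}")
    for window in (120, 180):
        print(f"patched within {window} days: {patch_coverage(SAMPLE_INVENTORY, window):.0%}")
```

Run against a real inventory export, the exposed list is the emergency patch queue, the mitigated list is the follow-up queue, and the coverage figure over a 120-day window is the number to track against the report's forty percent benchmark. Note that lab-06 is unaffected today only because RDP is off; it still lowers the coverage score because the flaw is unpatched and a configuration change would expose it.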