Hospital devices exposed to hacking with unsupported operating systems

More than four out of five medical imaging devices examined by cybersecurity researchers were running on unsupported operating systems, making them vulnerable to hackers.

Getty Images

A large portion of Internet-connected imaging devices in hospitals use outdated operating systems, according to research released Tuesday by Palo Alto Networks, a cybersecurity firm. The company found that 83% of these devices are running outdated software that cannot be updated even though it contains known vulnerabilities that hackers can exploit.

The number has increased significantly compared to 2018, which coincides with End of Microsoft support for Windows 7 earlier this year. A significant number of machines run even older operating systems, including Windows XP, which Microsoft stopped supporting in 2014. Imaging devices include machines that take x-rays, MRIs, mammograms and CT scans.

The results are a reminder that internet-connected devices require proper maintenance, just like any other the computersaid Ryan Olson, who leads a research team at Palo Alto Networks. Many home appliances, like light bulbs and smart thermometers, run on relatively simple operating systems, tailor-made just for the machine. More complex devices, like the imaging devices examined by Olson’s team, rely on the same operating systems that run your desktop computer.

“While they may not look like a computer, they all act like a computer in one way or another,” Olson said of the devices.

Updating your operating systems is one of the the most important steps security experts say you can take to keep hackers out of your devices. But when the updates stop coming in, the bad guys and researchers keep looking for loopholes to exploit. When someone eventually finds a new way to compromise an outdated operating system, the manufacturer will still occasionally offer an update, but there’s no guarantee they will, Olson said.

Hackers could have various motivations for targeting devices in hospitals. Imaging and other medical devices, such as infusion pumps and patient monitoring systems, could all be vulnerable to ransomware attacks, Olson said, noting that hospitals have already suffered ransomware attacks who locked down their systems and demanded payment to get them back. They could also use the computing power of the machines to mine cryptocurrency, an attack called cryptojacking. This could cause the device to overheat or malfunction.

Devices are vulnerable to hacking not only because they are running outdated software. Often, medical staff open emails on computers that are on the same network as the devices, and phishing attacks against email users remain one of the most effective hacking techniques on the Internet. A hacker who breaks into a doctor’s email could use this position to try to gain access to everything else on the network, including imaging devices.

The search looked at 1.2 million internet-connected devices in hospitals and other businesses. This is a small portion of the 4.8 billion internet-connected devices that, according to business analytics firm Gartner, existed in 2019. The data comes from Palo Alto Network customers, who use a service called Zingbox to review all devices connecting to their networks. The search does not name specific brands of imaging devices.

Hospitals can struggle to update their imaging devices because they can’t get them directly from software makers like Microsoft, Olson said. Instead, they have to rely on the third-party vendors that sold them the devices to deliver the fixes. It is a system that needs to be improved, he added.

“These devices play an important role in the hospital,” Olson said, “and they need to be functional at all times.”

Now Playing:
Look at this:

Windows 10: Features to try now


The information in this article is for educational and informational purposes only and is not intended to constitute medical or health advice. Always consult a physician or other qualified health care provider with any questions you may have about a medical condition or health goals.

Comments are closed.