71% of medical devices still run on Windows 7, Windows 2008, and Windows mobile
The Internet of Medical Things (IoMT) has exploded across the healthcare industry, with connected medical devices giving providers the ability to improve patient care, provide better clinical data, increase efficiency, and reduce healthcare costs. However, the rapid adoption of connected medical devices has largely failed to consider cybersecurity impacts, according to a Wednesday report from Forescout.
The report examined Forescout Device Cloud data from 75 healthcare deployments with more than 10,000 virtual local area networks (VLANs) and 1.5 million devices. The variety of device operating systems in use makes managing security a challenge, it found. Some 40% of device deployments had more than 20 different operating systems on their medical VLANs. More than half of these (59%) were Windows operating systems, and 41% were a mix of others, including mobile, embedded firmware, and network infrastructure.
SEE: Telemedicine, AI, and deep learning are revolutionizing healthcare (free PDF) (TechRepublic)
Patching and updating these operating systems in a healthcare environment can be challenging, as devices often need to be online and available. Some of the devices studied could not be patched, required vendor approval, or needed patches to be manually implemented, the report found.
Legacy Windows operating systems, in particular, act as a major vulnerability for medical devices, the report found. Of the systems running Windows analyzed, 71% were running versions that will expire by January 14, 2020, including Windows 7, Windows 2008, and Windows Mobile.
Running unsupported operating systems poses a clear security risk, which also impacts compliance with many regulations, the report noted. However, because updates are sometimes costly and complicated, it's likely that networks will continue to have medical devices running on legacy operating systems, it added.
"It's inevitable: The number of devices connecting to healthcare networks will continue to rise, and the environment will become more complex," the report said. "The time to begin developing and implementing a proactive and enterprise-wide security and risk-management strategy is now."
The report offered the following four recommendations for securing medical devices and networks:
1. Enable agentless discovery of all devices
2. Identify and auto-classify devices
3. Continuously monitor devices
4. Enforce segmentation
For more, check out Top 5 things to know about IoT in medicine on TechRepublic.