83% of medical imaging devices running on outdated operating systems, report finds

An overwhelming majority of medical imaging devices are running on old operating systems with little-to-no ability to receive crucial software updates, according to a new report. It’s a small piece of the larger security problem plaguing internet-connected devices.

That’s according to new research from enterprise security firm Palo Alto Networks, which analyzed more than 1.2 million devices across thousands of healthcare institutions in the U.S. The 83% of imaging devices running on outdated platforms is a sharp rise from the 56% reported in 2018.

Imaging devices run on a wide variety of operating systems, such as Linux and Unix, but much of the jump seen over the past few years is attributable to Windows 7 reaching its end of life in January 2020, the report authors noted. An unpatched imaging device sitting on the hospital network is more than a risk to itself: it can serve as a foothold from which attackers reach the wider healthcare environment.

“Imaging systems are particularly susceptible to this kind of attack due to support for their underlying OS expiring well before the devices are retired or decommissioned,” authors wrote.

It’s not all doom and gloom, however. Palo Alto Networks researchers found evidence that healthcare providers are growing more aware that medical devices must be segmented from the rest of the enterprise network rather than sharing it. In 2017, for example, only 12% of hospitals were using sub-networks to separate devices; that practice jumped to 44% in 2019.

Palo Alto Networks pointed to one example in which attackers abused a legacy protocol to smuggle malicious code into a clinical environment. DICOM, the standard format and protocol for medical images, begins every file with a 128-byte preamble that the standard leaves free-form and that viewers do not validate. An attacker can write an executable file header into that preamble, producing a file that is at the same time a valid DICOM image and a runnable program: the image still opens normally in a viewer, so the file passes as legitimate, while the embedded executable carries the malware and runs if the file is launched on another Windows-based DICOM system.

“Because DICOM images tend to store patient information, antivirus software is not allowed to scan the file locations for privacy reasons—essentially, this malware was protected by design,” the researchers wrote.
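The following checker is an added illustration of the preamble trick described above; it is not code from the report or from Palo Alto Networks. It reads only the first 132 bytes of a file (the 128-byte preamble plus the `DICM` magic), so it never touches the pixel data or patient attributes that follow, which is what makes it usable on a DICOM store that antivirus is not allowed to scan. The sample files it classifies are constructed in memory and are not real medical images; the hypothetical PE polyglot only carries the `MZ` magic and an `e_lfanew` pointer, not a working executable.

```python
"""Flag DICOM files whose 128-byte preamble carries an executable header.

A DICOM Part 10 file starts with a 128-byte preamble that the standard
leaves free-form, followed by the 4-byte magic b"DICM". Because nothing
validates the preamble, an attacker can write a PE (Windows executable)
header into it and obtain a file that is a valid DICOM image and a runnable
program at the same time. This checker reads only the first 132 bytes, so it
never touches the patient data that follows.
"""
import struct

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"
HEADER_LEN = PREAMBLE_LEN + len(DICOM_MAGIC)

# File signatures that should never appear at the start of a DICOM preamble.
EXECUTABLE_SIGNATURES = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script with shebang line",
}
# Non-zero preambles some vendors use on purpose (TIFF/DICOM dual-format files).
KNOWN_BENIGN_PREFIXES = {
    b"II*\x00": "TIFF (little endian)",
    b"MM\x00*": "TIFF (big endian)",
}


def inspect_dicom(data: bytes) -> dict:
    """Classify one DICOM file (or just its first 132 bytes) as clean, warn or malicious."""
    if len(data) < HEADER_LEN or data[PREAMBLE_LEN:HEADER_LEN] != DICOM_MAGIC:
        return {"is_dicom": False, "verdict": "n/a", "reason": "no DICM magic at offset 128"}
    preamble = data[:PREAMBLE_LEN]
    for sig, name in EXECUTABLE_SIGNATURES.items():
        if preamble.startswith(sig):
            return {"is_dicom": True, "verdict": "malicious",
                    "reason": f"preamble starts with {name} signature"}
    if preamble == b"\x00" * PREAMBLE_LEN:
        return {"is_dicom": True, "verdict": "clean", "reason": "all-zero preamble"}
    for prefix, name in KNOWN_BENIGN_PREFIXES.items():
        if preamble.startswith(prefix):
            return {"is_dicom": True, "verdict": "warn",
                    "reason": f"non-zero preamble ({name} dual-format); confirm with vendor"}
    return {"is_dicom": True, "verdict": "warn", "reason": "non-zero preamble with unknown content"}


def scan_file(path: str) -> dict:
    """Read only the header of a file on disk and classify it (no pixel data is read)."""
    with open(path, "rb") as f:
        return inspect_dicom(f.read(HEADER_LEN))


# --- Constructed samples (not real medical images) for a stand-alone run ---
def build_dicom(preamble: bytes) -> bytes:
    """Wrap a 128-byte preamble in a minimal Part 10 header with one meta element."""
    assert len(preamble) == PREAMBLE_LEN
    ts_uid = b"1.2.840.10008.1.2.1\x00"  # Explicit VR Little Endian, NUL-padded to even length
    # (0002,0010) Transfer Syntax UID, explicit VR "UI", 2-byte length field
    element = struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(ts_uid)) + ts_uid
    return preamble + DICOM_MAGIC + element


BENIGN = build_dicom(b"\x00" * PREAMBLE_LEN)
TIFF_STYLE = build_dicom(b"II*\x00" + b"\x00" * (PREAMBLE_LEN - 4))
_pe = bytearray(PREAMBLE_LEN)
_pe[0:2] = b"MZ"                            # DOS header magic
_pe[0x3C:0x40] = struct.pack("<I", 0x200)   # e_lfanew: where a PE header would sit (constructed, hypothetical)
POLYGLOT = build_dicom(bytes(_pe))

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("tiff-style", TIFF_STYLE), ("polyglot", POLYGLOT)]:
        print(f"{name:10s} -> {inspect_dicom(sample)}")
```

A non-zero preamble is reported as a warning rather than an alert because the standard permits it and some vendors deliberately write a TIFF header there; an executable signature at offset 0, by contrast, has no legitimate reason to be in a medical image and is treated as a finding on its own.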

So what can healthcare systems do to mitigate their risk? The first step is an accurate inventory: knowing which devices are on the network, which operating system each one runs, and which of them can no longer receive patches. Updating legacy systems, or isolating them on their own network segment where an update is not possible, should be a priority, and sustained demand from buyers can push device manufacturers to build stronger security measures into their products.

Read the report for free here.