
Outdated Operating Systems Remain Key Medical Device Security Challenge

Support for Windows 8.1 ended in January, sparking conversations about how to manage risks associated with out-of-date operating systems and medical devices in the healthcare sector.


Microsoft’s support of Windows 8.1 ended on January 10, meaning that the company will no longer provide software updates and technical assistance for that version of its operating system (OS).

To reduce risk, Microsoft recommended that users upgrade to Windows 11. Continuing to use Windows 8.1 “may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the company stated.

This occurrence is not uncommon or unexpected for IT and IT security professionals – ending support for older operating systems after a number of years is ordinary, and Microsoft typically announces end-of-support dates years in advance. For example, Windows 10 will retire on October 14, 2025.

But in healthcare, many medical devices remain in use for a decade or longer and may rely on operating systems that are no longer receiving patches or updates. Replacing expensive devices every time an operating system goes out of date is not a sustainable strategy, Ordr CEO Jim Hyman said in an interview with HealthITSecurity.

Instead, organizations should focus on what they can reasonably control, Hyman recommended. For example, implementing a zero trust security architecture and network segmentation can help the healthcare sector reduce risk.

The Prevalence of Legacy Operating Systems in Healthcare

“The healthcare industry, unfortunately, is just different when it comes to end-of-life gear, software, devices, and embedded systems,” Hyman noted.

“For an industry that is already under pressure from a budgetary perspective, the thought of replacing a ton of devices that are running outdated systems without patches, unfortunately is just not an option for a lot of these organizations.”

More than 73 percent of healthcare providers use medical equipment that runs on a legacy OS, a 2021 report by Kaspersky revealed. Survey respondents cited upgrade costs, compatibility issues, and a lack of internal knowledge on how to upgrade as common reasons for continuing to operate devices on legacy operating systems.

A 2019 Forescout report also highlighted the prevalence of medical devices running on outdated systems, but noted that the downtime associated with updating an operating system might not be feasible for critical-care systems.

Additionally, Forescout explained that “certain legacy applications simply will not work on more recent versions of Windows due to lack of support, compatibility or license schema issues.”

Using outdated equipment means that when a new software vulnerability is disclosed, there may be no patch available to remedy it. This gives threat actors an opportunity to exploit known, unpatched vulnerabilities in outdated systems and infiltrate networks.

In fact, the Federal Bureau of Investigation (FBI) released a private industry notification in September 2022 urging the healthcare sector to remain vigilant against vulnerabilities found in unpatched medical devices.

“Medical device hardware often remains active for 10-30 years, however, underlying software life cycles are specified by the manufacturer, ranging from a couple months to maximum life expectancy per device allowing cyber threat actors time to discover and exploit vulnerabilities,” the FBI noted.

“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyber attacks.”

In addition to the task of managing an inventory and maintaining visibility into hundreds of medical devices, healthcare organizations must consider the security and compliance risks associated with relying on legacy operating systems.

“This is not a problem that a CIO wakes up to and is surprised by. People are planning for this scenario and how to solve it,” Hyman acknowledged.

“But that doesn't mean it's easy to solve, especially in a hospital system where you have certain devices that are owned by the biomed team, certain devices that are owned by the IT team, and certain security groups that don't necessarily have purview over both. It's a concerted effort between groups to solve it.”

Legislation’s Role in Reducing Security Risks

Legislation could be a key to solving some of these systemic issues. In December 2022, Congress approved a government funding bill that had sweeping implications for the healthcare sector and beyond. The bill was more than 4,000 pages long and even included some key medical device security provisions that healthcare security experts have been championing for years.

Section 3305 of the omnibus bill included language that would require medical device manufacturers to ensure that their devices meet select cybersecurity requirements. Specifically, manufacturers must “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the bill stated.

The omnibus bill also required manufacturers to provide a software bill of materials (SBOM) to the Secretary, including off-the-shelf, open-source, and commercial components.

“If you think about the latest legislation, the government is doing what they should be doing by trying to solve this problem in a different way, and that is to make sure that the manufacturers are building security into the devices in the first place,” Hyman explained.

“I think it's good that they're doing it, and I think the legislation is fantastic. But I think it takes a really long time for that to become a reality in any sort of scalable protected way.”

Leveraging Network Segmentation, Zero Trust

In the meantime, Hyman suggested, organizations should consider focusing on network segmentation and zero trust strategies as a means of reducing risk.

Forescout’s aforementioned report similarly encouraged the use of network segmentation to tackle this issue.

“Segmentation significantly reduces system attack surfaces. Users only ‘see’ the servers and other devices necessary to perform their daily tasks,” the report noted. “Segments are created by grouping common user types and limiting network access to those resources that users require to do their jobs.”

From Hyman’s perspective, segmentation is a powerful tool when it comes to managing legacy systems, but it is also generally a good cyber hygiene practice.

“If you have a device running Windows 8.1 and it's going to be end-of-life, how do you make sure you identify what that device is, what it's supposed to be doing, and in the event it doesn't do what it's supposed to be doing, how do you have the ability automatically to just take it offline?” Hyman reasoned.

Network segmentation can help organizations manage higher-risk devices and isolate them. In the event of a cyberattack, a segmented network makes it much harder for threat actors to move throughout the network and expand their attack scope.

In addition, embarking on a zero trust security journey can help healthcare organizations manage enterprise-wide risks. Under a zero trust security model, no device or user is automatically trusted before being vetted by strict authentication processes. Zero trust is not a single technology or tactic, but a set of cyber defenses that collectively look for threats outside and within a network perimeter.
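As an added illustration of the segmentation and automated take-offline idea described above (example code written for this page, not from the article, Ordr or Forescout), the Python below keeps a constructed device inventory with the end-of-support dates the article cites, allows each segment only the flows its role requires, and quarantines a device on an unsupported OS as soon as it steps outside that role. Segment names, device names, addresses and the flow records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# End-of-support dates stated in the article; an OS not listed is treated as supported.
OS_END_OF_SUPPORT = {"Windows 8.1": date(2023, 1, 10), "Windows 10": date(2025, 10, 14)}
# Hypothetical segment policy: (destination segment, port) pairs a segment may reach.
# The legacy imaging segment gets DICOM to PACS and nothing else.
ALLOWED_FLOWS = {
    "imaging-legacy": {("pacs", 104), ("pacs", 11112)},
    "clinical-workstations": {("ehr", 443), ("pacs", 443)},
}
SEVERITY = {"allow": 0, "alert": 1, "quarantine": 2, "block-unknown": 3}

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    os: str
    segment: str  # segment assigned when the device was inventoried

# Constructed inventory and flow records (made-up names and addresses).
INVENTORY = [
    Device("ct-console-3", "10.20.1.12", "Windows 8.1", "imaging-legacy"),
    Device("nurse-ws-17", "10.20.2.5", "Windows 10", "clinical-workstations"),
]
SAMPLE_FLOWS = [  # (source IP, destination segment, destination port)
    ("10.20.1.12", "pacs", 104),         # CT console sending DICOM: in role
    ("10.20.1.12", "file-server", 445),  # CT console reaching for SMB: off role, OS unpatched
    ("10.20.2.5", "ehr", 443),           # workstation to EHR: in role
    ("10.20.2.5", "file-server", 445),   # workstation to SMB: off role, OS still patched
    ("10.20.9.9", "ehr", 443),           # source address not in inventory
]

def is_end_of_support(device, today):
    eol = OS_END_OF_SUPPORT.get(device.os)
    return eol is not None and today >= eol

def decide(device, dst_segment, dst_port, today):
    """In-role traffic passes; off-role traffic is quarantined for an unpatched OS, alerted otherwise."""
    if (dst_segment, dst_port) in ALLOWED_FLOWS.get(device.segment, set()):
        return "allow"
    return "quarantine" if is_end_of_support(device, today) else "alert"

def triage(inventory, flows, today):
    """Most severe verdict per source IP; sources missing from the inventory are blocked."""
    by_ip = {d.ip: d for d in inventory}
    verdicts = {}
    for src_ip, dst_segment, dst_port in flows:
        device = by_ip.get(src_ip)
        verdict = decide(device, dst_segment, dst_port, today) if device else "block-unknown"
        if src_ip not in verdicts or SEVERITY[verdict] > SEVERITY[verdicts[src_ip]]:
            verdicts[src_ip] = verdict
    return verdicts
```

The per-IP verdict is what a NAC or firewall integration would act on; the same off-role flow produces only an alert while the OS is still supported, which keeps the automatic response proportional to the patch situation.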

“I think the idea of network segmentation and zero trust is good regardless of the end-of-life Windows 8.1 issue,” Hyman suggested. “If you can truly get a zero trust architecture deployed, from an overall security posture perspective, it's a fantastic journey regardless of whether your software is end-of-life or not.”

In addition to enhancing their overall security posture, healthcare organizations should always remain aware of the latest vulnerability disclosures that may affect their systems and devices.

“We can pick on Windows 8.1 for being end-of-life and still running all over embedded systems in hospitals, but there is also plenty of software that is not end-of-life that has similar vulnerabilities that are being released every week,” Hyman reasoned. “We really need to be cognizant of vulnerability disclosures.”

The retirement of operating systems is a fact of life for IT and IT security professionals. But the medical devices that rely on these systems have a longer lifespan, creating a complex web of security and compliance risks. Updating and patching when possible, and focusing on key cyber hygiene tactics in the meantime, are crucial to maintaining device security within a healthcare network.