A large proportion of Internet-connected imaging devices in hospitals run outdated operating systems, according to a study released Tuesday by Palo Alto Networks, a cybersecurity firm. The company found that 83 percent of these devices run on outdated software that cannot be updated even if it contains known vulnerabilities that hackers can exploit.
That number is significantly higher than in 2018, in line with Microsoft’s termination of support for Windows 7 earlier this year. Quite a few computers run even older operating systems, including Windows XP, which Microsoft stopped supporting in 2014. Imaging equipment includes X-rays, MRI, mammograms and CAT scans, all of which require computer support and control.
Security experts say keeping the operating system up to date is one of the most important steps to keep hackers away from devices. However, when updates stop, hackers do not stop looking for exploitable vulnerabilities. When a hacker eventually finds a vulnerability that can break an outdated operating system, the manufacturer will sometimes provide updates, but there is no guarantee that they will.
Hackers may have multiple motives to target devices in hospitals. Imaging and other medical devices, such as infusion pumps and patient surveillance systems, can be vulnerable to ransomware attacks, and hospitals have already suffered ransomware attacks that lock systems and demand payment to regain control. Attackers can also use the computing power of hospital computers to mine cryptocurrencies, an attack known as “crypto-hijacking.” This may cause the device to overheat or malfunction.
The study looked at a total of 1.2 million Internet-connected devices in hospitals and other businesses. That’s a small fraction of the 4.8 billion Internet-connected devices, according to Gartner, a business analytics firm. The study did not mention specific brands of imaging equipment. Researchers say hospitals may have difficulty updating their imaging devices because the updates cannot be purchased directly from software makers like Microsoft. Instead, hospitals must rely on vendors that sell equipment to third parties to provide patches, a process that needs to be improved.