Is Your Hospital Prepared for Windows 7 End of Life?

Data breaches in the healthcare sector cost the US $4 billion in 2019. When Microsoft ended support for Windows XP in 2014, the healthcare sector suffered the most.
Cynerio
News
Feb 5, 2020

A Brief History of Windows OS End of Life

Data breaches in the healthcare sector cost the US $4 billion in 2019. When Microsoft ended support for Windows XP in 2014 after 12 years of support, everyone from big business to individuals running the OS on their PCs fell victim to a rash of cyber attacks. The international healthcare sector suffered the most.

The WannaCry, Petya, and NotPetya ransomware attacks exploited specific vulnerabilities in the unsupported Windows XP OS and wreaked havoc on the healthcare sector. Hospitals were shut down, surgeries were cancelled, and the sector lost billions of dollars.

These attacks are the most famous to hit the sector, but smaller attacks plague hospitals around the world every day.

Why We Need to Care about Windows 7 EOL

When Microsoft killed Windows 7 on January 14, 2020, all devices running the operating system became officially unsupported. Windows 7 no longer receives updates and security patches from Microsoft and any devices running the OS are now at great risk of cyber attack. Despite the retirement of certain operating systems, many advanced medical devices still run them. 

At the same time, cyber criminals have upped their ante and the sector continuously falls victim to attacks that are more complex, harder to identify, and even more difficult to overcome. In other words, the repercussions of Windows 7 EOL could be even worse than what we saw with Windows XP.

If your PC is running Windows 7, the notice below should be popping up every time you reboot. Notice Microsoft's strong recommendation to ditch your old PC and simply buy a new one running Windows 10. 

What Windows 7 EOL Means for Connected Medical Devices

In the world of connected medical devices, retiring machines running unsupported operating systems isn't so easy. First of all, medical devices tend to be expensive. Take MRI machines, for example. MRI machines are critical to patient diagnoses and subsequent care. They can also cost up to $3 million. Vendor warranties and support for devices end after an average of 11 years, but these devices can last more than 20 years.

Although other devices may not be as long-lived as MRIs, their life cycles still exceed those of their operating systems, and the devices are also critical to patient care (e.g. IV pumps). Considering the cost and the criticality of these devices, it's not hard to understand why hospitals keep using devices running unsupported operating systems, even after vendor warranties expire.

Besides the complications posed by long life cycles and outdated operating systems, connected medical devices are often not developed with built-in cybersecurity. Despite this fact, these devices cannot be taken offline because they are vital to the smooth operation of clinical ecosystems and central to the delivery of patient monitoring and care. Removing a device from the network could damage the clinical network and disrupt life-saving medical care.

This is the Catch-22 of modern healthcare delivery: connected devices are at once the cornerstone of HDOs’ critical infrastructure and the delivery of patient care. They are also the weakest link in clinical ecosystems, placing patient safety and confidentiality at risk.


Windows 7 EOL Raises the Cyber Risk Factor

The end of Microsoft support for Windows 7 exponentially raises the risk factor to medical ecosystems. Even a minor cyber attack can disrupt clinical services and organizational workflow, jeopardize patient safety, and compromise confidential personal health information (PHI). A single vulnerable device places the entire clinical network at risk.

To make a bad situation even more dire, the department most at risk is Radiology, home of the most long-lived devices running unsupported Windows OS: CT scanners, MRI machines, and X-ray machines.

According to in-house Cynerio Live research, 40% of all connected medical devices run a Windows OS and nearly 50% of those run on Windows 7. This means over 20% of all medical devices in the global clinical ecosystem run the unsupported Windows 7 OS. These stats don’t take into account other outdated operating systems: Windows 2008, Windows Mobile, Windows Vista, Windows XP, Windows 98, or Windows 2000.

Taking Steps to Mitigate Risk

Unsupported devices can’t be 100% secured unless taken offline, but hospital IT security teams can still take steps to mitigate risk. Securing your clinical ecosystem starts with asking the right questions, mapping out device communications, and building a segmentation policy that permits uninterrupted clinical services:

  1. How many devices on your network run Windows 7 or other outdated operating systems?
  2. Out of all the devices running outdated operating systems, how many can be upgraded or patched?
  3. Which departments rely the most on devices running Windows 7 and other unsupported operating systems?

The most important step to healthcare IoT security is assigning a team of employees to an ongoing hospital cybersecurity project. However, gathering all this information and using it to create an effective strategy that doesn’t disrupt clinical operations can be a daunting task. 

The Cynerio Solution

Cynerio is a medical-first healthcare IoT security solution built to help hospitals and other healthcare delivery organizations thwart cyber attacks and mitigate risk. It seamlessly integrates with your systems, flags vulnerabilities, and immediately starts identifying and profiling all devices running on Windows 7 and other unsupported operating systems.

The Cynerio platform provides a 360° view of your clinical ecosystem that goes beyond devices. It provides you with the context hospital IT teams need to understand vulnerabilities and evaluate device risk according to criticality and impact on clinical workflows and delivery of care. Armed with the context provided by Cynerio, hospitals can take effective action:

  1. Start upgrading and patching devices 
  2. Understand when upgrading and patching isn’t an option and start building informed microsegmentation policies
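
The three inventory questions above and this patch-or-segment decision, worked through as an added example on a constructed device inventory and a few constructed network flows. This is illustrative code written for this page, not Cynerio's platform or code; device names, departments, server names and ports are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
# Operating systems the article lists as retired / no longer receiving patches.
UNSUPPORTED = {"Windows 7", "Windows XP", "Windows Vista", "Windows 2000",
               "Windows 98", "Windows 2008", "Windows Mobile"}
@dataclass(frozen=True)
class Device:
    name: str
    department: str
    os: str
    patchable: bool  # vendor still offers an OS upgrade or security patches
# Constructed inventory (hypothetical device names, not real data).
INVENTORY = [
    Device("mri-01", "Radiology", "Windows 7", False),
    Device("ct-02", "Radiology", "Windows XP", False),
    Device("xray-03", "Radiology", "Windows 7", True),
    Device("ivpump-11", "ICU", "Windows 7", True),
    Device("monitor-12", "ICU", "Windows 10", True),
]
# Constructed flows (src, dst, dst_port) as passive network monitoring records them.
FLOWS = [
    ("mri-01", "pacs-server", 104),   # DICOM image transfer to PACS: clinical workflow
    ("ct-02", "pacs-server", 104),
    ("ivpump-11", "emr-server", 443),
    ("admin-pc-7", "mri-01", 445),    # file-share access from an admin PC: not clinical
]
def unsupported_devices(inv):
    return [d for d in inv if d.os in UNSUPPORTED]
def triage(inv):
    """Answer the article's three inventory questions in one pass."""
    unsup = unsupported_devices(inv)
    return {"unsupported": len(unsup),
            "patchable": sum(d.patchable for d in unsup),
            "by_department": Counter(d.department for d in unsup)}

def plan(inv, flows):
    """Patch what can be patched; for the rest, keep only the flows the device
    itself initiates in its clinical workflow and default-deny everything else."""
    unsup = unsupported_devices(inv)
    isolate = {d.name for d in unsup if not d.patchable}
    return {"patch": sorted(d.name for d in unsup if d.patchable),
            "isolate": sorted(isolate),
            "allow": sorted(f for f in flows if f[0] in isolate)}

def permitted(policy, flow):
    """Policy check for one flow: isolated devices may only use allowed flows."""
    src, dst, _ = flow
    if src in policy["isolate"] or dst in policy["isolate"]:
        return flow in policy["allow"]
    return True  # devices outside the isolation set are not restricted here
```

On this inventory the admin PC's inbound file-share connection to the MRI is denied because it is not a flow the MRI initiates in its imaging workflow, while the DICOM transfers to PACS continue uninterrupted.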

Most importantly, the Cynerio platform delivers IT security teams with what they need above all else: an effective and enforceable cybersecurity strategy customized to your hospital that protects your assets and promotes uninterrupted services.

Read the use case to learn more about how hospitals like yours can protect their assets against the risks posed by medical devices running unsupported operating systems.