Healthcare IoT Attack Surface Expands with Windows Embedded Standard 7 EOL
Microsoft will retire its Windows Embedded Standard 7 operating system on Tuesday, October 13, 2020. All devices and systems running it will no longer receive support or security updates. The retirement of this operating system follows that of Windows 7 and Windows Server 2008/R2 earlier this year and affects critical medical systems and devices.
In support of CISA's National Cyber Awareness Month, Cynerio is offering healthcare facilities in North America a free risk assessment until October 31.
Windows Embedded Standard 7 is used in many critical medical devices provided by a multitude of vendors (e.g. Philips, GE, Becton Dickson, Siemens, Hologic, Carestream, Ortho Clinical Diagnostics, bioMerieux), including laboratory and imaging devices:
- Ultrasound devices
- X-Ray machines
- Hematology analyzers
- Blood gas analyzers
- Medicine dispensers
- Microbial detection devices
- Mammography machines
- DICOM workstations
- Breast biopsy systems
What Does This Mean for Healthcare Facilities?
Patients, healthcare professionals, and the industry’s notoriously vulnerable attack surface will expand yet again. With the retirement of yet another ubiquitous Windows OS, millions more critical medical devices will be left without support in the event of an attack or discovered vulnerability.
Ransomware and other vulnerabilities not only risk exposing sensitive employee information and ePHI to bad actors, they cause hospital shutdowns and even threaten patient lives, as seen in the attacks against UHS in the US and Duesseldorf University Hospital in Germany last month.
Further, the retirement of Windows Embedded Standard 7 compounded with the recent leak of the source code of multiple legacy Windows OS (i.e. XP, Server 2003, DOS, CE, and NT) raises the risk of running legacy operating systems even more. It is likely some of the legacy code survived to later versions, further increasing the vulnerability of devices running any of these systems.
How Can Cynerio Help You Mitigate the Threat?
Cynerio empowers healthcare facilities with the insights and solutions they need to practice proactive cybersecurity.
- Gain full visibility into every asset - Identify every device, classify them, flag any with infections or known vulnerabilities and risks
- Identify all devices with unsupported operating systems - Profile every device, identify operating systems, get real-time alerts on threats
- Automate risk assessment - Leverage the power of AI and automated risk analysis of every affected asset to understand its risk score according to clinical impact and receive alerts on weak and default passwords, etc.
- Configure custom segmentation policies
a. Devise and enforce north-south segmentation policies to internet-facing devices to prevent devices from communicating with malicious actors at external endpoints
b. Apply east-west segmentation policies to prevent unauthorized device-to-device communication on the network and to limit the spread of infection in the case of a compromised device
Contact us to get your free risk assessment today.