Medical Devices Face January 14 D-Day

On January 14, 2020, Microsoft will stop supporting Windows 7.  So what?

Well, if you are in the medical community, it could mean the choice between spending big money on updating the operating systems of your medical devices or facing the constant attacks of hackers with vulnerable, out-dated software.  Some hospitals have updated medical equipment in the face of the looming cut-off date and a good share has not.  Many aren’t even aware that it is an issue or which devices are vulnerable.

Cyber firm Forescout reports that 59% of medical devices on the Internet of Medical Things (IOMT) run on various Windows operating systems, and as of January 14, a whopping 71% of those medical devices will be running on unsupported operating systems like Windows 7.

But should hospitals, clinics, and physician offices be concerned?  To be fair, there is no reason to assume hackers will launch a Normany-like attack on every unprotected device on January 14, but it is reasonable to assume the hackers will continue their focus on healthcare as a lucrative target.  The devices will continue to operate, but each day the software becomes more obsolete and vulnerable.

The issue is not necessarily that the hacked device will kill a patient, but government warnings suggest that some might be capable of doing just that.  The more common threat is that these devices interface with medical record systems, general operating systems, and other devices and give unprotected access to hackers seeking to penetrate the more protected systems using the obsolete devices as the point of entry.  Much like the Target breach that used a vendor’s thermostat control system to access the credit card system, unprotected access points can be catastrophic.

If an event were to occur, how will a medical provider defend a HIPAA breach or patient-injury from a device breach when the fact comes out that they were using an out-dated, unprotected device?