The Department of Homeland Security has warned the exploitation of a Microsoft Windows cybersecurity vulnerability could lead to a fast-spreading malware attack reminiscent of WannaCry.
In a statement posted Tuesday, DHS revealed telemetry devices sold by Spacelabs Healthcare suffer from the weakness, scoring 9.8 out of 10 on a security vulnerability scale.
- While Spacelabs is the first medtech to be the subject of an alert related to the vulnerability, a separate report estimates 45% of Windows-based connected medical devices are exposed.
In 2017, the WannaCry ransomware attack disrupted work at one third of English hospitals, revealing the vulnerability of healthcare networks running outdated systems. Last year, Microsoft warned it had found a new vulnerability, dubbed BlueKeep, that could enable malware to spread around the world like WannaCry did in 2017.
Microsoft patched the flaw but two weeks later communicated third-party research that estimated more than 1 million internet-connected computers were still vulnerable. As Microsoft said, there may have been additional vulnerable systems within corporate networks.
Due to the cost and difficulty of keeping medical devices running embedded versions of Microsoft Windows up to date, healthcare is particularly vulnerable to cyber attacks that exploit vulnerabilities in outdated operating systems.
Now, DHS has shared details of devices that have the BlueKeep vulnerability. The DHS’ alert covers Spacelabs’ Xhibit Telemetry Receiver and Arkon anesthesia delivery system. Spacelabs has created a software update for all deployed Xhibit devices to eliminate the vulnerability.
However, Arkon is no longer supported by Spacelabs. The DHS alert states that “many Spacelabs products are appliances and users are not intended to perform updates on them,” adding that there are products and systems that are obsolete or cannot be patched. Such products and systems cannot receive the software update that grants protection from BlueKeep.
The DHS notice advises users of technologies that cannot receive the update to block a port on their enterprise firewall. DHS thinks blocking the port will stop attackers from outside of the enterprise’s network from exploiting the vulnerability. However, hackers inside the network will still be able to mount attacks and legitimate users will lose the ability to perform certain actions.
DHS published the advisory on the same day as healthcare cybersecurity firm CyberMDX released a report that claimed 45% of connected medical devices in hospitals are vulnerable to BlueKeep.