CyberMDX, a healthcare cyber security company, has released a report that reveals a shocking statistic: slightly less than 50% of medical devices are vulnerable to the BlueKeep exploit.
The vulnerability, which was discovered last year, affects Windows Server 2008, Windows 7 and Windows Server 2008 R2.
Microsoft released a patch after the vulnerability came to light in May 2019.
Security authorities such as the US National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC) have also urged administrators to take notice and do updates.
There have been rising concerns that BlueKeep could be deployed in a similar manner as EternalBlue, the exploit that the infamous WannaCry ransomware was based on.
Still, despite all these warnings, several Windows systems remain vulnerable.
Looking at the figures presented by the report, it becomes clear that 22% of healthcare devices remain vulnerable because the updates have not yet been installed.
Add in the connected medical devices running Windows and the percentage rises to 45%.
Some of the connected devices in a typical hospital environment include X-ray devices, ultrasound devices, anaesthesia machines, radiology equipment and monitors.
If they remain unpatched, this is certain to put hospital networks and patients at risk.
However, the solution may not be as straightforward as it appears.
Since many of these devices can’t be taken offline for a split second to apply the updates (patient care depends on them being online), installing updates can be tricky.
Moreover, Windows 7 is no longer supported by Microsoft, yet many hospital networks rely on it to the present date.
Since there will be no more security updates for this operating system, additional vulnerabilities could surface as time goes on, therefore presenting a greater risk to those who will not move on to another OS (or update to the recent version of Windows).