Microsoft ‘BlueKeep’ Vulnerability Exposes Medical Devices to Potential Cyberattacks

Posted May 22, 2019



Microsoft last week issued a security update for a remote code execution vulnerability in Remote Desktop Services (CVE-2019-0708) that exposes systems to potential cyberattacks. The flaw is pre-authentication and requires no user interaction. “An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” according to the Microsoft security update. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Devices, clients, and servers running older versions of Windows are exposed to this critical vulnerability, known as “BlueKeep”: Windows 7, Windows Server 2008 and Windows Server 2008 R2 are affected, as are the out-of-support Windows XP and Windows Server 2003, for which Microsoft also released fixes. Windows 8, Windows 10, and Windows Server 2012 and later are not affected.

This will be small comfort to many hospitals, which still use older software. “CyberMDX field statistics show BlueKeep affecting just over 15% of a typical hospital's TOTAL connected device inventory; the proportion of affected MEDICAL devices is even higher, hovering around 70%—bursting the attack surface wide open,” according to CyberMDX, a health technology cybersecurity firm. 

Once an unauthenticated remote attacker breaches a medical device server, “it could ‘worm’ its way quickly through the network and connected devices,” according to Medigate, another health technology cybersecurity firm. “This is a very important issue for the AAMI constituency,” said Beth Ellis, vice president of marketing at the company.

Medigate offers this advice to healthcare delivery organizations:

  • Get familiar with the remote code execution vulnerability (CVE-2019-0708).
  • Identify what is at risk on your network.
  • Start the remediation process.
  • Begin mitigation immediately.

Remediation and mitigation are complicated by the fact that medical devices require software patches verified by the original equipment manufacturer (OEM), Medigate points out. Clinical engineers will need to ask OEMs for patches, but developing and verifying patches takes time. In the meantime, hospitals should restrict Remote Desktop Protocol traffic (TCP port 3389) to the devices and management stations that genuinely need it, enforced through network access control and firewall rules, and, where the OEM permits the setting, enable Network Level Authentication, which Microsoft's advisory lists as a mitigation because it forces authentication before the vulnerable code is reached (an attacker who already holds valid credentials could still exploit the flaw). Care must be taken not to block communications a device depends on, since that could change device functionality or jeopardize patient care.
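Two of the steps above, identifying exposed RDP listeners and confirming that a mitigation is actually in place, can be checked from the network. The following is an added example written for this article, not code from AAMI, Microsoft, Medigate or CyberMDX: it sends the 19-byte X.224 Connection Request that every RDP client begins with, offering only legacy RDP security, and reads the server's Connection Confirm to tell whether the pre-authentication code path is reachable or whether Network Level Authentication (NLA) is enforced. The sample replies are constructed, not captured from real devices, and the host list on the command line is the only assumption about your environment. Note what it cannot tell you: a patched Windows 7 host answers exactly like an unpatched one, so this identifies exposure and verifies the NLA mitigation; it does not report patch status.

```python
"""Classify an RDP listener's X.224 Connection Confirm (MS-RDPBCGR 2.2.1.2).

Added example for the AAMI BlueKeep article; not code from AAMI, Microsoft,
Medigate or CyberMDX. We offer only legacy "standard RDP security" so the
server has to tell us whether it accepts that, demands TLS, or demands
CredSSP/NLA. Only NLA puts authentication in front of the MCS Connect
Initial stage where CVE-2019-0708 is triggered.
"""
import socket
import struct
import sys

# TPKT header (version 3, total length 19) + X.224 Connection Request
# (LI=0x0e, code 0xe0, dst-ref, src-ref, class 0) + RDP_NEG_REQ
# (type 1, flags 0, length 8, requestedProtocols = PROTOCOL_RDP).
X224_CR_RDP_ONLY = bytes.fromhex(
    "03 00 00 13"               # TPKT
    "0e e0 00 00 00 00 00"      # X.224 CR
    "01 00 08 00 00 00 00 00"   # rdpNegReq: legacy RDP security only
)

TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0, 1, 2
SSL_REQUIRED_BY_SERVER = 1
HYBRID_REQUIRED_BY_SERVER = 5
SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 6


def classify_x224_cc(resp: bytes) -> str:
    """Return one of:
    'legacy-rdp'    legacy RDP security accepted: pre-auth path reachable
    'tls-no-nla'    TLS required but no NLA: pre-auth path still reachable
    'nla-required'  CredSSP/NLA enforced: Microsoft's documented mitigation
    'not-rdp'       not a well-formed Connection Confirm
    'negotiation-failure:N'  any other RDP_NEG_FAILURE code N
    """
    if len(resp) < 11 or resp[0] != 0x03:
        return "not-rdp"
    tpkt_len = struct.unpack(">H", resp[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(resp):
        return "not-rdp"
    resp = resp[:tpkt_len]
    li, tpdu_code = resp[4], resp[5]
    if tpdu_code & 0xF0 != 0xD0:            # 0xD. = Connection Confirm
        return "not-rdp"
    if li == 6:
        # No rdpNegRsp at all: the server predates protocol negotiation
        # (Windows XP / Server 2003 era), so only legacy RDP is possible.
        return "legacy-rdp"
    if li < 14 or len(resp) < 19:
        return "not-rdp"
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", resp[11:19])
    if neg_len != 8:
        return "not-rdp"
    if neg_type == TYPE_RDP_NEG_RSP:
        # selectedProtocol. We offered only PROTOCOL_RDP, so a conforming
        # server answers PROTOCOL_RDP; the other values are mapped defensively.
        return {PROTOCOL_RDP: "legacy-rdp", PROTOCOL_SSL: "tls-no-nla",
                PROTOCOL_HYBRID: "nla-required"}.get(value, "not-rdp")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value in (HYBRID_REQUIRED_BY_SERVER,
                     SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER):
            return "nla-required"
        if value == SSL_REQUIRED_BY_SERVER:
            return "tls-no-nla"
        return f"negotiation-failure:{value}"
    return "not-rdp"


def pre_auth_path_reachable(status: str) -> bool:
    """True when an unauthenticated peer can reach MCS Connect Initial, i.e.
    the host needs the patch, NLA, or a firewall/NAC rule in front of 3389."""
    return status in ("legacy-rdp", "tls-no-nla")


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> str:
    """One TCP connection, 19 bytes sent, no credentials: the same opening
    exchange any RDP client performs. Still, probe medical devices only in a
    maintenance window agreed with clinical engineering."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(X224_CR_RDP_ONLY)
        return classify_x224_cc(sock.recv(64))


# Constructed replies (not captured from real devices), one per outcome.
CC_HDR = "03 00 00 13 0e d0 00 00 12 34 00"   # TPKT + X.224 CC header
SAMPLE_REPLIES = {
    "nla_off":        bytes.fromhex(CC_HDR + " 02 00 08 00 00 00 00 00"),
    "tls_only":       bytes.fromhex(CC_HDR + " 03 00 08 00 01 00 00 00"),
    "nla_enforced":   bytes.fromhex(CC_HDR + " 03 00 08 00 05 00 00 00"),
    "no_negotiation": bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00"),
    "http_banner":    b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        status = classify_x224_cc(reply)
        print(f"{name:15} {status:14} action needed: "
              f"{pre_auth_path_reachable(status)}")
    for host in sys.argv[1:]:       # e.g. python rdp_nla_check.py 10.0.0.5
        try:
            print(host, probe_rdp(host))
        except OSError as exc:
            print(host, "unreachable:", exc)
```

A result of `nla-required` means Microsoft's NLA workaround is in force on that listener; `legacy-rdp` or `tls-no-nla` means the host still needs the vendor-verified patch, NLA, or a firewall/NAC rule limiting who can reach port 3389. Run it against your device inventory rather than whole subnets, so the output maps directly onto the OEM conversations the article describes.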