Windows 7 End of Life Puts Hospitals in a Pickle

Windows 7 End of Life Puts Hospitals in a Pickle

Microsoft is ending all support for Windows 7 on January 14th, 2020 – less than 3 months away (as of this writing)! After that time, there will no longer be any updates (including security patches) for this version of the operating system.

Microsoft hasn’t offered Windows 7 on new machines for a long time, and they announced end of mainstream support way back in 2015 (and in fact, the company announced the EOL date alongside the OS’s launch over a decade ago, so there isn’t much reason for surprise). So presumably everyone is on Windows 10 now, right? Not so much. Alas, according to a report published earlier this year, a whopping “70% of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020.”

We don’t need to imagine a disaster scenario. Back in 2017, the WannaCry ransomware hit hospital systems particularly hard (most notably, it shut down the UK National Health Service). According to one report, almost all the computers affected were running Windows 7. So why wasn’t that rash of incidents (and all of the subsequent ones) enough to get the healthcare industry to bring at least the majority of their systems up to date?

The Cost of Change

In the medical device space, there are three complicating issues with operating system updates:

  1. Replacement costs: Despite the decade-long lifespan of Windows 7, the interval between technical platform changes is still shorter than the lifespan of most medical devices. Characterized as having the half-life of plutonium, medical devices are kept in service for as long as possible. The average reported age hit 22.8 years in 2015 – the highest since 1925. Add in the significant cost of the devices and the tight capex budgets of many facilities and the reluctance to replace working machines becomes slightly more understandable.
  2. Update and patching costs: Every set of cybersecurity guideline states emphatically to keep endpoint software patched and up to date. Yet, medical device updates are not as straightforward as updating your average computer or enterprise device. Updates and patches usually have to be delivered, not by the software vendor, but by the device manufacturer, who has to make sure that the patches and updates don’t negatively affect the function of the device. That means there is often a significant delay between the patch release from the software vendor and when the medical device user receives it. Combined with the aforementioned reluctance to mess with a working machine, hospitals end up with a population of devices whose operating systems have not been patched in a long time – if ever.
  3. Management costs: Like most other major enterprises, hospitals systems have a diverse and complex collection of devices on their networks. Just among the medical devices, hospitals contend with thousands of roaming devices, from different vendors, of different ages, and running on various software. Keeping track of all that information is difficult, not to mention that it may be challenging just to find the devices in order to update them. Managing the inventory of medical devices, what needs to be updated and when, and the mechanics of the updates is normally a top challenge for a hospital system.

Data Diode to the Rescue

The risk/reward boils down to hospitals weighing the cost (money, time, human resources, etc.) of inaction against the costs of updating their medical devices. Unfortunately, the mounting pressure from cyberattacks has made this a problem that can’t be ignored. In the case of medical devices, the prevailing advice is: find and track all your unpatched devices, patch the ones you can, and replace the rest.

This advice, though, is about solving the problem of patching medical devices.

Patching is not necessarily the problem. The real problem is securing the medical devices.

Data diodes can secure medical devices in a way that takes into account the replacement, update, and management challenges around medical devices. Our manufacturing clients, who face the same challenges of old machinery and outdated software platforms, provide multiple examples of hardware-based security protecting critical legacy assets without having to deal with the software platform aspects of the device.

Therefore, in a similar model, data diodes can protect legacy medical devices, such as the 70% of devices that will still be using Windows 7 for the foreseeable future, without impacting the devices’ ability to support top-notch care. They can also protect devices that can’t be patched or replaced.

What do you think? How are you addressing the security problem your legacy medical devices present?

Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 3: The Device

In the previous two posts in this series, I talked about the reasons cybersecurity analysis on medical devices is necessary and some processes behind device analysis. In the next coupl...
October 21, 2020
Board inspection
Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 2: How We Do It

In my last post, I talked a bit about the cybersecurity challenges around medical devices. In this post, I want to tell you a bit about the process of device cybersecurity analysis, wi...
October 15, 2020
Device Assessment
Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 1: “It’s Not a Good Situation”

Relevant to this series, Owl’s Device Inspection and Analysis Lab focuses on security analysis of all sorts of devices, ranging from laptops, servers, and mobile devices; to securing op...
October 7, 2020