On May 14, Microsoft published an advisory for a newly discovered remote code execution vulnerability. Given the identifier CVE-2019-0708, the vulnerability has been more popularly named “BlueKeep.”
According to the advisory, BlueKeep has the potential to impact devices, clients and servers running Microsoft’s Windows 7, Windows Server 2008, Windows Server 2003, Windows XP and embedded variations. It works by usurping the pre-authentication process involved in remotely connecting to the device through a Microsoft server, which opens the door to unauthorized remote code execution. More specifically, if a device’s remote desktop services (RDP) are enabled and TCP port 3389 is accessible, arbitrary code can be executed without any user interaction.
Though industry-agnostic in its nature, the BlueKeep vulnerability presents a huge attack surface that, like Wannacry before it, bears particular relevance to hospitals and medical devices.
Hospitals have extensive networks supporting the thousands of devices they utilize on a daily basis; however, owing to the difficulty and costs involved in continuous upgrade and replacement, healthcare systems and assets tend to disproportionately rely on legacy technologies. The combination of a large attack surface, easy paydays and an aged technology ecosystem has made health care the most targeted industry for ransomware attacks. If hospitals are not careful, vulnerabilities such as BlueKeep could end up being their downfall.
While current regulations and guidance largely protect the market from an influx of products that are vulnerable at the time of release, oversight in the post-market phase is lacking—constituting, at least presently, the much more serious threat.
Pre-market threats are, on the whole, easier to mitigate. Even though medical devices typically take five to six years of testing and clinical trials before receiving FDA approval, they usually are designed with a reasonably accurate understanding of the cyber-risk landscape in which they will be deployed initially. Even when vulnerabilities are discovered between the point of design and the point of delivery, it is usually fairly straightforward for the manufacturers to cross-reference their product lines against repositories such as the National Vulnerability Database and take the necessary steps to patch or otherwise redress problems before the device ships.
Post-market, things become considerably more complex. Not only do administrators need to contend with multi-vendor environments, but as time goes on, they also need to contend with more and more with multi-generational product versions—all of which may have vastly different security implications. It’s a lot to keep track of and almost inevitably things will fall through the cracks, which is why vulnerabilities such as BlueKeep pose such a grave danger.
Post-market vulnerability remediation and management requires real-time inventory insights, granular device risk profiling and constant disclosure monitoring. Even with all of that information, once deployed it often is difficult for hospitals to extricate certain devices for any reason, and the act of updating or patching can be viewed as disruptive to continuous patient care. For this reason, hospitals often forgo updates, leaving known risks in play.
As the digital threats to our personal information and even our physical safety grow, hospitals will need to put more of an emphasis on cybersecurity. Health care is already giving hackers a “kid in the candy store” experience, and without a more concerted effort to inject forward-facing cyber-awareness, planning and tools, things will only get worse. As scary as it is, the silver lining to BlueKeep is that it just might provide our industry with the kick to the rear that it needs.
Patients need to feel safe in the belief that the medical equipment essential to their care will work as designed. If we can’t give our most vulnerable citizens a basic sense of safety and security in the confines of a medical facility, we undermine the core of the social contract on which modern society is built.