Posted on Health IT Security by Jessica Davis

While most organizations in other sectors have steadily shifted to Windows 10 in recent years, more than half of healthcare providers still use legacy platforms that no longer receive security updates.

More than half of healthcare organizations are still operating on outdated Windows 7 operating systems, leaving providers much more vulnerable to malware or other cyberattacks like WannaCry, according to new research from Duo Security, part of Cisco.

The findings support a recent Forescout report that showed 70 percent of IoT and medical devices will be running on outdated Windows platforms by 2020.

The Duo Labs research team analyzed data from about 24 million devices, over 1 million applications and services, and more than 500 million authentications a month across Duo’s customer base in North America and Europe.

The researchers found that just 44 percent of healthcare organizations have implemented Windows 10, with 56 percent still operating legacy Windows 7. Healthcare is the “most Windows-dominated industry,” yet it has been slow to adopt Windows 10.

In fact, more than half of all healthcare endpoints, or 500,000 devices, run legacy Windows platforms. By contrast, Windows 10 is found in 65 percent of organizations in all other sectors, compared with 29 percent still using legacy platforms.

“Healthcare organizations use internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry,” the researchers wrote.

“Updating operating systems across enterprises with complex IT models and large fleets of devices is no easy feat,” they added. “Running an older OS can increase an organization’s vulnerability to attack… Out-of-date devices are more susceptible to vulnerability and can introduce risk to an organization.”

The issue is that Microsoft will stop releasing patches for Windows 7 on January 14, 2020. Unpatched legacy devices are also the reason the WannaCry attack in 2017 was able to proliferate: the malware exploited a vulnerability in Windows 7 and Windows Server 2008 systems, which allowed 400,000 devices to be infected across the globe.

One of the largest victims of the cyberattack was the UK National Health Service, where about one-third of its trusts and 8 percent of its provider offices were impacted. Of those systems infected with WannaCry, Microsoft said 98 percent were running some version of Windows 7.

Also adding to concerns is a new RDP vulnerability found in legacy Windows 7, Server 2008, and XP, platforms that are no longer maintained by Microsoft and do not receive patches to close security gaps.

The tech giant was so concerned by WannaCry’s impact that it released a rare patch for the RDP flaw to prevent another global cyberattack. The Department of Homeland Security also urged all organizations to patch, and Microsoft repeated its call to patch soon after.

Given the lack of resources and IT staffing gaps, simply transitioning off legacy platforms is not always feasible for providers. Soon after Microsoft released its rare patch, Oleg Kolesnikov, Head of Securonix Threat Research Labs, told HealthITSecurity.com that it’s critical to shore up vulnerable endpoints when implementing a new system isn’t an option.

“There’s a saying, it’s almost like candy with a hard, external shell and a softer core for the internal organization,” he said. “It applies to healthcare, with its critical operations: healthcare is the most mission critical, and it’s often not feasible to take systems down or patch in a timely manner.”