Jun 07, 2019
By Lisa Laczynski

BlueKeep and Healthcare

A high-profile Microsoft Windows operating system vulnerability was brought to the security community’s attention these past few weeks when Microsoft released a patch for it, taking the nearly unprecedented step of releasing a patch for several no-longer-supported operating systems. Labeled 2019-0708 on CNA’s list of Common Vulnerabilities and Exposures (CVE) for all the security geeks out there, it’s been nicknamed “BlueKeep,” and it’s particularly insidious for a number of reasons.

First, the vulnerability is resident in a number of unsupported Microsoft operating systems, meaning it hasn’t been addressed by normal patching updates as would be the case with supported OSes. Affected operating systems are:

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Second, the vulnerability enables remote attackers to assume control of the device without acquiring login credentials. Not only is every internet-connected device exposed to a simple attack vector, but any vulnerable devices on a network can be easily compromised after a single internet-connected device is successfully penetrated (i.e., installed malware can spread rapidly from device to device). The viral potential of this vulnerability is therefore akin to 2017’s WannaCry malware, understandably raising eyebrows in the cyber security community, and even prompting a warning from the US National Security Agency (NSA):

“The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats… Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.”[1]

Finally, the healthcare community is particularly susceptible to this vulnerability because so many connected medical devices are running older operating systems:

“70% of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020.”[2] 

Without question, the BlueKeep vulnerability is serious, but it is by no means unique. Vulnerabilities will continue to be identified by the good guys (white hats) and the bad (black hats), and the healthcare community will continue to be a prime target, as it has the unfortunate combination of 1) many vulnerable systems, and 2) exceptionally valuable data:

“The average social security number can be purchased on the dark web for around $15, but a medical record with all of the personal information attached can go for $60 or more.”

[1] https://www.techspot.com/news/80407-nsa-announcement-advises-legacy-windows-users-patch-their.html

[2] https://www.fiercehealthcare.com/tech/medical-devices-running-legacy-windows-operating-system