Healthcare organizations (HCOs) are increasingly at risk from legacy operating systems, device complexity and the use of commonly exploited protocols, according to a new study from Forescout.

The security vendor analyzed 75 global healthcare deployments running over 1.5 million devices across 10,000 virtual local area networks (VLANs).

It found that although less than 1% were running unsupported operating systems, 71% of Windows devices were on Windows 7, Windows 2008 or Windows Mobile, which will be end-of-lifed in January 2020 — less than a year away.

These HCOs are further exposing themselves to threats by using high-risk services like SMB, which was exploited in the infamous WannaCry attacks, as well as RDP, FTP and others. Some 85% of Windows devices had SMB turned on, while over a third (35%) were running RDP, which is commonly used in fileless attacks.

The sheer range of medical devices in use also presents greater cyber-risks, especially as many aren’t architected with security in mind, the report claimed.

A third (34%) of organizations’ medical VLANs were found to support more than 100 distinct device vendors. Even more are likely to exist on other networks.

Patching is often problematic due to the criticality of these devices and the fact that, in some cases, doing so invalidates the product’s warranty.

Even worse, in many cases, vendors are responsible for patching themselves, and sometimes devices are connected to the network without the oversight of IT, claimed the report.

Forescout argued that VLANs could help HCOs mitigate risk by segmenting their networks. However, in half (49%) of the deployments studied, medical devices were connected to 10 VLANs or fewer, suggesting insufficient investment in this strategy.

“Our findings reveal that healthcare organizations have some of the most diverse and complex IT environments, which are compounded due to compliance risks,” argued Elisa Costante, head of OT and industrial technology innovation at Forescout.

“Every time a patch is applied, there is concern around voiding a warranty or impacting patient safety. These organizations are dealing with life-saving devices and extremely sensitive environments.”

Although there has been an explosion in OT (8%) and IoT (39%) devices in recent years, the biggest potential attack surface on medical VLANs came from regular IT devices (53%), the report claimed.