Ultrasound Cybersecurity: Here’s what you need to know

Why IT professionals are demanding Windows 10 on your ultrasound

Last week Microsoft officially ended security updates for Windows 7, an operating system that drives many of the most popular ultrasound machines.

What this means is that most ultrasound machines are now out of compliance with most healthcare organizations' security policies. And this creates a scare for cybersecurity and IT departments worldwide.

And this isn't related to just ultrasound machines. In fact, it created a problem for most connected medical devices, including CT, MRI, X-Ray and a host of other devices with Windows as their operating systems.

This is not limited to medium and large scale healthcare systems. Smaller healthcare facilities and private practices are affected, too. It's just that the smaller organizations don't have an IT Department to warn (and protect) them from potential threats.

Now, IT Departments and administrators must balance the cost-effectiveness of upgrading their equipment to only high-end systems running Windows 10. For ultrasound, nearly all systems that run Windows 10 are high-end systems released (or upgraded) in 2019.

But this doesn't mean you need to put a Tin Hat on your medical devices and take extreme measures. For many, it's not practical. And frankly, it's not easy to hack an ultrasound machine in such a way that it could create an expensive data breach. More on that later.

Recently we ran into a few organizations that had to make these decisions:

• Is it practical to spend more than $130,000 on the most secure ultrasound machine, even if you don't need it or can't afford it? For some, this answer is "yes." For others, it simply isn't financially possible.
• Is it practical and cost-effective to install USB locks on every computer and device in your healthcare network? For one healthcare network, the answer was "yes" and they installed 15,000 locks to restrict access to USB ports.

Crazy, right?

Not really.

For some organizations, extreme measures make sense because the alternative is a nightmare. Data breaches were estimated to cost the Healthcare industry more than $4 Billion in 2019, according to Black Market Research.

Experts estimate the cost of a data breach costs more than $400 per record affected.

So yeah, it's a big deal. So what does it mean...

What is an ultrasound "data breach"?

A data breach is a situation where an unauthorized user gained access to the network or medical device and performed something such as: an attack on a network, stole data, or altered a patient's medical information (including replacing or altering images).

The most common ways a hacker could accesses an ultrasound system include:

• Gaining access through remote desktop
• Installing a virus via a USB stick
• Accessing an ultrasound that is not protected by a password

Once they gain access, they can:

• Launch a ransomware attack, demanding money with threats of releasing, deleting or altering patient images/data. This happened: Michigan Medical practice to close after a data breach.
• Steal patient data.
• Alter images or patient data to show an incorrect diagnosis.
• Potentially attack the entire network of connected devices.

This is scary, but is it real?

It's real, but it's very uncommon for someone to hack into an ultrasound machine. It requires a lot of work and is likely to return little reward.

In fact, there are very few known attacks on ultrasound machines. And these attacks came through a compromised network, not the actual ultrasound machine.

Additionally, these attacks could only exploit systems running Windows 2000, a 20-year old operating system that is found on very old ultrasound machines. Most are running an embedded version of Windows XP, Windows CE, or Windows 7.

So, if you're a hacker, is it really worth it? Probably not. That's a lot of time spent attempting to hack a single ultrasound machine to steal/alter patient data from that particular machine.

However, as more devices become connected, the vulnerabilities grow. And your network is only as safe as the weakest link... granted, the weakest link is most often an unattended or unsecured office PC.

Windows 10 IoT and your ultrasound

Windows 10 IoT (formally known as Windows 10 Embedded) is the new Operating System of choice for medical devices. So what makes it special? There are a few key things:

1. It is currently supported by Microsoft, and security updates and patches are available. Duh.
2. It offers a "Whitelisting" feature in which the manufacturer selects the only applications that can run on the system. This eliminates the threat of anyone trying to install malware or viruses on your ultrasound.
3. It is designed specifically for devices that fall into the category of Internet of Things.

This "IoT" version of Windows 10 is specifically designed for manufacturers. It is a limited, faster version of the operating system that can be customized by the manufacturer to do (or not d0) certain things. It was previously known as Windows Embedded, for which there were versions of all Windows operating systems going back to Windows NT 4.0.

Can I install Windows 10 IoT on my ultrasound machine?

Nope. Sorry. This is not an option. Installing Windows 10 on your ultrasound machine, or most any medical device, can't be done by an end user. Here's why:

• It will probably break your ultrasound. Ultrasound software is built for a specific operating system. Upgrading the Operating System could cause crashes, cripple, or render your ultrasound inoperable.
• It may require FDA Approval. Changing the operating system may require the manufacturer to send the machine back to the FDA for approval... this costs money and it doesn't help them sell new machines.
• Windows 10 IoT cannot be purchased. It is created specifically for Manufacturers who customize this embedded operating system for their specific needs.
• Good luck installing it. You need a proprietary service dongle and special password to access the Windows desktop on an ultrasound machine. Even if you get access, it may lock you from installing any software at all.

This is why medical IT departments are "nagging" you

There are no "official" protocols for cybersecurity in healthcare organizations. So, your IT professionals must find the best way to protect their systems within the most reasonable, non-restrictive, tin-hat wearing solutions.

That's really hard to do, especially considering that there are hundreds or thousands of devices connected to their network. They can't monitor every single one.

And it only gets worse. Eighty-seven percent of healthcare institutions are expected to use IoT technologies by the end of 2019, with nearly 650 million IoMT (Internet of Medical Things) devices in use by 2020.

For small-to-large organizations that are the most likely targets, this is big. Especially those that cannot afford a cybersecurity expert, much less upgrading all their systems.

For small offices and private practices, the benefits of taking extreme measures don't really outweigh the potential liabilities.

What you can do to protect yourself

There are a few easy things that everyone can do on their ultrasound to help protect their machines. You should do this for each medical device that has these options. Note: if you have a lower-cost machine, it's unlikely you have these options, and it's also unlikely that the machine is running Windows.

• Enable User Permissions and Password protection if your ultrasound has it.
• Log off when the ultrasound is not in use.
• Keep the ultrasound in a locked room when not in use
• If you're feeling extreme, put a lock on the easy-to-access USB ports if they're not being used.
• Hire an IT Consultant specializing in Cybersecurity.
• Hire an IT Consultant specializing in Cybersecurity.
• Hire an IT Consultant specializing in Cybersecurity.