Windows 7 End-of-Life: What it means for medical devices
This is part 1 of a 4-part series on how OEM healthcare organisations can transition their medical devices in preparation for Windows 7 end-of-life (EOL). Part 1 covers the background of the issue, part 2 will outline the virtualisation option, part 3 will review the user interface option, and part 4 will explain how to manage ongoing security and devices updates.
All parts are guest blogs written by Amar Parmar, Wind River.
In January 2020, Windows 7 is set to expire, and support for many versions of Windows CE and Windows Embedded has ended or will end soon. Millions of medical devices currently run these operating systems (OSs). Without proper end-of-life management and a transition to supported and secure OSs, these medical devices will become highly susceptible to malware and other cybersecurity risks.
Windows 7 support is set to end in January of 2020.
So, what can be done? The easiest solution would be to simply upgrade the device OS. Unfortunately, this can cost OEMs thousands of dollars per device on an ongoing basis and is therefore not a viable long-term solution. OEMs must find a way to maintain device security by using new solutions that allow for ongoing upgrades. Let’s explore how we ended up in this risky situation.
A Hypothetical Scenario
Mike looked out of his office window. While his eyes were focused on the greenery between the hospital buildings, his mind was far away. He was trying to figure out how his organisation was going to recover from the latest cybersecurity issue they were facing: WannaCry ransomware at the hospital, infecting critical devices. Two years previously, in 2017, WannaCry had been discovered, and it forced U.K. hospitals to suspend normal services and accept only emergency patients. By now, in 2019, Mike and his team had thought that their organisation was immune to the virus. After all, they had patched most of their computers, laptops, and servers. They had not, however, foreseen that Windows-powered medical devices could become infected and allow the malware to spread.
An Industry-Wide Problem
Unfortunately, Mike and his team represent the rule rather than the exception. Medical device security is an enormous problem facing healthcare organisations. While legacy systems present vulnerabilities to known malware, upcoming changes to Windows operating systems present an even bigger challenge.
Outdated systems on medical devices leave healthcare organisations vulnerable to malware and other cybersecurity threats.
Medical Devices and Windows
Many medical devices run Windows, which has provided medical device OEMs with two compelling value propositions: it allowed programmers to create engaging graphical user interfaces (GUIs) or user interfaces (UIs) quickly and easily, and it allowed programmers to create and debug software on their development machines, then transfer that software to an embedded medical device with little to no modification.
The Windows versions that became popular were Windows CE, Windows Embedded, and Windows 7. Some of these operating systems are no longer supported, and support for others, such as Windows 7, is set to expire in January 2020. As with any software, this is a natural evolution: to keep devices secure and maintained, the software has to be upgraded to the latest version, which for Windows currently means Windows 10. Since Microsoft has moved Windows to a “modern lifecycle policy”, a particular version of Windows 10 is supported for a maximum of 30 months. Unfortunately, according to a recent security report, this new paradigm is going to leave 71% of Windows-based medical devices unsupported.
Although medical device OEMs are scrambling to get in front of this issue, there are no easy paths forward. Often, upgrading the operating system means upgrading the processor and motherboard, which implies a full device refresh. After that, the medical device software has to be retested and revalidated. This assumes that the software does not break with the underlying operating system upgrade. That assumption, however, is not realistic. Hence medical device OEMs will be forced into a full device upgrade cycle that affects the motherboard, processor, operating system, medical application, and associated libraries.
OEMs need a way to quickly upgrade current devices and manage long-term support.
The size of the problem is immense. Looking at it conservatively, according to 2018 VDC reports, there are roughly 5-8 billion medical devices in the field, of which roughly 20%-25% run Windows, and 70% of those run on unsupported software. That means that there are at least 700M devices that will expand the attack surface. Upgrading would cost OEMs about $2,500 per device. Thus, the magnitude of this problem runs to $2 billion or more.
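As an added illustration (not code from this post or from Wind River), the following Python applies the lifecycle rules stated above, Windows 7 support ending in January 2020, a 30-month support window per Windows 10 release, and the $2,500 per-device upgrade estimate, to a constructed device inventory so an organisation can see which assets are already out of support and what remediation would cost. The asset names, the Windows CE vendor end-of-life date and the Windows 10 release dates are assumptions for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lifecycle rules from the post. Windows 7 extended support ended on
# 14 January 2020; a Windows 10 release is supported for at most 30 months.
WINDOWS7_EOL = date(2020, 1, 14)
WINDOWS10_SUPPORT_MONTHS = 30
UPGRADE_COST_USD = 2500  # per-device upgrade estimate quoted in the post


@dataclass
class Device:
    asset_id: str
    os_family: str                      # "Windows 7", "Windows 10", "Windows CE", ...
    os_release: Optional[date] = None   # release date of the Windows 10 build
    vendor_eol: Optional[date] = None   # explicit vendor end-of-life, e.g. for CE


def add_months(d: date, months: int) -> date:
    """Advance d by `months`, clamping the day to the target month's length."""
    years, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def support_end(dev: Device) -> Optional[date]:
    """Date after which the device's OS receives no security updates (None = unknown)."""
    if dev.os_family == "Windows 7":
        return WINDOWS7_EOL
    if dev.os_family == "Windows 10" and dev.os_release is not None:
        return add_months(dev.os_release, WINDOWS10_SUPPORT_MONTHS)
    return dev.vendor_eol


def triage(devices, today_iso: str) -> dict:
    """Flag devices whose support has ended (or is unknown) and cost their upgrade."""
    today = date.fromisoformat(today_iso)
    unsupported, supported = [], []
    for dev in devices:
        end = support_end(dev)
        # Unknown end-of-support is a finding, never treated as "still safe".
        bucket = unsupported if end is None or end <= today else supported
        bucket.append((dev.asset_id, end.isoformat() if end else None))
    return {"unsupported": unsupported, "supported": supported,
            "estimated_upgrade_cost_usd": len(unsupported) * UPGRADE_COST_USD}


# Constructed sample inventory; asset ids and dates are made up for illustration.
FLEET = [
    Device("INFUSION-01", "Windows 7"),
    Device("MONITOR-02", "Windows CE", vendor_eol=date(2018, 4, 10)),   # assumed EOL
    Device("IMAGING-03", "Windows 10", os_release=date(2017, 10, 17)),  # assumed release
    Device("IMAGING-04", "Windows 10", os_release=date(2019, 5, 21)),   # assumed release
    Device("LAB-05", "Windows Embedded"),                               # EOL not recorded
]

if __name__ == "__main__":
    print(triage(FLEET, "2020-02-01"))
```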
Transition Systems to Manage Windows 7 End-of-Life
The Windows 7 end-of-life problem cannot be ignored without dire consequences. While upgrading systems seems like the easiest solution, budgetary restrictions and long-term costs must be considered. The most cost-effective, long-term solution is to maintain applications written for an older version of Windows while ensuring a path forward for continuous security updates. Organisations can achieve this by using virtualisation, or by modernising user interfaces (UIs) to match workflows, while ultimately transitioning to an alternative embedded OS.
For more details on how organisations would implement these Windows 7 end-of-life transition options, look out for our upcoming blog posts on how to upgrade devices using virtualisation and how to simplify the transition to embedded systems with modern user interfaces (UIs).
For more information on how to transition your systems away from Windows 7, download the eBook Managing Windows 7 End of Life in Embedded Systems. Or, to find out how Wind River can help, talk to a Windows end-of-life expert.
Courtesy of Wind River.