A friend who is a medical doctor has a medical imaging device that exports small jpg files by providing a Samba share. It runs a heavily modified version of Windows 2000 and only supports SMBv1. SMBv1 is utterly insecure and was already used by ransomware to infect hosts. There is no support available for Windows 2000 or from the device manufacturer anymore.
Despite its age, the device is "medically" up to date and a replacement would cost multiple 10,000s of euros. We would like to isolate the medical device, as a ransomware attack would certainly render the device unusable.
I bought a cheap OpenWRT router to mount the SMBv1 share from the medical device and re-share it with a newer Samba server, hiding the medical device behind that router. It worked at first, but re-sharing network shares is discouraged and resulted in recurring problems in production that I couldn't easily fix.
The workflow is as follows: During medical examinations, pictures are taken. These are stored on the device and shared via SMBv1. Later, the pictures are manually retrieved by the PC in the doctor's office and deleted. Speed isn't too important; there are like 5 pictures of a few MiB each. They don't have to be immediately available, as he retrieves the pictures only after he has ended the examination. Reliability is important, as lost pictures would cause the examination to be repeated.
What is the best option to isolate the medical device from the network while reliably allowing reading and deleting the pictures taken?