Cybersecurity vulnerabilities in operational technology (OT) devices pose significant risks to hospitals, threatening not only data security but also patient safety. Recent findings highlight critical flaws in devices from major manufacturers like Siemens and Advantech. These devices, essential for monitoring and treatment, are increasingly targeted by cybercriminals.
A recent analysis revealed vulnerabilities in Siemens imaging and control systems that could allow unauthorized access or disrupt operations. Similarly, Advantech’s industrial platforms contain vulnerabilities that could enable remote code execution. Such weaknesses are alarming since these devices are integral to patient care, forming a network crucial for monitoring and medical imaging.
Impact of Cyber Attacks on Healthcare Operations
The consequences of compromised OT devices can be dire. During the DCH Health ransomware attack, ambulances were rerouted from critical care patients, illustrating how cyber incidents can directly affect emergency services. The CommonSpirit incident delayed treatments across multiple states, undermining trust in healthcare systems.
Healthcare remains a prime target for cybercriminals. According to the Picus Blue Report, even healthcare organizations employing multiple layers of security still face detection and prevention gaps. Systems meant to monitor internal network traffic often fail to detect lateral movement, allowing attackers to move from compromised OT devices to sensitive electronic health record systems.
Several factors contribute to the heightened vulnerability of healthcare environments. Many OT devices operate on outdated software that cannot be easily updated without disrupting clinical services. This was notably evident during the WannaCry attack on the NHS, where legacy systems posed significant challenges.
The long lifespan of medical equipment such as MRI machines often extends beyond typical IT refresh cycles, complicating security efforts. Additionally, interconnected clinical and administrative systems create pathways for attackers, making it easier to access sensitive data once a device is compromised. Operational constraints in healthcare further complicate these issues, as taking devices offline for updates may jeopardize patient care.
Rethinking Cybersecurity Strategies in Healthcare
Given these challenges, healthcare Chief Information Security Officers (CISOs) must adopt a new approach to managing cyber risks. Traditional methods of patching every vulnerability are insufficient. Instead, organizations should focus on continuous validation and risk-based prioritization in their cybersecurity strategies.
Continuous validation involves simulating real-world attacks to identify exploitable vulnerabilities within the network. The Picus Exposure Validation research indicates that less than 2% of vulnerabilities classified as high or critical are actually exploitable in specific environments. This insight allows security teams to concentrate resources on vulnerabilities that pose genuine risks.
Prioritization based on context is equally essential. Not every identified vulnerability requires immediate action. For example, a flaw in a device used in an isolated lab may not be as pressing as a vulnerability in critical patient monitoring software. By assessing the importance of assets and existing controls, hospitals can allocate resources more effectively.
In situations where patching is not feasible, alternative mitigations should be implemented. Updated intrusion prevention rules or enhanced endpoint detection signatures can provide temporary protection, allowing healthcare organizations to manage risks without compromising patient safety.
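The three preceding paragraphs describe one workflow: validate which findings are actually exploitable in the environment, weigh them by asset criticality and existing controls, and fall back to compensating mitigations where patching would disrupt care. The following Python sketch is an added example of that workflow, not code from Picus or from the article; the finding identifiers, the control-effectiveness values, the action threshold and the four sample findings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed assumption: how much each compensating control discounts the
# chance of successful exploitation. A real program would derive these from
# its own validation (simulated-attack) results rather than fixed guesses.
CONTROL_EFFECTIVENESS = {
    "network_isolation": 0.7,  # device segmented away from the clinical network
    "ips_rule": 0.5,           # intrusion prevention signature for the exploit
    "edr_signature": 0.4,      # endpoint detection rule on the host
}

ACT_NOW_THRESHOLD = 0.3  # constructed cut-off above which a finding needs action


@dataclass
class Finding:
    finding_id: str               # placeholder id, not a real CVE number
    asset: str
    cvss: float                   # scanner/vendor base severity, 0-10
    validated_exploitable: bool   # did a simulated attack succeed against this device?
    asset_criticality: int        # 1 = isolated lab gear ... 5 = live patient monitoring
    controls: List[str] = field(default_factory=list)  # mitigations already deployed
    patchable: bool = True        # can it be patched without interrupting care?


def exposure_score(f: Finding) -> float:
    """Context-aware exposure in [0, 1]: severity x asset criticality, then
    discounted by the validation result and by controls already in place."""
    score = (f.cvss / 10.0) * (f.asset_criticality / 5.0)
    if not f.validated_exploitable:
        score *= 0.1  # keep a residual: "not exploitable today" is not "never"
    for control in f.controls:
        score *= 1.0 - CONTROL_EFFECTIVENESS.get(control, 0.0)
    return score


def recommend(f: Finding) -> str:
    """Patch when the device can tolerate it; otherwise name the compensating
    controls that are still missing; below the threshold, just keep watching."""
    if exposure_score(f) < ACT_NOW_THRESHOLD:
        return "monitor"
    if f.patchable:
        return "patch_now"
    missing = [c for c in CONTROL_EFFECTIVENESS if c not in f.controls]
    return "apply_controls:" + ",".join(missing)


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Rank findings by residual exposure, highest first, with an action each."""
    ranked = sorted(findings, key=exposure_score, reverse=True)
    return [(f.finding_id, round(exposure_score(f), 4), recommend(f)) for f in ranked]


# Constructed sample findings: same kind of mix a hospital scan might return.
SAMPLE_FINDINGS = [
    Finding("FIND-001", "patient-monitor-gateway", 9.8, True, 5, [], patchable=False),
    Finding("FIND-002", "lab-analyzer-07", 9.1, True, 1, ["network_isolation"]),
    Finding("FIND-003", "mri-console", 7.5, False, 4, []),
    Finding("FIND-004", "ehr-integration-server", 8.8, True, 4, ["edr_signature"]),
]

if __name__ == "__main__":
    for finding_id, score, action in prioritize(SAMPLE_FINDINGS):
        print(f"{finding_id:10} {score:.4f}  {action}")
```

Note how the two findings with the highest raw CVSS land at opposite ends of the list: the unpatchable patient-monitor gateway stays at the top and gets a concrete list of compensating controls to deploy, while the equally severe lab analyzer drops to the bottom because it is both low-criticality and already isolated.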
Continuous testing of resilience is vital. Regular simulations and red/blue team exercises can reveal vulnerabilities that standard security scans might miss. Mapping potential attack pathways across OT and IT networks helps hospitals identify and address weak points before they can be exploited.
Collaboration with clinical and operational leaders is crucial for fostering security awareness. CISOs should ensure that security measures align with patient care objectives. Transparent reporting, including exposure scores, can facilitate understanding and support for cybersecurity initiatives.
Healthcare security leaders operate under considerable pressure, facing budget constraints and complex regulatory requirements. By focusing on reducing actual risks and ensuring continuity of care, organizations can enhance their defenses against cyber threats. Implementing continuous validation, context-aware prioritization, and multi-layered security measures can significantly lower exposure, improve patient safety, and reinforce trust.
In the high-stakes environment of healthcare, prompt action is essential. Every moment that systems are down can have serious implications for patient lives. By modernizing vulnerability management and securing OT devices, hospitals can better protect not just their operations but also the well-being of their patients.
Sıla Özeren is an associate security research engineer at Picus Security. She holds an MSc in cryptography from the Institute of Applied Mathematics at METU, where she focused her thesis on the CRYSTALS-Kyber algorithm and its implementations.