Compromised operational technology (OT) devices pose a significant cyber risk to hospitals, threatening not only sensitive data but also patient lives. Recent vulnerabilities discovered in devices from Siemens and Advantech highlight the urgent need for enhanced security measures. These devices, which include infusion pumps, ventilators, and imaging systems, form the backbone of clinical operations. Flaws in their security can lead to catastrophic outcomes, as seen in past incidents.
The vulnerabilities in Siemens imaging and control systems potentially allow attackers to bypass authentication protocols or crash essential equipment. Similarly, Advantech platforms have been found to have remote code execution vulnerabilities, confirmed by researchers as exploitable. These weaknesses create opportunities for ransomware attacks, which have previously resulted in severe disruptions in hospital operations. For example, during the DCH Health ransomware event, ambulances were rerouted from critical care patients, while the CommonSpirit incident delayed treatments across multiple states for weeks.
Healthcare’s Vulnerability to Cyber Attacks
Healthcare has become a prime target for cyber criminals. According to the Picus Blue Report, even hospitals employing multiple layers of security controls still face significant detection and prevention gaps. This is particularly true for monitoring east-west traffic within hospital networks, which often fails to catch lateral movements. Such oversights enable attackers to move from compromised OT devices to electronic health records or administrative systems with ease.
Several factors contribute to the heightened vulnerability of healthcare facilities. Many OT devices rely on outdated software that cannot be patched without disrupting clinical operations, a situation that significantly impacted the NHS during the WannaCry incident. Additionally, long refresh cycles mean that high-value equipment like MRI machines may remain in use for decades, far exceeding typical IT lifespans. The flat network architecture in many hospitals, where clinical devices are interconnected with corporate systems, further exacerbates risks. Operational constraints in hospitals also mean that taking devices offline for updates can directly affect patient care.
These conditions create a challenging environment for cybersecurity. Attackers recognize the high stakes, understanding that hospitals are often willing to pay ransoms quickly to restore essential services.
Rethinking Cybersecurity in Healthcare
In light of these challenges, chief information security officers (CISOs) in healthcare must reconsider their strategies for managing cyber risks. Traditional approaches that focus on patching every vulnerability are insufficient. Instead, healthcare organizations should adopt a more modern approach that emphasizes continuous validation and risk-based prioritization.
Continuous validation involves simulating real-world attacks across both OT and IT environments. Research from Picus Security indicates that less than 2% of vulnerabilities labeled as high or critical are truly exploitable within a given context. By regularly testing security controls against actual attack techniques, hospitals can identify which vulnerabilities are neutralized and which require immediate attention. This proactive approach prevents wasted resources on issues that have already been mitigated.
Prioritizing vulnerabilities based on risk and context is also essential. Not every high-severity Common Vulnerability and Exposure (CVE) requires an urgent response. For instance, a flaw in an isolated lab device may be less critical than a vulnerability affecting patient monitoring software on the main clinical network. When patching is not feasible, alternative mitigations, such as updated intrusion prevention rules or endpoint detection signatures, should be employed to minimize risk.
To further enhance security, hospitals should engage in continuous testing of their resilience. Breach and attack simulations, along with red and blue team exercises, help uncover blind spots that traditional scanners may miss. By mapping potential attack paths across OT and IT networks, hospitals can close off pivot points before they can be exploited.
Collaboration with stakeholders across the organization is crucial for effective cybersecurity. CISOs must work closely with clinical and operational leaders to foster a culture of security awareness. Transparent reporting, including evidence-based exposure scores, can help build understanding and support for necessary investments in cyber defense strategies that ultimately support patient care.
Healthcare security leaders are under immense pressure due to constrained budgets, complex regulatory requirements, and a constant barrage of cyberattacks. By focusing on reducing real risks, restoring control, and ensuring continuity of care through modernized security practices, healthcare organizations can protect both their systems and the patients who depend on them. Every minute of downtime is critical when lives are at stake, making it essential to prioritize the protection of OT devices and overall hospital security.
