The healthcare sector continues to face mounting cyber threats, with high-profile incidents exposing the fragility of digital infrastructure within hospitals and healthcare delivery organisations (HDOs). Ransomware attacks such as the one targeting Change Healthcare in 2024 have underscored the financial and operational risks associated with insecure cyber-physical systems (CPS). With attackers exploiting known vulnerabilities and insecure connectivity across millions of devices, healthcare’s digital transformation journey is increasingly imperilled by cybersecurity challenges. The data reveals that exposures span the entire hospital ecosystem—from critical patient care systems to behind-the-scenes operational technologies, placing both financial viability and patient safety at stake. 
 

Ransomware and the Critical Weaknesses of Hospital Infrastructure 

Hospitals and HDOs are prime targets for cybercriminals, particularly ransomware gangs that have weaponised healthcare’s operational urgency. Entities such as Black Basta and BlackCat/ALPHV have led some of the most disruptive attacks, impacting systems essential for patient care, diagnostics and financial transactions. These attacks go beyond simple encryption; modern double and triple extortion techniques include credential theft, data exfiltration and even distributed denial-of-service threats. The financial impact is staggering, with ransom demands often reaching millions of dollars, in addition to recovery costs and reputational damage. 
 

A significant contributor to healthcare’s vulnerability is its dependence on legacy technology. Many devices still operate on outdated or unsupported systems, which not only attract attackers but also slow down patching efforts. In addition, the validation processes required by regulatory bodies like the FDA further delay the deployment of cybersecurity updates, giving adversaries a broader window of opportunity. These conditions, combined with insecure device connectivity, result in a sprawling attack surface that is difficult for security leaders to manage effectively. 
 

 

Pinpointing the Most At-Risk Devices and Systems 

The analysis of over 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 operational technology (OT) assets across 351 HDOs reveals systemic vulnerabilities. Notably, 99% of the organisations surveyed were found to operate devices with confirmed known exploited vulnerabilities (KEVs), and 89% had systems that were both vulnerable and insecurely connected to the internet. This exposure includes devices tied to critical patient care, such as imaging systems, hospital information systems (HIS) and patient monitors. 
 

HIS platforms, often the hub for clinical, administrative and financial operations, are particularly attractive targets due to their centrality and the sensitive information they store. Nearly half of these systems were found to contain KEVs, with 20% being simultaneously vulnerable and connected in insecure ways. Imaging systems such as MRI and CT scanners are similarly exposed, with 8% carrying ransomware-linked KEVs while being accessible online. Patient monitoring devices—especially those used in remote or critical care scenarios—present unique risks due to poor design decisions, such as hardcoded connections to unsecured networks. Even surgical tools and OT systems, like building management and temperature control networks, though smaller in number, pose severe risks if compromised, as they can disrupt surgeries or medication storage conditions. 
 

Strategic Exposure Management: A Framework for Mitigation 

Given the breadth and depth of healthcare’s cyber vulnerabilities, traditional patch management is no longer sufficient. A comprehensive exposure management strategy is necessary—one that considers not just software flaws but also insecure communication protocols, default credentials and connectivity weaknesses. Mitigating these risks requires a five-step framework focused on identifying exposures, prioritising them based on business and clinical impact, and taking action to remediate or isolate high-risk systems. 
 

First, healthcare organisations must perform a detailed inventory to map all devices and their interdependencies. Second, they must prioritise exposures that combine multiple risk factors, such as ransomware-linked KEVs with insecure internet access, rather than relying solely on standard CVSS scores. This refined focus enables faster, more effective remediation. Third, deploying compensating controls, particularly for devices subject to regulatory constraints on software updates, is vital. Fourth, validating the real-world accessibility of vulnerabilities can help distinguish between theoretical and urgent threats. Lastly, mobilisation of security resources and clear communication across IT, biomedical and administrative teams ensures risks are addressed without disrupting patient care. 
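The prioritisation and compensating-control steps above, sketched as an added example (not code from the Claroty report or this article). The tier boundaries, field names and sample inventory are assumptions constructed for illustration; the point is that combined risk factors reorder the queue compared with sorting by CVSS alone.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    cvss: float              # highest CVSS base score among open findings
    has_kev: bool            # carries a known exploited vulnerability (KEV)
    ransomware_kev: bool     # that KEV is linked to ransomware use
    insecure_internet: bool  # insecurely connected to the internet
    patient_care: bool       # failure directly affects patient care
    patchable: bool          # False: update blocked pending validation

def tier(d: Device) -> int:
    """Lower tier = more urgent. Boundaries are illustrative assumptions."""
    if d.ransomware_kev and d.insecure_internet:
        return 1
    if d.has_kev and d.insecure_internet:
        return 2
    if d.has_kev:
        return 3
    return 4

def action(d: Device) -> str:
    """Pick remediation, falling back to a compensating control."""
    if tier(d) == 4:
        return "routine patch cycle"
    return "patch" if d.patchable else "compensating control (segment/isolate)"

def prioritise(devices):
    # Tier first, then clinical impact; CVSS is only a tie-breaker.
    return sorted(devices, key=lambda d: (tier(d), not d.patient_care, -d.cvss))

def by_cvss(devices):
    # The baseline the article warns against relying on exclusively.
    return sorted(devices, key=lambda d: -d.cvss)

# Constructed sample inventory (not data from the report).
INVENTORY = [
    Device("lab-printer", 9.8, False, False, False, False, True),
    Device("ct-scanner-2", 7.5, True, True, True, True, False),
    Device("his-app-01", 8.1, True, False, True, True, True),
    Device("bms-controller", 6.5, True, True, True, False, False),
    Device("patient-monitor-14", 5.3, True, False, False, True, False),
]

if __name__ == "__main__":
    for d in prioritise(INVENTORY):
        print(tier(d), d.name, d.cvss, action(d))
```

In this sample the CVSS-only ordering puts a non-clinical printer with no KEV at the top, while the combined ordering surfaces the internet-exposed CT scanner with a ransomware-linked KEV first and assigns it a compensating control because it cannot be patched immediately.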
 

Cybersecurity in healthcare is no longer an ancillary concern; it is a core pillar of patient safety and operational resilience. The sheer volume of devices running with known vulnerabilities—and often connected in insecure ways—places unprecedented pressure on hospitals and HDOs. With attackers evolving faster than legacy systems can be secured, only a deliberate, risk-based approach to exposure management will allow healthcare organisations to remain functional and safe. By focusing remediation on devices with the highest combination of vulnerabilities and connectivity risks and fostering collaboration across internal departments, the sector can begin to close its most dangerous cyber gaps. 

 

Source: Claroty 