Hospitals are facing a patching conundrum. Like that old T-shirt from college, many orgs— including medical ones—hang on to tech that eventually needs a little mending. Software patches, usually downloaded from a vendor’s site, act as quick code replacements and (hopefully) fixes for discovered vulnerabilities.
Healthcare facilities, however, have a patchwork of devices: laptops, network-connected infusion pumps, sophisticated surgery systems, and other specialized instruments that must be kept both up to date and operating.
But ransomware actors have increasingly targeted hospitals—sometimes through both known and unknown vulnerabilities. Global ransomware attacks against the health sector have increased, according to The Cyber Threat Intelligence Integration Center, from 214 claimed victims in 2022 to 389 in 2023.
Former and current healthcare IT pros spoke with Healthcare Brew about tactics that helped them handle as many patches as possible. In their view, implementing safeguards like network segmentation and tabletop exercises for the holes that go unseen is just as important as having a patch management program.
A rough state. A report from the cybersecurity company Claroty, released in March 2024, found that 23% of the firm’s studied medical devices have at least one “known exploited vulnerability,” and 14% are running an unsupported or end-of-life operating system, a technology that has a newer version available, and often will no longer receive updates.
An assessment from the nonprofit Health Information Sharing and Analysis Center (Health-ISAC), firmware -security company Finite State, and cybersecurity vendor Securin found 993 vulnerabilities across 966 healthcare products in 2023—a 59% increase from 2022.
“These vulnerabilities can potentially be exploited by attackers to target healthcare organizations,” the report read, citing that 43 vulnerabilities in particular are “highly attractive” to bad actors because they enable remote access to networks.
“They’re coming in; they’re finding something that’s running an old server sitting on the side that someone forgot about and never updated, never patched because it’s running some software that five people use,” Rahul Singh, healthcare provider industry lead at consulting firm West Monroe and former healthcare IT leader at both UnitedHealth Group and Cigna, told Healthcare Brew, referring to threat actors.
As IT Brew reported in June, data breaches (across all industries) are increasingly beginning with vulnerability exploits—malicious code or commands that take advantage of a program’s discovered flaw.
The WannaCry ransomware attack in May 2017—an event that reportedly impacted over 200,000 computers in nearly 150 countries—used a Windows-based vulnerability to disrupt healthcare (and other industry) environments. To guard against the computer worm, many facilities shut down their IT systems, leading to diverted ambulances, restricted access to patient data, and cancellations of surgeries.
Navigate the healthcare industry
Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.
Gotta patch ’em all? Andy Richter, currently IT services firm Presidio’s enterprise network practice director, accepted a level of unpatched assets when he was network engineer at Caritas Christi Healthcare (now Steward Healthcare) in 2005. His team back then, he said, had to prioritize patching for the highest risks: the Windows machines that were vulnerable to more malware worms.
Similar risk assessment must be conducted today, according to Richter, which means an imager may have to go unpatched and additional controls have to be relied upon.
“If there’s a vulnerability in radiology, that’s a problem but not critical, and it’s hard to mitigate because we’re worried about breaking something else. What is the role of mitigating something rather than patching it? It’s a real conversation we have to start having: Can we firewall off where the infusion pumps are, to reduce their risk, to reduce the requirements, to give yourself more time before you have to patch?” Richter said.
Claroty’s report recommended vigilant patching especially for connected devices and systems, “that bridge enterprise and medical networks.” The firm considers segmentation, or separating connected devices from the corporate network, a “paramount” strategy.
Singh said, in his healthcare environments, he deployed microsegmentation to prevent routing between networks. In this scenario, internet -connected-type devices are isolated on one network, enforced by firewalls and policy controls. “If anything else tries to access it, you’re basically doing a deny,” Singh said.
Aside from segmentation, planning for disaster is its own kind of supplemental strategy.
At ECU Health, a 1447-bed facility in North Carolina, Identity and Access Management Manager Nicki Bennett-Burton must monitor and maintain critical services like electronic health records and Active Directory auditing.
Bennett-Burton and her team also participate in annual tabletop exercises that prepare them for those kinds of services going down. During these exercises, a disaster recovery lead, along with risk, compliance, and IT teams run scenarios like what to do and who to contact if ambulances get diverted or patient data disappears.
“Especially in healthcare, you always accept there is always going to be a risk. It’s how you mitigate and react to that risk,” Bennett-Burton said.