Cybersecurity Breaches Threaten Patient Safety in Hospitals

Editorial

When hospitals’ operational technology (OT) devices are compromised, the stakes are alarmingly high; it is not just data that is at risk, but also patient lives. A recent analysis reveals significant vulnerabilities in devices essential for clinical operations, such as infusion pumps, ventilators, and imaging systems. These flaws expose healthcare facilities to potentially devastating cyberattacks.

Recent findings highlighted vulnerabilities in devices from major manufacturers, including Siemens and Advantech. Specifically, flaws in Siemens’ imaging and control systems could allow attackers to bypass authentication protocols or crash vital equipment. Additionally, Advantech’s industrial and IoT platforms were discovered to have remote code execution vulnerabilities, which researchers confirmed could be exploited. These devices, which are integral to patient monitoring and medical imaging, illustrate the urgent need for enhanced cybersecurity measures in healthcare settings.

Escalating Threats to Healthcare Systems

Healthcare is increasingly becoming a prime target for cybercriminals. According to the Picus Blue Report, even organizations that have implemented multiple layers of security controls still face detection and prevention gaps. In particular, the controls designed to monitor lateral movement within hospital networks often fail, allowing attackers to navigate from compromised OT devices into electronic health record systems or administrative platforms without detection.

Several factors contribute to the heightened vulnerability of healthcare institutions. Many OT devices operate on outdated systems and software that cannot be easily patched without disrupting clinical services. This issue was notably highlighted during the WannaCry ransomware attack, which severely impacted the NHS. Furthermore, high-value equipment, such as MRI machines, can remain in use for decades, far exceeding typical IT lifecycles. Additionally, the interconnectivity of clinical devices and corporate systems in many hospitals creates pathways for attackers to move from compromised OT equipment to sensitive patient data.

The operational constraints in healthcare also complicate cybersecurity efforts. Unlike other sectors, taking a device offline for updates can directly affect patient care, creating a dilemma for IT security teams.

Rethinking Cybersecurity Strategies

Given these challenges, Chief Information Security Officers (CISOs) and their teams must adopt innovative approaches to manage cyber risks effectively. Traditional strategies that focus solely on patching vulnerabilities may no longer suffice. Instead, organizations need to modernize their cybersecurity frameworks to incorporate continuous validation and risk-based prioritization.

Continuous validation of vulnerabilities is crucial. The Picus Exposure Validation research reveals that less than 2% of vulnerabilities classified as high or critical are actually exploitable within specific environments. Security teams should simulate real-world attacks across both OT and IT environments to identify which vulnerabilities can be targeted. By consistently testing security controls against actual attack techniques, hospitals can discern which vulnerabilities require immediate attention and which are mitigated through existing controls.

Moreover, hospitals should prioritize vulnerabilities based on risk and context. Not all critical vulnerabilities necessitate an urgent response. For instance, a flaw in a lab device may pose less risk than a vulnerability in patient monitoring software on the main clinical network.

When patching is not an option, security teams should implement alternative mitigations, such as updated intrusion prevention rules or enhanced endpoint detection signatures. This strategy can help buy time without unnecessarily exposing patients to risk. Continuous testing, including breach and attack simulations, can also reveal vulnerabilities that traditional scanners and audits might miss.
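The triage described in the last three paragraphs, sketched as an added example that is not from the article or from Picus: scanner severity is combined with the attack-simulation result and the device's network context, and a validated flaw that cannot be patched is routed to a compensating control such as an IPS rule or EDR signature. The weights, field names and asset names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions, not values from the article or any vendor).
SEVERITY = {"critical": 3, "high": 2, "medium": 1}
SEGMENT = {"clinical": 3, "lab": 1}          # main clinical network vs. isolated lab
SIMULATION = {"succeeded": 3, "not_tested": 2, "blocked": 1}

@dataclass
class Finding:
    asset: str
    segment: str      # key of SEGMENT
    severity: str     # scanner rating, key of SEVERITY
    simulation: str   # attack-simulation outcome, key of SIMULATION
    patchable: bool   # can be patched without interrupting care

def score(f):
    """Context-aware exposure score: severity x network context x validation."""
    return SEVERITY[f.severity] * SEGMENT[f.segment] * SIMULATION[f.simulation]

def action(f):
    """Map a finding to the response the validation result supports."""
    if f.simulation == "not_tested":
        return "validate"                 # run a simulation before deciding
    if f.simulation == "blocked":
        return "monitor-and-retest"       # existing controls held; keep testing
    # Simulation succeeded: the flaw is exploitable in this environment.
    return "patch-now" if f.patchable else "compensating-control"

def prioritize(findings):
    """Return (asset, action, score) tuples, highest exposure first."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.asset, action(f), score(f)) for f in ranked]

# Constructed sample findings; asset names are hypothetical.
SAMPLE = [
    Finding("lab-analyzer", "lab", "critical", "succeeded", True),
    Finding("imaging-ws", "clinical", "high", "blocked", False),
    Finding("patient-monitor-gw", "clinical", "high", "succeeded", False),
    Finding("infusion-pump-srv", "clinical", "high", "not_tested", False),
]

if __name__ == "__main__":
    for asset, act, s in prioritize(SAMPLE):
        print(f"{s:>3}  {act:<22} {asset}")
```

With these sample findings, the high-severity flaw on the clinical network ranks above the critical flaw on the lab device, which is the ordering the article argues for.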

CISOs should foster strong relationships with clinical and operational leaders to promote security awareness and best practices. Transparent reporting, including data-driven exposure scores, can help align stakeholders around effective cyber defense strategies that support patient care.

Healthcare security leaders face immense pressure due to constrained budgets, complex regulatory requirements, and a persistent barrage of cyber threats. It is vital that they focus on reducing actual risks, restoring control, and ensuring the continuity of care. By transitioning to continuous validation, context-aware prioritization, and layered defenses, healthcare organizations can mitigate their exposure, enhance patient safety, and reinforce public trust.

Every minute of downtime matters when patient lives are at stake. By modernizing vulnerability management and securing OT devices, hospitals can safeguard not only their systems and data but also the patients who depend on them.

About Sıla Özeren: Sıla Özeren is an associate security research engineer at Picus Security. She holds an MSc in cryptography from the Institute of Applied Mathematics at METU, where she focused her thesis on the PQC algorithm known as CRYSTALS-Kyber and its masked implementations.
