
Don’t treat patches as a bigger risk than ransomware

In healthcare, known vulnerabilities often go unpatched long after fixes are available. Many hospitals and providers, burned by legacy infrastructure and compatibility problems, have come to see software patches as complex and disruptive rather than routine.

However, our industry must remember that the risk of leaving endpoints unpatched far outweighs these manageable inconveniences. In fact, this aversion leaves patient monitors, infusion pumps, and imaging systems exposed at a time when AI-assisted tooling is accelerating vulnerability discovery and shortening the gap between disclosure and exploitation.

In October, Sophos reported that exploited vulnerabilities (flaws that are publicly known, have a vendor fix available, and simply have not been patched) were the leading root cause of ransomware attacks on healthcare organizations. That matters because a successful attack can disrupt patient care, and the average recovery bill runs to more than $1 million.

The truth is, we are losing the patch war, and therefore the ransomware war. Let's look at how healthcare is changing its perspective, improving patch management, and closing off the ransomware path.

The challenge of patching

Patching is indeed easier said than done, and there are legitimate challenges that keep the healthcare ecosystem from updating as quickly as it should.

First, there are old machines and compatibility issues. Many healthcare organizations run critical systems on older hardware and operating systems that were never designed for frequent updates. When these systems are tightly integrated with electronic health records and other clinical workflows, administrators worry, with reason, that a patch could break something important.

And when that happens, downtime can be dangerous. A failed update that takes down patient monitoring or locks clinicians out of records is not just an IT problem; it is a patient-safety problem. Clinical departments have care responsibilities and uptime needs of their own, so it is understandable that anything that might jeopardize patient care gets deprioritized.

Patches do not always behave, either. Pre-deployment testing and the ability to roll back when an update goes wrong are essential capabilities that many teams lack. These are legitimate concerns, but together they have created a dangerous status quo: patches are delayed, known vulnerabilities persist for longer, and attackers know it.

The dangers of not patching

Ransomware causes financial, reputational and service-delivery losses, as the attack on Change Healthcare last year showed. In that case the attackers got in through a basic security lapse: compromised credentials on a remote-access portal that was not protected by multi-factor authentication. The result? Data stolen, emergency surgeries canceled, and an estimated $800 million in losses.

Unfortunately, the vulnerability situation is worse than many people realize. A recent analysis of more than 2 million internet-exposed assets found that 16% of healthcare and insurance assets had exploitable weaknesses, including outdated software, exposed sensitive data, and misconfigurations.

While that puts healthcare below industries like education (31%) and government (26%), it still represents tens of thousands of vulnerable endpoints across the industry. Notably, these weaknesses were identified using the same black-box penetration testing techniques that real attackers use, meaning bad actors could find them just as easily.

Despite these risks, many in healthcare still choose to leave known critical vulnerabilities unpatched rather than schedule planned downtime. That logic is backward, and it grows more dangerous as attackers discover and exploit flaws faster than ever: vulnerabilities that were once manageable on a routine cycle can now be weaponized at scale within hours of disclosure. Leaving these known holes open is simply not a viable way forward.

The answer to defeating ransomware

The good news is that healthcare can close this gap with a few practical shifts in technology and process.

First, automate patching and schedule it for off-peak hours. This minimizes disruption and leaves the most time for troubleshooting if a problem arises. Modern unified endpoint management (UEM) platforms handle this by pushing updates during nights, weekends, or other low-activity periods. Pairing that with staged rollouts (a small pilot group first, then the rest of the fleet) and a tested rollback path addresses the failed-update concerns described above.

UEM also answers the basic question of how many devices are in the environment and where they are. Getting that inventory right, and being able to enforce policy, manage configuration, and remotely wipe a device from a single console, is foundational to every other defense. An extended detection and response (XDR) platform complements this by monitoring endpoints in real time, flagging suspicious behavior, and enabling rapid incident response.

Finally, be realistic about your equipment. Not all old equipment can be replaced overnight, but set a clear timetable for retiring devices that can no longer be maintained safely. And where older medical equipment cannot be updated, network segmentation becomes critical: isolating these devices, and restricting which systems may talk to them, limits the damage any single compromise can do.
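To make the three practices above concrete (know what you have, patch in agreed off-peak windows, and segment what cannot be patched), here is an added Python example. It is not code from the article and not from Hexnode or any UEM product. It runs a triage over a constructed device inventory against a constructed advisory list; the advisory IDs, maintenance windows, VLAN names, dates and the 14-day SLA are all assumptions chosen for illustration. It goes slightly beyond the text by also flagging patches that are overdue relative to when the fix was released, which is exactly the lag behind the Sophos finding.

```python
"""Patch-posture triage for a device fleet.

Added example, not code from the article or from any UEM vendor. It joins a
(constructed) device inventory with a (constructed) advisory list and decides,
per device: patch in its off-peak window, flag the patch as overdue, accept the
risk because the device is already isolated, or segment it now.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    role: str          # clinical role; drives the maintenance window
    software: str      # product whose version is tracked
    version: tuple     # installed version, e.g. (7, 2, 0)
    patchable: bool    # False for vendor-frozen or end-of-support gear
    vlan: str          # network segment the device sits on


# Constructed advisories. The IDs are placeholders, not real CVE numbers.
# A device is exposed when its installed version is below fixed_version.
ADVISORIES = {
    "MonitorOS":        {"id": "ADV-EXAMPLE-001", "fixed_version": (7, 3, 0),
                         "fix_released": date(2024, 12, 20), "exploited": True},
    "ImagingSuite":     {"id": "ADV-EXAMPLE-002", "fixed_version": (12, 0, 1),
                         "fix_released": date(2025, 1, 1), "exploited": True},
    "WorkstationAgent": {"id": "ADV-EXAMPLE-003", "fixed_version": (4, 8, 2),
                         "fix_released": date(2025, 1, 28), "exploited": False},
}

# Off-peak windows per role. Assumption: agreed with clinical owners in
# advance; these values are illustrative, not a real hospital's schedule.
MAINTENANCE_WINDOWS = {
    "workstation": "nightly 02:00-04:00",
    "imaging": "Sunday 01:00-05:00",
}
DEFAULT_WINDOW = "vendor-coordinated change window"

# Segments that carry no east-west traffic to the user or EHR networks.
ISOLATED_VLANS = {"medical-iot-isolated"}

# Assumed SLA: an actively exploited flaw with a fix available must be
# patched within this many days of the fix being released.
EXPLOITED_SLA_DAYS = 14

# Constructed "today" for the example run.
TODAY = date(2025, 1, 31)

# Constructed inventory (in practice this comes from the UEM export).
INVENTORY = [
    Device("icu-monitor-03", "patient_monitor", "MonitorOS", (7, 2, 0), False, "clinical-lan"),
    Device("icu-monitor-04", "patient_monitor", "MonitorOS", (7, 2, 0), False, "medical-iot-isolated"),
    Device("radiology-ct-01", "imaging", "ImagingSuite", (11, 9, 0), True, "clinical-lan"),
    Device("nurse-ws-117", "workstation", "WorkstationAgent", (4, 8, 0), True, "user-lan"),
    Device("nurse-ws-118", "workstation", "WorkstationAgent", (4, 8, 2), True, "user-lan"),
]


def exposure(device):
    """Return the advisory the device is exposed to, or None if it is current."""
    adv = ADVISORIES.get(device.software)
    if adv is not None and device.version < adv["fixed_version"]:
        return adv
    return None


def decide(device, today):
    """Pick one action for a device. Patchable devices get a window (and an
    overdue flag if an exploited fix has sat unapplied past the SLA); devices
    that cannot be patched are judged by whether they are already segmented."""
    adv = exposure(device)
    if adv is None:
        return "up_to_date"
    if device.patchable:
        window = MAINTENANCE_WINDOWS.get(device.role, DEFAULT_WINDOW)
        lag = (today - adv["fix_released"]).days
        if adv["exploited"] and lag > EXPLOITED_SLA_DAYS:
            return f"patch_overdue({lag}d):{window}"
        return f"schedule_patch:{window}"
    if device.vlan in ISOLATED_VLANS:
        return "accept_risk_segmented"
    return "segment_now"


def triage(devices, today):
    """Map each device name to its action."""
    return {d.name: decide(d, today) for d in devices}


def run_example():
    return triage(INVENTORY, TODAY)


if __name__ == "__main__":
    for name, action in run_example().items():
        print(f"{name:16} {action}")
```

Running the script prints one action per device. The instructive pair is the two monitors running identical, unpatchable firmware: the one on the isolated segment is an accepted, bounded risk, while the one on the shared clinical LAN is the first fire to put out. The CT scanner shows the other failure mode the article describes: a fix for an exploited flaw has existed for a month and is still waiting for a window.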

These gaps have real-world consequences. Administrators feel mounting pressure from senior leadership, anxiety about the next attack, and guilt that the attacks have not stopped. Acknowledging those feelings is not enough, though: organizations must provide the tools and resources to keep a ransomware incident from happening again.

The risk of a patch is manageable, and far preferable to canceled surgeries, compromised patient data, and avoidable recovery costs. It is time for the healthcare sector to treat patching with the urgency and oversight it deserves.

Apu Pavithran is the founder and CEO of Hexnode, the award-winning Unified Endpoint Management (UEM) platform developed by Mitsogo Inc. Hexnode helps enterprises manage mobile, desktop and workplace devices from one place.

This article appeared in the MedCity Influencers program. Anyone can share their thoughts on healthcare business and innovation on MedCity News through MedCity Influencers.
