
Vulnerability threat management (VTM) in the healthcare space is too important to be conducted haphazardly. It’s critical to find software tools that let you prioritize vulnerabilities, spot trends instantly, and quickly filter by vulnerability type and severity.
Without such tools, managing vulnerability threats is a daunting task. Here’s what healthcare organizations are currently facing:
Scanners routinely find thousands of vulnerabilities across a typical healthcare environment – weaknesses in software, firmware or configuration on the IT, clinical or OT systems. They’re usually prioritized by asset type and Common Vulnerability Scoring System (CVSS) scores, which assess the severity of a vulnerability on a 0-to-10 scale.
The scanner reports create lengthy “to fix” lists that compete with patient care and maintenance windows.
CISA’s Known Exploited Vulnerabilities (KEVs) catalog contains vulnerabilities that the agency has confirmed are being actively exploited. When a vulnerability appears on this list, there’s a strong likelihood that bad actors are now attacking it. KEVs usually wind up at the top of patching and mitigation queues because they help your team focus its limited time on vulnerabilities most likely to lead to a real incident.
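The triage order described above (KEV entries first, then ransomware-linked and Internet-exposed ones, then CVSS, then asset type) is easy to encode as a sort key. The script below is an added illustration, not code from the author or from Fortified Health Security; the CVE IDs, KEV stand-in, asset-type weights and scanner findings are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed stand-in for the CISA KEV catalog, keyed by CVE ID. The IDs are
# placeholders (CVE-0000-...), not real entries; the real catalog also flags
# entries known to be used in ransomware campaigns.
KEV_CATALOG = {
    "CVE-0000-1111": {"known_ransomware_use": True},
    "CVE-0000-2222": {"known_ransomware_use": False},
}

# Hypothetical policy weight: patient-connected clinical devices first,
# then OT, then general IT.
ASSET_TYPE_WEIGHT = {"clinical": 2, "ot": 1, "it": 0}

@dataclass(frozen=True)
class Finding:
    asset: str
    asset_type: str        # "clinical", "ot" or "it"
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_exposed: bool = False

def priority_key(f: Finding):
    """KEV first, then ransomware-linked KEVs, then Internet-exposed assets,
    then higher CVSS, then more patient-critical asset types."""
    kev = KEV_CATALOG.get(f.cve)
    in_kev = kev is not None
    ransomware = in_kev and kev["known_ransomware_use"]
    # sorted() is ascending, so negate every "more urgent" signal.
    return (not in_kev, not ransomware, not f.internet_exposed,
            -f.cvss, -ASSET_TYPE_WEIGHT.get(f.asset_type, 0), f.asset)

def prioritize(findings):
    """Return the findings ordered most urgent first."""
    return sorted(findings, key=priority_key)

# Constructed scanner output for four assets.
SAMPLE_FINDINGS = [
    Finding("file-server-01", "it", "CVE-0000-9999", 9.8),
    Finding("infusion-pump-07", "clinical", "CVE-0000-2222", 7.5),
    Finding("hvac-controller-02", "ot", "CVE-0000-1111", 8.1, internet_exposed=True),
    Finding("workstation-15", "it", "CVE-0000-3333", 4.3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        tag = "KEV" if f.cve in KEV_CATALOG else "   "
        print(f"{tag} {f.asset:20} {f.cve} CVSS {f.cvss}")
```

Note that the CVSS 9.8 file server lands below both KEV findings: a lower score that is confirmed exploited outranks a higher score that is not.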
Here are some sobering statistics on the VTM landscape in healthcare today:
- 99% of healthcare organizations have at least one device containing a CISA KEV in their environment.
- 50% of organizations are investing in vulnerability tools, yet remediation across OT and clinical environments can still take weeks.
- 96% of hospitals have end-of-life operating systems or software with known vulnerabilities.
- 89% of healthcare organizations conduct vulnerability scanning quarterly, but far fewer do it monthly.
- Fewer than 20% of these organizations do advanced testing like wireless penetration tests, red/blue team exercises, or tabletop drills quarterly.
Patient Safety Requires Prompt Patching
Most critical non-medical device vulnerabilities receive vendor patches within about 14 days, but hospitals still need regular scanning and strong processes to apply those patches.
Across more than 1.5 million patient-connected devices, about 8% have confirmed KEVs. A subset of those also have KEVs linked to ransomware and insecure connectivity, which means they are both exposed and attractive to attackers.
Nearly 80% of healthcare organizations have OT devices with KEVs – and 65% have OT devices with KEVs plus insecure Internet connectivity.
A More Productive Way To Patch
Here are some of the many benefits of using VTM software to guide your patching:
- Makes efficient use of limited staff time – Your team doesn’t waste time addressing low-priority vulnerabilities.
- Ability to isolate assets that rely on vendor validation – Some medical device and OT assets can’t be patched quickly, so a VTM tool lets you determine which assets can be placed on an isolated “bubble” network segment that keeps them far away from medical records.
- Improves reporting to executive leadership – VTM software lets you summarize the progress you’ve made in patching vulnerabilities – and documents any hurdles you’ve encountered.
- End-to-end automation of non-critical patches – VTM tools allow you to authorize automatic patches for programs that pose little risk to your ongoing operations (Adobe Reader, Google Chrome, Microsoft Office, etc.).
VTM: A Patient Safety Priority
About 120,000 patient-connected devices in the U.S. have confirmed vulnerabilities. That opens the door to ransomware and puts patient safety in real jeopardy. VTM tools can help you stay one step ahead of attackers while maximizing precious staff time.
About Brandon Crawford
Brandon Crawford is Manager, Vulnerability Threat Management at Fortified Health Security, headquartered in Brentwood, Tennessee.
