
When a hospital’s connected devices are compromised, it’s more than just data or dollars at risk — it’s patient lives. In recent years, operational technology (OT) devices, such as infusion pumps, ventilators and imaging systems, have become essential to clinical operations. Unfortunately, flaws in these devices and the broader networks they connect to continue to expose hospitals to devastating attacks.
Recent discoveries of vulnerabilities in Siemens and Advantech devices underscore the risks hospitals face. Siemens imaging and control systems were found to contain flaws that could let attackers bypass authentication or crash equipment. Advantech’s widely deployed industrial and IoT platforms had remote code execution vulnerabilities that researchers confirmed could be exploited. These are the same kinds of devices embedded in hospital environments, forming the backbone of patient monitoring, building management and medical imaging.
Vulnerabilities open the door to devastating ransomware attacks. During the DCH Health ransomware event, ambulances were diverted from critical care patients. The CommonSpirit incident delayed treatments and appointments for weeks across multiple states. In every case, the result was disruption to hospital operations that directly impacted patient safety and trust.
Increasing threats to healthcare
Healthcare is a top target for cyber criminals. Defensive testing, as outlined in the Picus Blue Report, shows that even when healthcare organizations deploy multiple layers of security controls, detection and prevention gaps persist. In particular, controls designed to monitor east-west traffic inside hospital networks often miss lateral movement, making it easier for attackers to pivot from compromised OT devices into electronic health record systems or administrative platforms.
Several factors converge to make healthcare uniquely exposed:
- Legacy systems: Many OT devices run on outdated systems and software that can’t be patched without interrupting clinical use. This issue contributed to WannaCry’s impact on the NHS.
- Long refresh cycles: High-value equipment such as MRI machines may remain operational for decades, well beyond typical IT lifecycles.
- Flat networks: In many hospitals, clinical devices and corporate systems are interconnected, enabling attackers to pivot from compromised OT equipment to electronic health records or billing platforms.
- Operational constraints: Unlike in other industries, taking a device offline for updates or testing can directly impact patient care.
These conditions create a perfect storm: an expanding attack surface that is difficult to manage with traditional approaches, easy to exploit and deeply intertwined with patient outcomes. Attackers also understand the high stakes. Threat groups deliberately target healthcare because they know hospitals are more likely to pay ransoms quickly to restore service.
A new approach to healthcare security
Given these challenges, healthcare CISOs and their teams must rethink how they manage cyber risk. Traditional patch-everything strategies can’t keep pace. Instead, organizations need to modernize their cyber defenses to incorporate continuous validation and risk-based prioritization.
- Validate continuously. Traditional vulnerability management often assumes that every high-severity CVE is dangerous. But as the Picus Exposure Validation research shows, less than 2% of vulnerabilities labeled high or critical are exploitable in a given environment. Security teams should simulate real-world attacks across OT and IT environments to understand which vulnerabilities can be exploited within their networks. By continuously testing security controls against real-world attack techniques, hospitals can see which vulnerabilities are neutralized and which require urgent attention, preventing wasted effort on issues already mitigated by existing controls.
- Prioritize based on risk and context. Not every CVE deserves a crisis-level response. Hospitals should weigh asset criticality, exploitability and existing controls before deciding where to focus. A flaw on an isolated lab device may be less urgent than a vulnerability in patient monitoring software running on the main clinical network.
- Shore up compensating controls. When patching is not feasible, security teams should apply alternative mitigations such as updated intrusion prevention rules or endpoint detection signatures. This buys time without exposing patients to unnecessary risk.
- Test resilience continuously. Breach and attack simulation and red/blue team exercises help reveal blind spots that scanners and audits miss. By mapping attack paths across OT and IT networks, hospitals can identify and close potential pivot points before attackers exploit them.
- Gain buy-in and alignment with stakeholders across the organization. CISOs should work closely with clinical and operational leaders to ensure basic security awareness and cyber hygiene are supported. Transparent reporting, including evidence-based exposure scores, helps build understanding and alignment around investing in and implementing cyber defense strategies that support patient care rather than hinder it.
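To make the "validate continuously" and "prioritize based on risk and context" points concrete, here is an added illustration (not code from the article or from Picus) of a context-aware ranking: reported severity is weighted by asset criticality and then discounted when a simulated attack did not reproduce the flaw in this environment or an existing control already blocks it. The criticality weights, the discount factors, the `VULN-*` identifiers and the sample inventory are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed asset-class weights (assumption, not from the article); a hospital
# would derive these from its own asset inventory and clinical impact assessments.
CRITICALITY = {
    "isolated_lab": 1,        # segmented lab device, no patient-facing role
    "admin_platform": 2,      # billing / administrative systems
    "clinical_network": 3,    # main clinical network (imaging, EHR access)
    "patient_monitoring": 4,  # devices whose loss directly affects care
}

@dataclass
class Exposure:
    vuln_id: str                  # placeholder id; a real CVE number would go here
    asset: str
    zone: str                     # key into CRITICALITY
    cvss: float                   # severity as reported by the vendor / NVD
    validated_exploitable: bool   # simulated attack succeeded in this environment
    blocked_by_controls: bool     # existing IPS/EDR rule neutralized the simulation
    patchable: bool               # can be patched without pulling it from clinical use

def exposure_score(e: Exposure) -> float:
    """Severity x asset criticality, discounted for unvalidated or already-mitigated flaws."""
    score = e.cvss * CRITICALITY[e.zone]
    if not e.validated_exploitable:
        score *= 0.25   # not reproduced here: low urgency until validation says otherwise
    if e.blocked_by_controls:
        score *= 0.10   # already neutralized: keep verifying that the control still works
    return round(score, 2)

def recommended_action(e: Exposure) -> str:
    if e.blocked_by_controls:
        return "monitor control"
    if e.patchable:
        return "patch"
    return "compensating control"   # IPS rule, EDR signature or segmentation

def prioritize(exposures: list) -> list:
    """Return (vuln_id, score, action) tuples, most urgent first."""
    ranked = sorted(exposures, key=exposure_score, reverse=True)
    return [(e.vuln_id, exposure_score(e), recommended_action(e)) for e in ranked]

# Constructed sample inventory: a 9.8 on an isolated lab device, a 7.5 on a bedside
# monitor, a 9.1 already blocked by controls, and an 8.8 that validation did not reproduce.
SAMPLE = [
    Exposure("VULN-A", "lab analyzer", "isolated_lab", 9.8, True, False, True),
    Exposure("VULN-B", "bedside monitor", "patient_monitoring", 7.5, True, False, False),
    Exposure("VULN-C", "imaging workstation", "clinical_network", 9.1, True, True, True),
    Exposure("VULN-D", "billing server", "admin_platform", 8.8, False, False, True),
]
```

Running `prioritize(SAMPLE)` puts the unpatchable bedside-monitor flaw first with a compensating-control recommendation and drops the already-blocked 9.1 to the bottom, which is the ordering the article argues for over a pure CVSS sort.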
Cyber defense that enables patient care
Healthcare security leaders face immense pressure: constrained budgets, complex regulatory requirements and what may seem like a never-ending barrage of cyberattacks. It’s important they focus on reducing real risk, restoring control and ensuring continuity of care. By moving to continuous validation, context-aware prioritization and layered defenses, healthcare organizations can reduce their exposure, reinforce patient safety and strengthen trust.
Every minute of downtime matters when patient lives are on the line. By modernizing vulnerability management and securing OT devices, hospitals can protect not only their systems and data but also the patients who depend on them.
About Sıla Özeren
Sıla Özeren is an associate security research engineer at Picus Security. She holds an MSc in cryptography from the Institute of Applied Mathematics at METU, where she completed her thesis on the PQC algorithm called CRYSTALS-Kyber and its masked implementations.

