From White Hat Hacker to Red Alert: The Case for Automated Vulnerability Management

Updated on April 28, 2025

It’s not “news” that the healthcare and hospital sector has become a prime target for cyberattacks. Human error, insufficient cybersecurity investment, and the fact that many devices used in modern healthcare procedures, such as imaging devices, insulin pumps, and heart monitors, are networked on end-of-life legacy software have led to a rapidly escalating threat of exploitation.

In recent years, research revealed nearly 1,000 vulnerabilities across 966 medical products, highlighting exploitable weaknesses in software and firmware. In 2023 alone, 725 healthcare data breaches were reported, exposing over 133 million records. Hacking incidents accounted for 93.5% of these breaches. With an average cost of $10 million per breach, this is not an insignificant amount of money. 

Healthcare organizations are particularly vulnerable to and targeted by cyberattacks because they possess a tremendous amount of information of high monetary and intelligence value to cyber thieves and nation-state actors. The more sensitive the data, the higher the probability threat actors will attack it. For cybercriminals, stealing patient data is the big win – one record can fetch up to $250 on the Dark Web, approximately 50x more than the next most valuable stolen data, credit and debit card numbers.

So if you are a bad actor looking for a “score,” what does that mean? It means the game is on. 

Hacking Into a Hospital

Years ago I worked as what is known as a “white hat hacker” – the good guys. My job was to expose vulnerabilities in a network so that they could be recognized, patched, and remediated. I’d sit in an ED with my laptop and a hoodie, pretending to be a waiting patient, while I tried to get into every networked system of the hospital. In one example, it was as simple as connecting my laptop to the printer in the waiting room, from which I was able to access the corporate network. From there, everything was at my fingertips – the phone system, individual patients’ scans, credit card information, and more.

What this “white hat” hacking exercise taught the hospital was that pretty much every system was vulnerable to attack.

Vulnerability Management Automation 

Vulnerability management is a critical security operations activity that helps organizations identify assets, mitigate threats and meet compliance mandates. 

Traditionally, this has been done manually by an IT team. But manual vulnerability management can drain resources and increase risk. Security teams spend hours every week manually prioritizing known vulnerabilities while never getting ahead. Additionally, security teams that lack up-to-date vulnerability data are not aware of all vulnerabilities and risks, which creates security blind spots. Ultimately, given that most healthcare organizations don’t even have a robust IT department, vulnerability tracking and reporting is extremely “hit or miss.”

Speed-to-fix is also an issue when vulnerability management is done manually. When a vulnerability has been announced, most software companies brag that they can deliver the security “patch” in just two weeks (the average is 194 days). The organization then deploys the patch onto the system, essentially plugging that vulnerability. But that’s at least two weeks of an open-door policy for bad actors to exploit.

Automation is imperative given today’s ever-increasing threats. With rising cyber threats and stringent regulatory requirements, vulnerability management must go beyond the traditional manual patch management described above (the “send me the patch and we’ll plug the hole” method). Healthcare organizations must meet regulatory requirements and build trust with patients by demonstrating a commitment to safeguarding their information and ensuring that essential systems are secured without disrupting patient care or operational efficiency.

That means investing in automated vulnerability technology, or preemptive security: stop a problem before it becomes one. Buyers of vulnerability assessment (VA) technology have moved from tools that only identified vulnerabilities to those that also proactively assess, manage and report the risks posed by those weaknesses. VA solutions identify, categorize and prioritize vulnerabilities as well as orchestrate their remediation or mitigation. Their primary focus is vulnerability and security configuration assessments for enterprise risk identification and reduction, and reporting against various compliance standards. VA can be delivered via on-premises, hosted and cloud-based solutions, and it may use appliances and agents.

What to Look For

Security and risk management leaders responsible for security operations must look for VA solutions that can:

  1. Analyze: analyze proprietary and niche applications for vulnerabilities that have no official CVE (Common Vulnerabilities and Exposures, a standardized way to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities).
  2. Prioritize: combine the organization’s infrastructure context with thousands of data points and 0-days to accurately pinpoint any outstanding risk.
  3. Remediate: provide a list of recommended actions to eliminate a vulnerability and enable the organization to stay safe and resilient no matter what risks it is confronting.
  4. Patch: find the apps you are running, find the patches they need, and apply them, all automatically with no manual intervention.

In conclusion, the healthcare sector’s vulnerability to cyberattacks is a stark reality, exacerbated by legacy systems, valuable data, and the sheer volume of exploitable weaknesses. The shift from manual vulnerability management to automated solutions is not merely a recommendation, but a necessity.

By investing in technologies that can analyze, prioritize, remediate, and patch vulnerabilities in real time, healthcare organizations can significantly reduce their risk exposure. This proactive approach not only safeguards sensitive patient data and maintains operational integrity, but also builds trust, ensuring that critical healthcare services remain secure and uninterrupted in the face of evolving cyber threats. Ultimately, automated vulnerability management represents a critical step towards preemptive security, transforming the healthcare sector’s defense posture from reactive to resilient.

Roi Cohen
CEO and Co-Founder at Vicarius

As the CEO and co-founder of Vicarius, Roi Cohen leads the sales, marketing, and customer success teams of the cyber security company that provides exposure management solutions for enterprises. With over twenty years of experience in the cyber security industry, he was previously a malware research team leader at CyberArk and CYBERTINEL, where he initiated and conducted multiple vulnerability research projects, developed cyber security assessment tools, and wrote and submitted patents in the cyber security field. Cohen has an MBA in Management of Technology, Innovation, and Entrepreneurship from Tel Aviv University.