Dangers of Unpatched Healthcare IoT and Network Systems


Rick Leib, CISO for Client Services at Access Point Consulting

Dangers of Unpatched Healthcare IoT and Network Systems


It’s not uncommon for large healthcare organizations to support patients via thousands of systems––servers, network hardware, and Internet of Things (IoT) devices particular to the medical practice. Healthcare organizations are primary targets for attackers and are required to follow strict regulations to stop data breaches. HIPAA violations are costly, and unpatched hardware leaves healthcare systems vulnerable to numerous threats including malware, ransomware, security bypasses, and possible remote code execution. Patching systems with the latest update is critical to data protection and risk management, and it keeps the company compliant with HIPAA guidelines.

Challenges and Vulnerabilities in Healthcare

Almost every business stores data that’s valuable to third-parties, but healthcare organizations store full patient identities including their financial data. The volumes of personally identifiable information (PII) and their large attack surface make healthcare companies an attractive target. 

Healthcare faces three main risks:

  • Third-party vendor breaches: According to HIPAA Journal, healthcare organizations experience more third-party vendor breaches than any other industry. It’s not uncommon for healthcare companies to use cloud software from a third-party to manage patient records and billing. Attackers target this software to gain access to data, often from vulnerabilities in an unpatched vendor application.
  • Cloud misconfigurations: It’s not uncommon for businesses to store data in the cloud, but misconfigurations in how that data is secured could leave data open to the public. Several data breaches across sectors including the US government have left data open to theft.
  • IoT vulnerabilities: IoT allows specialized medical equipment to play a key role in patient care, but it can also leave patient data vulnerable to theft. According to Security Magazine, the most vulnerable IoT devices are the IV pump and the VOIP (voice over IP) component in IoT devices.

Best Practices for Vulnerability Management in Healthcare

To avoid threats against your large attack surface, administrators need to scan the environment for unpatched software and firmware. The first step is to audit the environment so that you can account for every device and system on the network. Shadow IT, which are unknown devices on the network, leave the environment vulnerable to exploits when administrators don’t know that they exist and don’t update them.

After auditing the environment, an automated scan can find devices with outdated software. Agents can be installed on a server to report unpatched software, but some scanners scan open ports too. This step is automated and can use artificial intelligence to help with accuracy. Scanners report to a central server where administrators can review devices with outdated software and create a plan to patch them.

The last step is the biggest challenge. Patching must be done across numerous devices, but these devices can’t always be shut down. Some operating systems can be ‘hot patched,’ meaning patches can be installed without rebooting the machine, but this method requires specialized patching software. 

Another issue is the concern around bugs or flaws that may embedded in patch code, which is typically written under considerable pressure. Enterprise organizations test patches on a small non-critical system before deploying to all devices. The strategies you choose depend on the devices located on the network, your attack surface, and operating systems. Several deployment automation and orchestration applications help with this step, but you should still test on non-critical machines.

Compliance with HIPAA Regulations for Patch Management

The issue of unpatched software came to a head in 2018 when the Office for Civil Rights (OCR) released a newsletter explaining the importance of patching software. OCR warned healthcare administrators that vulnerabilities could exist in unpatched databases, electronic health records (EHRs), operating systems, and IoT firmware. The OCR advice comes after numerous data breaches from unpatched software across large attack surfaces common in hospitals, doctor offices, and other healthcare organizations.

HIPAA requires organizations to identify flaws in their software, and patch management is a requirement of 45 C.F.R. § 164.308(a)(5)(ii)(B). Violations not only carry hefty fines, but lead to long-term litigation and brand damage. HIPAA requires that healthcare organizations have a complete audit of their digital environment with strategies to patch operating systems, software, and firmware. 

The Future of Patching: AI and Automation

To help make patching comprehensive, artificial intelligence (AI) can be used to detect and deploy updates. Instead of asking an administrator to manually install patches, AI scans and automatically remediates unpatched software. You may still want to manually patch critical hardware like servers or firewalls, but AI reduces the overhead of updating user devices and non-critical IoT. 

Many of today’s AI scans and patch remediation systems also perform validation on the updates. If an update fails or a device cannot be accessed, an alert is sent to an administrator. Automation isn’t the answer to every patching problem, but it can remediate the low-level systems that would otherwise require administrator attention. By reducing this overhead, administrators can focus their attention on tending to critical systems.

Conclusion: Safeguarding Patient Information in Healthcare

Safeguarding protected healthcare information (PHI) and PII is likely your top priority, and having a patch management plan helps with your efforts. Instead of leaving your data and network environment open to exploits, use automation to scan and remediate outdated software. IoT is a primary target for threats, but patching their firmware greatly reduces risks of a data breach.

If you haven’t built a patch management system into your regular IT process, talk to one of our experts to evaluate your current environment and make suggestions on appropriate next steps.

Let us help you secure your healthcare environment.


To Enhance Your Cyber Operations

Protecting Healthcare Legacy Systems with Micro-Segmentation

Protecting Healthcare Legacy Systems with Micro-Segmentation

Segmentation in network environments is nothing new. It’s common for administrators to segment the network based on logical functions and security controls. For example, the finance department is one segment, and the sales department is another segment. All segments can send traffic to email servers (for example), but user traffic does not enter finance or sales segments unless the user is authorized to access them.

Find out more
Operationalizing Cyber Resilience in Healthcare

Operationalizing Cyber Resilience in Healthcare

The healthcare sector faced a staggering 156% increase in breached records in 2023. The concern goes beyond just alarming statistics: Breaches pose a direct risk to patient safety by disrupting essential healthcare services, including eligibility verification, prescription processing, and hospital discharge procedures.

Find out more