You Can't Restore A Patient From Backup


Corey Elinburg, Healthcare Principal at Claroty, has spent 30+ years helping industry giants from all verticals secure what matters most.


The huddle board at the nurses' station is frozen. Imaging won’t load for radiology. The temperature in a cryogenic freezer in the cell-therapy lab starts climbing toward the danger line. Somewhere, a clinician asks the question that should keep every healthcare CIO and CISO awake: How do we keep everyone safe until the systems come back?

We are no longer just talking about data breaches. We’re talking about care-delivery failures. Many in the industry keep talking about medical device security as though it were an IT hygiene problem; the industry professionals caring for patients know better. Healthcare was the top-targeted sector for ransomware in 2025, with the FBI logging hundreds of attacks against hospitals and clinics. Kettering Health spent nearly three weeks restoring normal operations after a May 2025 attack. The next event is already inbound. The only question is whether your environment helps the attacker, slows them down or allows rapid recovery regardless.

While IT is hardening, attackers are pivoting.

Healthcare IT and its related cyber programs are progressively getting better. Endpoint detection and response is maturing, immutable backup is industrialized, multifactor authentication adoption is climbing and defensive metrics improved across 2025. Defenders are winning ground on the laptops, servers and electronic healthcare record layer.

Attackers don’t quit—they move on to newfound leverage. The soft underbelly of every healthcare delivery organization is no longer IT systems. It’s the cyber-physical systems (CPS) that most IT shops don’t even manage: medical devices, building management and physical security.

HVAC. Negative pressure. Cold storage. Fire and life safety. Badge readers and cameras. All connected. All under-protected. All are capable of taking down clinical operations without an attacker ever touching the data center. Recent CPS research found that 75% of organizations have building systems with known exploited vulnerabilities (KEVs), and 51% of those KEVs are linked to active ransomware and exposed to the internet.

You see, every hospital is more than a building. It is a connected care infrastructure consisting not only of IT systems but also of biomed devices, facilities systems, clinical networks, physical security and other operational technologies that must work in concert to keep patients safe and care delivery flowing. Until resilience reaches every device in this connected model, we cannot rest.

Visibility without clinical context is a mirage.

Hospitals commonly run 10 to 15 connected devices per bed in the U.S., and a large health system can carry hundreds of thousands of “non-IT” connected endpoints—infusion pumps, imaging systems, glucose monitors, building automation and pharmacy robots. Recent research analyzing 2.25 million Internet of Medical Things and over 647,000 operational technology devices across 351 healthcare organizations found that 99% of organizations are running medical devices with known exploited vulnerabilities, and 89% have the riskiest 1%—KEVs linked to active ransomware and an insecure connection to the internet.

Inventory matters. Context matters more. An MRI in routine radiology and a syringe pump in a pediatric ICU are not the same risk and don’t deserve the same remediation policy. Until your asset record knows each device’s clinical purpose and which other devices it works with to perform a clinical function, your security program is counting devices, not protecting patients.

Patching won’t save you.

In my experience, medical devices have a lifespan of 10 to 20 years. Patches to medical device software require FDA revalidation. You cannot just pull an MRI offline at 2 p.m. on a Tuesday without ramifications. The proposed HIPAA Security Rule asks for 15-day critical patches. This is a useful and aspirational target, not a working strategy for today's constraints.

Patching is one control—not the program. Real power lives in the compensating controls: segmentation, identity, monitoring, resiliency and the operational discipline to run them as a cohesive system to reduce exposure. Making a vulnerability unexploitable matters more than patching it in an era where AI can discover vulnerabilities far faster than we can remediate them.

Segmentation is a load-bearing wall, so let it bear the load.

A strong segmentation plan layers two things: microsegmentation inside zones that defaults to deny and contains lateral movement when—not if—something gets in, and Layer-7 inspection between zones that understands clinical protocols like HL7, DICOM and FHIR rather than just ports and IPs. Where the firewall can’t go deep enough, integration gateways and API security can help fill the gap.

Federal guidance is converging fast. CISA published "Microsegmentation in Zero Trust, Part One" in July 2025, treating granular isolation as the foundation of OT defense—guidance that maps almost exactly onto the medical device problem. The proposed HIPAA Security Rule goes further: It adds a new technical safeguard at 45 CFR 164.312(a)(2)(vi), turning what was previously a cybersecurity best practice into a specific regulatory obligation if the rule is finalized. If your network is still flat between radiology and the rest of your biomed estate, you are out of step with both the threat and the regulator.

If you want “bang for your buck” in terms of risk mitigation, segmentation is where you will find it.
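The two layers described above can be expressed as a small policy model. The following is an added illustration written for this article, not code from the author or from Claroty; the device names, zones, ports and allow-lists are constructed assumptions. Inside a zone, only explicit device pairs pass (a pump talking to its pump server, never pump to pump); between zones, a rule names a clinical protocol, and a flow is admitted only when Layer-7 inspection actually identified that protocol, not merely because the port matched.

```python
"""Toy two-layer segmentation policy for a clinical network (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                    # source device name (assumed inventory identifier)
    dst: str                    # destination device name
    dst_port: int               # destination TCP port
    l7_protocol: Optional[str]  # what inspection saw: "DICOM", "HL7", "FHIR" or None


# Assumed device -> zone mapping; in practice this comes from the asset inventory.
ZONE = {
    "pump-icu-01": "icu-infusion",
    "pump-icu-02": "icu-infusion",
    "pump-server": "icu-infusion",
    "ct-scanner-1": "radiology-modalities",
    "pacs-archive": "pacs",
    "ehr-interface": "integration",
    "hvac-controller": "building",
}

# Intra-zone microsegmentation: explicit (src, dst) pairs only. Every other
# flow inside the zone is denied, which is what contains lateral movement.
INTRA_ZONE_ALLOW = {
    ("pump-icu-01", "pump-server"),
    ("pump-icu-02", "pump-server"),
}

# Inter-zone rules: (src_zone, dst_zone, protocol, port). The protocol is
# part of the rule, so a port match alone is never enough.
INTER_ZONE_ALLOW = [
    ("radiology-modalities", "pacs", "DICOM", 104),
    ("pacs", "integration", "HL7", 2575),
    ("integration", "pacs", "FHIR", 443),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    src_zone = ZONE.get(flow.src)
    dst_zone = ZONE.get(flow.dst)
    if src_zone is None or dst_zone is None:
        # Unknown endpoints are denied: you cannot segment what you have not inventoried.
        return "deny", "unknown device: not in inventory"
    if src_zone == dst_zone:
        if (flow.src, flow.dst) in INTRA_ZONE_ALLOW:
            return "allow", f"microsegment allowance inside {src_zone}"
        return "deny", f"intra-zone default deny in {src_zone}"
    for s, d, proto, port in INTER_ZONE_ALLOW:
        if (s, d, port) == (src_zone, dst_zone, flow.dst_port):
            if flow.l7_protocol == proto:
                return "allow", f"{proto} {s}->{d} verified at Layer 7"
            return "deny", f"port {port} matched but payload is not {proto}"
    return "deny", f"no inter-zone rule {src_zone}->{dst_zone}"


if __name__ == "__main__":
    samples = [
        Flow("pump-icu-01", "pump-server", 443, None),
        Flow("pump-icu-01", "pump-icu-02", 445, None),
        Flow("ct-scanner-1", "pacs-archive", 104, "DICOM"),
        Flow("ct-scanner-1", "pacs-archive", 104, None),
        Flow("hvac-controller", "pacs-archive", 104, "DICOM"),
    ]
    for f in samples:
        verdict, reason = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dst_port}  {verdict:5}  {reason}")
```

The fourth sample is the case that port-based firewalls miss: traffic to the PACS on port 104 that inspection could not identify as DICOM is dropped, while the same port with a verified DICOM payload passes.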

What remains, and what can you do?

There is much more to say, but additional words will put me in the “too long; didn't read” category. I’ll leave you with this: Key aspects of identity, third-party risk management and other core disciplines must be considered across devices and systems. The readers of this article will know the key tenets of zero trust and cyber hygiene, but rather than recount them, I will end with something that I hope you find poignant.

Determine what devices in your network create scenarios that can't fall back to paper. Look at how you can scale resilience by segmenting them based on business context. Protect those critical devices and segments first, building resilience where a "known exploited vulnerability" will cause the most damage.
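One way to turn the asset record described earlier (clinical purpose attached to each device) and the prioritization above into a ranked work list. This is an added example for this article, not the author's or Claroty's code; the device records, field names and scoring weights are constructed assumptions. It ranks devices by where a known exploited vulnerability would hurt patients most, picks the compensating control that fits each device's constraints, and orders segments so the ones holding the most critical devices are protected first.

```python
"""Rank a connected-device inventory by patient-impact risk (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    name: str
    clinical_function: str   # what the device does for the patient
    zone: str                # network segment it lives in
    kev: bool                # carries a CISA KEV-listed vulnerability
    ransomware_linked: bool  # that KEV is tied to active ransomware
    internet_exposed: bool   # has an insecure path to the internet
    paper_fallback: bool     # care can continue on paper if it is lost
    patchable_now: bool      # a patch can be applied without a revalidation wait


def score(d: Device) -> int:
    """Higher is more urgent. The weights are an assumption of this example."""
    s = 0
    if d.kev:
        s += 3
        if d.ransomware_linked:
            s += 3
        if d.internet_exposed:
            s += 3
    if not d.paper_fallback:
        s += 5   # no paper fallback: an outage is a care-delivery failure
    if not d.patchable_now:
        s += 1   # only compensating controls are available in the near term
    return s


def recommend(d: Device) -> str:
    """Choose the compensating control that fits the device's constraints."""
    if d.kev and d.internet_exposed:
        return "remove internet path; isolate in microsegment"
    if d.kev and not d.patchable_now:
        return "microsegment and monitor until a revalidated patch ships"
    if d.kev:
        return "patch in next maintenance window"
    return "baseline segmentation"


def prioritize(devices: List[Device]) -> List[Device]:
    """Most urgent first; ties broken by name for a stable list."""
    return sorted(devices, key=lambda d: (-score(d), d.name))


def segments_first(devices: List[Device]) -> List[str]:
    """Zones ordered by the most critical device each one contains."""
    worst: Dict[str, int] = {}
    for d in devices:
        worst[d.zone] = max(worst.get(d.zone, 0), score(d))
    return sorted(worst, key=lambda z: (-worst[z], z))


# Constructed inventory; none of these are real devices or findings.
INVENTORY = [
    Device("syringe-pump-picu-07", "pediatric ICU medication delivery", "picu-infusion",
           kev=True, ransomware_linked=True, internet_exposed=False,
           paper_fallback=False, patchable_now=False),
    Device("mri-rad-01", "routine outpatient MRI", "radiology-modalities",
           kev=True, ransomware_linked=True, internet_exposed=True,
           paper_fallback=True, patchable_now=False),
    Device("cryo-freezer-lab-2", "cell-therapy cold storage", "building",
           kev=True, ransomware_linked=False, internet_exposed=True,
           paper_fallback=False, patchable_now=True),
    Device("glucose-monitor-ward-3", "bedside glucose monitoring", "med-surg",
           kev=False, ransomware_linked=False, internet_exposed=False,
           paper_fallback=True, patchable_now=True),
    Device("badge-reader-ed-main", "ED door access", "physical-security",
           kev=True, ransomware_linked=False, internet_exposed=False,
           paper_fallback=True, patchable_now=True),
]
BY_NAME = {d.name: d for d in INVENTORY}


if __name__ == "__main__":
    for d in prioritize(INVENTORY):
        print(f"{score(d):2}  {d.name:24} {d.zone:22} {recommend(d)}")
    print("segments to protect first:", segments_first(INVENTORY))
```

Note how the ordering comes out: the pediatric syringe pump outranks the internet-exposed MRI even though the MRI's vulnerability profile looks worse on paper, because the MRI's patients can be rescheduled and the pump's cannot. That is the difference between counting devices and protecting patients.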

You can't restore a patient from backup.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

