Hospitals Face Cyber Risks as OT Device Vulnerabilities Expand

Editorial

The increasing reliance on operational technology (OT) devices in hospitals poses significant risks to patient safety, as recent findings expose critical vulnerabilities. Devices such as infusion pumps, ventilators, and imaging systems are fundamental to clinical operations. However, flaws in these technologies can lead to devastating cyberattacks that jeopardize not only sensitive data but also patient lives.

Recent vulnerabilities identified in devices produced by Siemens and Advantech highlight this urgent issue. Flaws in Siemens’ imaging and control systems could allow unauthorized access, enabling attackers to bypass authentication or even crash essential equipment. Similarly, Advantech’s widely used industrial and Internet of Things (IoT) platforms exhibited remote code execution vulnerabilities that were confirmed to be exploitable. These devices are integral to hospital environments, supporting patient monitoring and medical imaging.

Cyber Threats Intensify in Healthcare

Healthcare facilities have become prime targets for cybercriminals, with the potential for ransomware attacks leading to severe operational disruptions. For instance, during the DCH Health ransomware incident, ambulances were redirected away from critical patients, while the CommonSpirit cyberattack caused significant delays in treatments and appointments across multiple states. Such incidents reveal how cyber vulnerabilities can directly impact patient safety and erode public trust in healthcare systems.

According to the Picus Blue Report, healthcare organizations often struggle to secure their networks despite deploying multiple security controls. Gaps in detection and prevention mechanisms persist, particularly with monitoring east-west traffic within hospital networks. This oversight allows attackers to move laterally from compromised OT devices into electronic health record systems or administrative platforms, raising the stakes for patient care.

Several factors contribute to the heightened exposure of healthcare systems to cyberattacks. Many OT devices operate on outdated software that cannot be easily patched, which proved detrimental during the WannaCry attack on the UK’s National Health Service (NHS). Furthermore, high-value equipment, such as MRI machines, often remains functional for decades, well beyond typical information technology lifecycles. The interconnected nature of clinical devices and corporate systems creates a flat network environment, enabling attackers to pivot seamlessly between systems.

Operational constraints further complicate the situation. Taking devices offline for updates can directly impact patient care, making it challenging for healthcare organizations to manage vulnerabilities effectively. These conditions create a unique risk landscape where traditional cybersecurity strategies fall short.

Modernizing Cybersecurity in Healthcare

Given these challenges, healthcare Chief Information Security Officers (CISOs) must adopt a more innovative approach to managing cyber risk. The conventional strategy of patching every vulnerability is no longer viable, necessitating a shift towards continuous validation and risk-based prioritization of security measures.

First, organizations should implement continuous validation of their security controls. Traditional vulnerability management often overestimates the danger posed by high-severity Common Vulnerabilities and Exposures (CVEs). Research by Picus indicates that fewer than 2% of vulnerabilities categorized as high or critical are exploitable in any given environment. Security teams can benefit from simulating real-world attacks across both OT and IT environments to identify which vulnerabilities are genuinely exploitable and which have already been mitigated by existing controls.

Second, hospitals must prioritize their response based on risk and context. Not every CVE requires immediate action. Asset criticality, potential exploitability, and existing controls should guide the focus of remediation efforts. For instance, a vulnerability in isolated lab equipment may not warrant the same urgency as one affecting patient monitoring systems on the main clinical network.

When immediate patching is impractical, establishing compensating controls becomes essential. Security teams should explore alternative mitigations, such as updating intrusion prevention rules or enhancing endpoint detection signatures. This strategy allows organizations to manage risk effectively while minimizing the risk to patients.
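The prioritization described above can be sketched as a small triage routine. This is an added example, not part of the original article or any Picus tooling; the asset tiers, weights, finding references and sample data are all constructed assumptions.

```python
from dataclasses import dataclass

# All tiers and weights are illustrative assumptions, not values from the article.
ASSET_CRITICALITY = {"patient_monitoring": 1.0, "imaging": 0.7, "lab_equipment": 0.4}
SEGMENT_EXPOSURE = {"main_clinical": 1.0, "isolated": 0.3}

@dataclass
class Finding:
    ref: str                 # constructed placeholder, not a real CVE id
    asset_class: str
    segment: str
    cvss: float
    exploit_validated: bool  # a simulated attack succeeded against this asset
    control_blocks: bool     # an existing control stopped the simulated attack
    patch_window: bool       # device can be taken offline for patching now

def likelihood(f):
    if not f.exploit_validated:
        return 0.1           # not shown to be exploitable in this environment
    return 0.3 if f.control_blocks else 1.0

def score(f):
    """Severity scaled by asset criticality, network exposure and validation result."""
    return round(f.cvss * ASSET_CRITICALITY[f.asset_class]
                 * SEGMENT_EXPOSURE[f.segment] * likelihood(f), 2)

def action(f):
    if not f.exploit_validated or f.control_blocks:
        return "monitor; patch at next maintenance window"
    if f.patch_window:
        return "patch now"
    return "compensating control (IPS rule / EDR signature)"

def prioritize(findings):
    """Return (score, ref, action) tuples, highest contextual risk first."""
    return sorted(((score(f), f.ref, action(f)) for f in findings), reverse=True)

FINDINGS = [  # constructed sample data
    Finding("FINDING-A", "lab_equipment", "isolated", 9.8, True, False, True),
    Finding("FINDING-B", "patient_monitoring", "main_clinical", 7.5, True, False, False),
    Finding("FINDING-C", "imaging", "main_clinical", 9.1, True, True, False),
    Finding("FINDING-D", "imaging", "main_clinical", 8.8, False, False, True),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

Sorting by CVSS alone would put the isolated lab device first; with context applied, the patient monitor on the main clinical network leads the queue and, because it cannot be taken offline, is routed to a compensating control.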

Lastly, continuous testing of resilience through breach and attack simulations, as well as red and blue team exercises, can help organizations identify vulnerabilities that standard scanners and audits may overlook. By mapping potential attack paths across OT and IT networks, hospitals can proactively close off pivot points before they can be exploited by malicious actors.
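Attack-path mapping of this kind can be illustrated with a reachability search over the flows a network actually permits. The following is an added example, not code from the article or from any vendor product; the zone names, flow list and target are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: permitted flows (source -> destination), as a firewall/ACL review might list them.
ALLOWED_FLOWS = [
    ("infusion-pump-vlan", "pump-gateway"),
    ("pump-gateway", "clinical-app-server"),
    ("imaging-vlan", "pacs-server"),
    ("pacs-server", "clinical-app-server"),
    ("clinical-app-server", "ehr-db"),
    ("imaging-vlan", "admin-fileshare"),
    ("admin-fileshare", "ehr-db"),
    ("lab-analyzer-isolated", "lab-workstation"),
]
OT_SOURCES = ["infusion-pump-vlan", "imaging-vlan", "lab-analyzer-isolated"]
TARGET = "ehr-db"  # hypothetical electronic health record database

def build_graph(flows):
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
    return graph

def simple_paths(graph, src, dst, seen=()):
    """Yield every loop-free path from src to dst (depth-first search)."""
    visited = (*seen, src)
    if src == dst:
        yield visited
        return
    for nxt in sorted(graph.get(src, ())):
        if nxt not in visited:
            yield from simple_paths(graph, nxt, dst, visited)

def attack_paths(flows, sources=OT_SOURCES, target=TARGET):
    """All permitted routes from any OT segment to the target system."""
    graph = build_graph(flows)
    return [p for s in sources for p in simple_paths(graph, s, target)]

def pivot_points(paths):
    """Intermediate hops ranked by how many OT-to-target paths cross them."""
    return Counter(node for p in paths for node in p[1:-1]).most_common()

def without_flow(flows, blocked):
    """The flow list after one rule is removed, for re-testing."""
    return [f for f in flows if f != blocked]

if __name__ == "__main__":
    paths = attack_paths(ALLOWED_FLOWS)
    print(paths, pivot_points(paths))
    print(attack_paths(without_flow(ALLOWED_FLOWS, ("clinical-app-server", "ehr-db"))))
```

Re-running the search after removing a rule shows which routes remain open, so a segmentation change can be checked before it is relied on.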

Alignment and collaboration with stakeholders across the organization are critical for successful cybersecurity strategies. CISOs should engage closely with clinical and operational leaders to promote awareness of basic security practices and cyber hygiene. Transparent reporting, including evidence-based exposure scores, can facilitate understanding and consensus on necessary investments in cybersecurity that do not hinder patient care.

Healthcare security leaders must navigate numerous pressures, including limited budgets and complex regulatory demands, all while facing a constant threat of cyberattacks. By focusing on continuous validation, context-aware prioritization, and layered defenses, healthcare organizations can significantly reduce their cyber exposure, enhance patient safety, and restore public trust.

Every minute of operational downtime can have dire consequences for patient lives. By modernizing their approach to vulnerability management and securing OT devices, hospitals not only protect their systems and data but also safeguard the patients who rely on their care.

Sıla Özeren is an associate security research engineer at Picus Security. She holds a Master’s degree in cryptography from the Institute of Applied Mathematics at Middle East Technical University (METU), where her thesis focused on the post-quantum cryptography algorithm known as CRYSTALS-Kyber and its masked implementations.
