How Unpatched Vulnerabilities Increase Cybersecurity Risks in Healthcare IT Systems

By Mark Middleton, Chief Cloud Officer and Chief Quality Officer, CloudWave

Cyber-attacks on critical infrastructure such as healthcare are on the rise. Unfortunately, these attacks can cause significant IT system outages that disrupt patient care, as the lack of access to data results in delays that can affect patient outcomes. Studies have shown that ransomware attacks and other hospital cyber incidents have even led to increased mortality rates, including a tragic incident where a patient who urgently needed care passed away due to an IT system failure that required transport to another facility. 

Cybercriminals often exploit unpatched vulnerabilities in commonly used software programs to launch large-scale attacks. This method enables threat actors to leverage known security bugs to run malicious code that compromises an affected system’s security, making unpatched systems one of the biggest threats to a healthcare IT system. 

Ensuring that systems are up-to-date and patched is crucial, as failure to do so can leave them vulnerable to cyber-attacks. However, a new report issued by the Department of Health and Human Services in partnership with the Health Sector Coordinating Council reveals that 96% of hospitals are operating with systems and software programs that contain known vulnerabilities. A January 2022 report also highlighted that 53% of connected medical devices and other IoT devices in hospitals had known critical vulnerabilities. Further research showed that 57% of hospitals that suffered cyberattacks stated that their breaches could have been prevented if they had installed an available patch.

For example, popular operating systems like Windows are often targeted by hackers. Even a few days of delay updating critical security patches can leave an organization vulnerable to an attack. Recently, hackers exploited an unpatched vulnerability in Microsoft Office within the Microsoft Support Diagnostic Tool, CVE-2022-30190, also dubbed “Follina,” which allows for remote code execution on Windows systems. This affected 41 Microsoft products and could enable threat actors to perform malicious activities like deleting data, installing programs, and creating new accounts with user rights. 

Another infamous example was the widespread exploitation of a critical remote code execution vulnerability, CVE-2021-44228, in the Log4j software library. Log4j is a widely-used open-source logging library contained in thousands of applications. A threat actor could exploit this vulnerability to take control of an affected system.

In addition, it is important to note that unpatched software vulnerabilities can include older threats that organizations have been slow to address, providing hackers an easy way to exploit them. Recent research has shown that many of the vulnerabilities cybercriminals exploited in 2022 were actually years old.

If Patching Is So Critical, Why Is It Not a Top Priority?

The Cybersecurity Infrastructure and Security Agency (CISA) recommends that organizations keep their software up to date as the best defense against attackers exploiting patched vulnerabilities. The organization states that “timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” However, patch management is a complex process, and there is a vast range of possible vulnerabilities to exploit. For example, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), fed by the Common Vulnerabilities and Exposures (CVE) list, has more than 1,500 entries for June 2023 alone. 

As a result, healthcare IT departments face numerous challenges when scheduling and conducting routine maintenance, including:

• Healthcare IT system complexity: The healthcare IT environment is often home to outdated and complex software systems. Legacy software versions get retired and stop receiving updates/support, which becomes problematic when they remain in the IT environment. 

• Staffing shortages, limited IT resources, and budgets: Healthcare organizations continue to face shortages in finding available IT talent while balancing extreme budget pressures.  

• Bargaining with clinical staff for downtime: Scheduling and conducting routine maintenance, such as patching, requires systems to be down for some time, which can disrupt patient care. 

• Prioritization: Lean healthcare IT teams often have competing priorities, and while patching it is critical, it can take a back seat to other larger, seemingly more pressing projects. 

Fully Managed Patching Can Help 

Many organizations are now opting for fully managed patching to alleviate the burden on healthcare IT and establish a structured system maintenance approach. With the help of a trusted partner, IT teams can prioritize critical patching requirements and adopt a hands-off approach to maintenance while ensuring compliance and protection against cyber threats. This allows for a more streamlined and efficient process, reducing the likelihood of unpatched vulnerabilities and potential security breaches.

It is recommended that healthcare institutions collaborate with a highly qualified partner to determine the critical systems that need to be prioritized and establish a patch management policy that includes testing and deployment methods. A competent partner typically has a well-established and streamlined patch management approach developed through working with numerous healthcare IT environments. 
Fully managed patching is also an affordable solution that can save healthcare organizations money compared to paying staff to work overnight shifts in preparation for patching. It also minimizes downtime and frees up resources, enabling IT teams to focus on other priorities. Ultimately, fully managed patching can help healthcare organizations maintain operational excellence while focusing on what matters most, providing outstanding patient care.