June 6, 2023
The Danger Within: How Unpatched Vulnerabilities Leave Your Hospital Open to Cyberattacks
Cyberattacks and resulting IT system outages cause considerable disruption to patient care. For example, numerous studies have identified increased hospital mortality rates following ransomware attacks and other major cyber incidents, including a recent fatality due to an IT system failure.
One of the most common methods cyber-criminals utilize to launch large-scale attacks is exploiting unpatched software vulnerabilities. These vulnerabilities allow bad actors to leverage known security bugs to run malicious code, which makes unpatched systems one of the biggest threats to a healthcare IT system.
According to a new report issued by the Department of Health and Human Services in partnership with the Health Sector Coordinating Council, 96% of hospitals are operating with systems and software programs that contain known vulnerabilities. However, only 53% of surveyed hospitals stated they have a documented plan for addressing identified vulnerabilities. Further research showed that 57% of hospitals that suffered cyberattacks stated that their breaches could have been prevented if they had installed an available patch. Of those victims, 34% knew of the vulnerability but took no action.
Why Is Patching Not Getting Done?
According to the Cybersecurity and Infrastructure Security Agency (CISA), “timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” However, healthcare IT departments face many challenges when scheduling and conducting routine maintenance such as patching, including:
- Complexity of IT systems: The healthcare IT environment often contains outdated, legacy, and complex software systems. For example, older software versions get retired and stop receiving support/updates, which becomes problematic when they remain in the existing IT environment.
- Staffing shortages, limited IT resources, and budgets: Healthcare organizations continue to face unprecedented shortages in available IT talent while balancing extreme budget pressures.
- Bargaining with clinical staff for downtime: Scheduling and conducting routine maintenance, such as patching, requires systems to be down for a period of time, which can disrupt patient care.
- Prioritization: Lean healthcare IT teams often have competing priorities, and while patching is crucial, it can take a back seat to other larger, seemingly more pressing projects.
How Fully Managed Patching Can Help
Organizations are turning to fully managed patching to alleviate the strain on healthcare IT systems. For example, CloudWave patches 1,000+ servers per week across 150+ hospitals. We had to scale and streamline our maintenance process to patch more efficiently. Now, we are bringing this structured approach to customers with the introduction of our new CloudCare+ fully managed patching service.
By working with an experienced partner like CloudWave to prioritize critical patching requirements, healthcare IT teams can take a hands-off approach to maintenance while keeping the environment compliant and secure against cyber threats.
As a best practice, healthcare institutions should work with their partner to institute a patch management policy, outlining testing and the methodology for deploying patches, as well as identifying critical systems to prioritize.
Fully managed patching is also affordable, as it costs roughly the same as paying staff to work overnight shifts to prepare for patching days in advance. It also minimizes downtime and frees up substantial resources, enabling the IT team to concentrate on other priorities.
In summary, fully managed patching enables healthcare organizations to maintain operational excellence while focusing on what matters most, including providing exceptional patient care.