Batten down the digital hatches – a flood of technical vulnerabilities is on the horizon.
In March, a well-known security researcher warned that AI agents can now generate working exploits for previously unknown vulnerabilities in hours rather than weeks. The consequence is that attackers can identify and weaponize weaknesses faster than defenders can test and roll out patches.
This is bad news across the board but particularly for healthcare. The sector already struggles with legacy endpoints, limited network oversight, and silos between IT and OT. The arrival of an even tighter exploitation window only makes successful hacks (and costly payouts) more likely.
Let’s explore how admins can prepare for the coming storm by improving cross-department collaboration, strengthening architectural safeguards, and flagging unusual activity by using AI for good.
Healthcare’s growing attack surface
Exploited vulnerabilities are already a thorn in the side of healthcare networks, growing last year to become the leading technical cause of ransomware.
The reasons are two-fold. First, healthcare is overrun with legacy devices. End-of-life, unpatched, and forgotten endpoints are too often left online. Heavy-duty clinical equipment like imaging systems and lab analyzers can operate for decades while the software inside fails to keep pace. They still “work,” but an unpatched device that remains reachable from the network is also a dormant, unrecognized entry point for an attacker.
Another factor is that admins don’t always know what is connected, or what state it is in. Insufficient inventory and patch management are rife, and the problem is compounded by the vastness of the medical attack surface, which comprises everything from clinical devices to HVAC and building access control systems. Admins can’t protect what they can’t properly see.
Adding agentic vulnerability scanning to the mix is a force multiplier for attackers. Essentially, these agents analyze code across systems, match what they find against documented attack patterns, and generate working exploits. This took considerable time and effort in the past. Today, however, large language models provide “supernatural amounts of correlation” to unlock new scale and speed. For example, an AI agent can now read a patch release, diff the fixed code against the previous version to locate the vulnerability, and produce a working exploit before most teams have scheduled the update.
Worse, these agents don’t discriminate. They will find known-but-unpatched vulnerabilities as readily as previously unknown ones, giving bad actors an uncomfortable edge in a sector where uptime is non-negotiable.
Different teams and different forecasts
This should sound alarm bells because teams are already struggling to oversee their networks and respond quickly. Arguably, the biggest blocker is the long-standing and deep-rooted division between IT and OT.
In a nutshell, the former manages the healthcare network and the latter manages the clinical technology that interfaces with the physical world. However, as more things become “smart” and connect to the wider health ecosystem, endpoints are crossing traditional boundaries. The resulting gaps mean that the two teams work off different forecasts. Separate alerting can make a problem invisible to one team and mere noise to the other. Then, when an incident spans both domains, IT and OT each assume it is the other side’s issue while the clock runs.
Timing is everything in cybersecurity and can be the difference between a successful and a thwarted attack. Right now, the median dwell time, the interval between an attacker’s initial compromise and their detection, is three days. An intruder who goes unnoticed for 72 hours has ample time to move laterally, spread more widely, and inflict greater damage. Not only is this shorter than in previous years, it is also faster than most healthcare incident response cycles. This is why getting teams on the same page and achieving a single shared view is crucial.
How healthcare admins can (and should) fight back
In both the digital and physical world, preparing for a flood requires barriers. And, for healthcare networks facing an accelerating threat landscape, those barriers start with visibility.
Map out the infrastructure and onboard solutions that work across both IT and OT. This provides a foundation for understanding what is connected, what state it is in, and how it behaves. Ideally, this means a single view across the network that correlates alerts from both sides, cutting false positives and the alert fatigue that comes with them.
Then, use architecture to limit the blast radius. Segmenting by device category, with clinical equipment on one network, building systems on another, and administrative systems on a third, means a breach in one zone is contained there, provided the only path between zones is a filtering point that permits nothing but the traffic each device genuinely needs. For example, a compromised MRI modality cannot reach your electronic health records if the firewall between the clinical and administrative zones allows it to talk only to the PACS. This posture is further strengthened by zero-trust architecture, in which every access request is authenticated and authorized against the device’s and user’s current identity and permissions. Nothing is trusted by default, even inside the network perimeter, which makes life that much harder for an intruder who has landed on one device.
Finally, don’t let only the attacking side of the ledger benefit from AI. Once your monitoring is standardized and unified, intelligent interpretation of baseline activity quickly flags abnormalities. Remember, attackers can hide malware and encrypt their payloads, but they cannot avoid generating traffic: a device that suddenly talks to a new host, a new port, or a zone it has never touched stands out against its own history. Keeping a finger on the network pulse and understanding what healthy activity looks like (and what does not) goes a long way toward identifying breaches as soon as they happen.
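The two controls above, zone-based segmentation and baselining of per-device traffic, can be exercised against flow records with a short script. The following is an added example written for this article, not code from the author or from Paessler; the zone subnets, the inter-zone allow-list, the device addresses and the flow records are all constructed for illustration. It parses flow lines in a hypothetical "timestamp src dst dst_port proto bytes" format, reports flows that cross zone boundaries the policy does not allow (any address outside a known zone is treated as a violation, which is the zero-trust default), and separately reports flows that a device has never produced during a known-good baseline window, even when the policy permits them.

```python
"""Segmentation policy check and per-device traffic baseline over flow records.

Added example for this article. Zones, allow-list, addresses and flow lines
are constructed assumptions, not data from any real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zone map: one subnet per device category.
ZONES = {
    "clinical": ip_network("10.10.0.0/16"),
    "building": ip_network("10.20.0.0/16"),
    "admin": ip_network("10.30.0.0/16"),
}

# Hypothetical inter-zone allow-list as (src_zone, dst_zone, dst_port).
# Anything not listed is denied, including traffic inside a zone on an
# unexpected port and traffic involving an address in no known zone.
ALLOWED = {
    ("clinical", "clinical", 104),    # DICOM: modality -> PACS
    ("clinical", "admin", 2575),      # HL7: analyzer -> integration engine
    ("admin", "admin", 443),          # HTTPS between admin systems
    ("building", "building", 47808),  # BACnet between building controllers
}

# Constructed flow lines from a known-good baseline window.
BASELINE_WINDOW = [
    "2024-05-01T08:00:00 10.10.5.20 10.10.1.10 104 tcp 52000000",  # MRI -> PACS
    "2024-05-01T08:05:00 10.10.7.30 10.30.2.5 2575 tcp 8400",      # analyzer -> HL7
    "2024-05-01T08:10:00 10.30.4.40 10.30.4.41 443 tcp 1200",      # admin -> admin
    "2024-05-01T08:12:00 10.20.1.15 10.20.1.1 47808 udp 300",      # BACnet
]

# Constructed flow lines from a later window, including suspicious ones.
LIVE = [
    "2024-05-02T02:14:00 10.10.5.20 10.10.1.10 104 tcp 48000000",  # normal
    "2024-05-02T02:15:00 10.10.5.20 10.10.1.11 104 tcp 900000",    # new PACS node
    "2024-05-02T02:16:00 10.10.5.20 10.10.5.21 445 tcp 2200",      # SMB to neighbour
    "2024-05-02T02:17:00 10.10.5.20 10.30.4.40 1433 tcp 5100",     # MRI -> EHR DB
]


def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}


def check_segmentation(flows):
    """Return flows whose (src_zone, dst_zone, port) is not on the allow-list."""
    return [f for f in flows
            if (zone_of(f["src"]), zone_of(f["dst"]), f["port"]) not in ALLOWED]


def build_baseline(flows):
    """Map each source device to the set of (dst, port) pairs it was seen using."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((f["dst"], f["port"]))
    return baseline


def find_anomalies(baseline, flows):
    """Return flows where a device talks to a (dst, port) absent from its baseline."""
    return [f for f in flows
            if (f["dst"], f["port"]) not in baseline.get(f["src"], set())]


def analyze(baseline_lines, live_lines):
    """Run both checks; returns destination lists for violations and anomalies."""
    baseline = build_baseline(parse_flow(l) for l in baseline_lines)
    live = [parse_flow(l) for l in live_lines]
    violations = check_segmentation(live)
    anomalies = find_anomalies(baseline, live)
    return {
        "violations": [(f["src"], f["dst"], f["port"]) for f in violations],
        "anomalies": [(f["src"], f["dst"], f["port"]) for f in anomalies],
    }


if __name__ == "__main__":
    report = analyze(BASELINE_WINDOW, LIVE)
    for kind, items in report.items():
        print(kind)
        for src, dst, port in items:
            print(f"  {src} ({zone_of(src)}) -> {dst} ({zone_of(dst)}):{port}")
```

Note the difference between the two reports: the flow from the MRI to a second PACS node passes the segmentation policy, so only the baseline comparison surfaces it. The SMB connection to a neighbouring clinical device and the connection to the administrative database fail both checks. In practice the baseline window must itself be validated as clean before it is trusted, and devices whose addresses fall in no known zone are exactly the inventory gaps the article warns about.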
We’re entering uncharted territory if bad actors can exploit both zero-days and long-known, unpatched flaws with new efficiency. This is why teams need to unify their view of the network and better forecast what they’re up against. Knowing the “network weather,” and whether it is raining, hailing, or shining, will make the difference between getting ahead of a breach and cleaning up after one.
David Montoya is the Presales Director at Paessler GmbH. With deep expertise in IT/OT convergence, Montoya helps teams deliver proactive issue-prevention and monitoring solutions that deploy quickly and scale on their terms.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
