How healthcare providers can close the security gap

Published On: May 13, 2025. Last Updated: May 21, 2025

Ty Greenhalgh, Healthcare Industry Principal at Claroty, on why healthcare organisations must adopt smarter, more structured approaches to identifying and mitigating risk

By Ty Greenhalgh, Healthcare Industry Principal at Claroty  

The NHS’s digital infrastructure is high on the national agenda, with £2 billion pledged towards digitalisation in the government’s healthcare roadmap. Yet in the meantime, many trusts are approaching crisis point, unable to secure the resources needed to manage ageing IT estates. Torbay and South Devon NHS Foundation Trust, for example, recently warned that funding cuts were increasing its cyber risk exposure, particularly through its inability to replace unsupported, end-of-life equipment.

Many healthcare services are stuck trying to do more with less – at a time when they face escalating cyber threats from ransomware to data breaches and operational disruption. 

It’s clear that funding cuts and tighter budgets are increasingly the norm. Healthcare organisations must therefore adopt smarter, more structured approaches to identifying and mitigating risk if they are to protect critical systems and patient care in an increasingly aggressive threat landscape.

Understanding the limits of traditional vulnerability management 

Hospitals and healthcare delivery organisations (HDOs) face constant pressure to manage vulnerable technology assets – a challenge shared across most sectors but amplified in healthcare by unique structural complexities. Most providers operate sprawling IT estates with a high concentration of cyber-physical systems (CPS), from MRI machines to patient monitors. Years of piecemeal growth have left many without a clear or current asset inventory. As Torbay and South Devon NHS Trust reported, many also rely on end-of-life devices that can no longer be securely maintained.

These factors create an environment where cyber risk can quickly mount up. Claroty’s analysis of nearly three million devices across 351 healthcare providers found that 99% had at least one known exploited vulnerability (KEV). Among over 2.25 million Internet of Medical Things (IoMT) and 647,000 operational technology (OT) devices, 89% were exposed to actively exploited threats. 

Traditional vulnerability management approaches to these exposures rely heavily on Common Vulnerability Scoring System (CVSS) ratings, leaving critical gaps. Focusing only on CVSS often overlooks exposures like insecure connectivity, default credentials, or cleartext communications – flaws that are simple for attackers to exploit but fall outside standard prioritisation models. Without broader context, organisations are left with a dangerous blind spot, and critical risks can go unaddressed, leaving care environments exposed.

Why cybercriminals are targeting healthcare – and where it hurts most 


Healthcare delivery organisations have become prime targets for cybercriminal groups, not only because of the high-value data they hold but also due to the criticality of service continuity. Threat actors increasingly use double and triple extortion techniques, pairing system encryption with data theft and DDoS threats to maximise pressure. 

Some of 2024’s most damaging incidents show the stakes. The attack by Qilin on pathology provider Synnovis cost an estimated £32.7 million and postponed more than 10,000 appointments. 

BlackCat’s attack on Change Healthcare in the US disrupted services nationwide, triggered over $3.1 billion in losses, and prompted a $22 million ransom payment. Just months later, Black Basta targeted Ascension, one of the US’s largest hospital networks, leading to care disruption and $1.8 billion in financial impact.  

These attacks exploit systemic weaknesses. Claroty’s analysis found that 99% of healthcare organisations had devices with known exploited vulnerabilities (KEVs). Hospital information systems and patient monitoring devices were especially likely to be vulnerable, with many combining KEVs and insecure internet connectivity – making them easy entry points. Even a small number of compromised imaging systems or building automation controls can delay surgeries, affect diagnostics, or jeopardise medication storage. 

In such a high-stakes environment, understanding not only what is vulnerable, but where and how those vulnerabilities affect care, is essential to mounting an effective defence. 

Exposure management – what it is and why it matters 

The tendency for traditional vulnerability management to prioritise fixes based on severity scores often results in long lists of theoretical risks and little clarity on what to address first. Exposure management reframes this approach by focusing on real-world exploitability, business impact, and threat context. 

This matters enormously in healthcare environments, where many devices cannot be patched immediately due to resource limits and clinical constraints. Exposure management helps organisations identify which systems are not only vulnerable but also actively exposed – such as devices linked to known ransomware campaigns or communicating over insecure connections. 

This contextual approach drastically reduces the burden of discovering and resolving vulnerabilities. Claroty’s research found millions of exposed devices, for example, but when these were filtered through an exposure management lens – factoring in connectivity, threat activity, and operational impact – the number of high-priority devices fell by a factor of more than 30. In one example, an initial list of 111,000 at-risk assets was refined to just 3,800 requiring urgent intervention.

This risk-based approach enables security teams to act with precision, targeting the devices with the highest likelihood of exploitation, ensuring the greatest protection with the least disruption to care delivery. 

A five-step approach to managing exposure in healthcare 

Given the scale and complexity of healthcare infrastructure, addressing every vulnerability equally is neither realistic nor effective. Instead, exposure management is best achieved by splitting the work into five main steps, tailored to the sector’s unique challenges – particularly the regulatory and operational constraints that can delay patching.

  1. Scoping begins by identifying the critical processes most vital to patient care, mapped by department and device type. 
  2. Discovery follows with a detailed inventory of connected assets, including medical devices, clinical IoT, and OT systems. 
  3. Prioritisation then ranks these assets by exploitability, connectivity risk, and potential impact on operations delivering clinical services. 
  4. Validation confirms which vulnerabilities are externally reachable and pose genuine exposure, not just theoretical risk. 
  5. Mobilisation enables cross-functional teams to implement targeted mitigations – whether through segmentation, access controls, or compensating safeguards where patching isn’t feasible. 

This structured approach helps hospitals focus limited resources where they matter most – on reducing the real-world risks that threaten patient safety and care continuity. 
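The prioritisation and validation steps, and the CVSS blind spot described earlier, can be sketched in a few lines. This is an added example, not Claroty's methodology or code: the field names, the scoring weights and the six-device inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # "IoMT", "OT" or "IT"
    care_impact: int         # scoping: 1 (low) .. 3 (care-critical), assumed scale
    max_cvss: float          # highest CVSS base score among open findings
    kev: bool                # has a known exploited vulnerability
    ransomware_linked: bool  # KEV tied to a known ransomware campaign
    insecure_conn: bool      # validated as reachable over insecure connectivity
    default_creds: bool
    cleartext: bool

# Constructed sample inventory (not real devices or data).
INVENTORY = [
    Asset("mri-01", "IoMT", 3, 9.8, True, True, True, False, False),
    Asset("patient-monitor-17", "IoMT", 3, 5.3, False, False, True, True, True),
    Asset("his-db-02", "IT", 3, 8.1, True, False, False, False, False),
    Asset("bms-hvac-pharmacy", "OT", 2, 6.5, True, True, True, False, True),
    Asset("lab-printer-04", "IT", 1, 9.1, False, False, False, False, False),
    Asset("infusion-pump-33", "IoMT", 3, 7.5, False, False, False, False, False),
]

def cvss_only(assets, threshold=7.0):
    """Traditional view: every asset at or above a CVSS threshold."""
    return sorted(a.name for a in assets if a.max_cvss >= threshold)

def exposure_score(a):
    """Illustrative weights (assumption): exploitability x care impact, gated on reachability."""
    exploitability = 3 * a.ransomware_linked + 2 * a.kev + a.default_creds + a.cleartext
    if exploitability == 0 or not a.insecure_conn:
        return 0  # validation: nothing exploitable, or not reachable, so not urgent
    return exploitability * a.care_impact

def exposure_priority(assets):
    """Urgent list, highest score first; ties broken by name for stable output."""
    scored = sorted(((exposure_score(a), a.name) for a in assets),
                    key=lambda s: (-s[0], s[1]))
    return [name for score, name in scored if score > 0]

def missed_by_cvss(assets, threshold=7.0):
    """Urgent exposures that a CVSS-only cut-off would never surface."""
    flagged = set(cvss_only(assets, threshold))
    return [n for n in exposure_priority(assets) if n not in flagged]
```

On this sample, the CVSS cut-off flags four assets but omits the patient monitor with default credentials and cleartext traffic, while the exposure view yields three urgent assets ranked by impact on care. Assets scoring zero are not cleared; they move to scheduled patching or compensating controls.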

Making resilience realistic amid budget pressures 

NHS trusts and healthcare providers are under relentless financial strain – but cyber threats won’t pause while budgets catch up. As digital systems become both more vital and more vulnerable, resilience demands more than just increased investment. It demands smarter strategy. 

Exposure management offers exactly that. By cutting through the noise and focusing on the vulnerabilities that truly matter for patient care, it empowers stretched teams to protect what counts – without burning through time or resources. 

All healthcare providers work hard to safeguard patient care, ensure continuity, and do it with precision. Because in today’s threat landscape, defending healthcare means working smarter – not just harder. 

 
