Healthcare systems face costly cyber risks from outdated IoMT devices, necessitating a risk-first approach to prioritize and mitigate the most critical threats.

By Shankar Somasundaram

End-to-end visibility and protection for Internet of Medical Things (IoMT) devices have become increasingly critical for healthcare systems and partners, which are facing escalating threats and stiffer financial repercussions of insufficient security. IBM’s 2024 Cost of a Data Breach report found that the healthcare sector again has the highest data breach recovery costs—a spot it has held since 2011.

The industry also faces a knot of technology challenges and limitations no other industry faces. Often, legacy IoMT devices and equipment with little to no manufacturer security support must remain in use because they continue to be essential to patient care. These devices are often rife with vulnerabilities (with an industry average of six per device), but research shows that healthcare cybersecurity teams can mitigate just 5%-20% of known device vulnerabilities each month.

This predicament puts healthcare systems between a rock and a hard place: make expensive investments to increase cybersecurity effectiveness by traditional means, or pay the much greater costs and consequences of cybersecurity failures. Many are operating on thin margins as it is. A Becker’s Hospital Review report finds that 30% of rural U.S. hospitals are at risk of closure; such institutions cannot embark on major new cybersecurity spending, despite the fact that a single cybersecurity incident could put them out of business.

Given this challenge, the strategy for healthcare systems becomes pursuing IoMT cybersecurity efficiency, adding visibility that allows teams to prioritize the highest risk vulnerabilities, ignore false threats, and optimize their efforts.

Hospital Horror Stories

When St. Margaret’s Health of Spring Valley, Ill. closed down last year, it marked the first time in history that a healthcare system cited a cyberattack as its reason for shutting down. The hospital had lost its ability to bill insurers for 14 weeks due to a ransomware attack, putting its parent company into a financial tailspin from which it never recovered.

Data breaches can be just as lethal. The ransomware and data exfiltration attack on Scripps Health disrupted operations, including patient service, for weeks; the data of 150,000 patients was breached. S&P Global Ratings lists the attack as costing Scripps $113 million. In another incident, Advent Health in Altamonte Springs, Fla. encountered the legal ramifications of data breaches, agreeing to a $500,000 settlement in a lawsuit over its alleged failures to properly protect patient data. These cautionary tales make clear that the success or failure of a hospital’s cybersecurity strategy is synonymous with the success or failure of its entire business.

Reputations and Lives Are on the Line

A Forbes report finds that 46% of companies experience reputation loss following a cyber incident. For healthcare systems, that can mean fewer patients and reduced revenue as individuals shy away from facilities due to a lack of trust.

However, the monetary and reputational impacts of cyberattacks are a small concern in comparison to the real risk of life and death consequences. Ponemon Institute research reveals a frightening 20% increase in healthcare system mortality rates as a direct impact of cyber incidents interrupting patient care. That chilling negative impact on patient outcomes also results in further reputational harm.

Optimizing Cybersecurity Incident Prevention

Healthcare systems facing rising IoMT cybersecurity risks and stagnant budgets can nevertheless maximize their security teams’ effectiveness by adopting a risk-first approach. While hospitals have vast (and ever-growing) heterogeneous fleets of IoMT devices teeming with vulnerabilities, the reality is that only a small fraction of those vulnerabilities present actual danger within a given network configuration or are very likely to be exploited by attackers.

Pursuing a risk-first strategy means giving security teams the visibility and automation to detect and prioritize IoMT device vulnerabilities based on attackers’ tendencies and each vulnerability's realistic likelihood of causing a security incident. It means being as efficient as possible by leveraging the same techniques and technologies attackers use in order to stay ahead. Adversaries are well organized, well staffed, and armed with software and AI; defenders should strive for that level of preparedness as well.
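The prioritization the two paragraphs above describe can be made concrete with a small scoring model. The following is an added example written for this article, not Asimily's product logic or the author's own method: every device, vulnerability identifier (the `VULN-*` labels are placeholders, not real CVEs), probability and weight below is constructed for illustration. It ranks findings by severity, estimated exploit likelihood (assumed to come from a feed such as EPSS or a known-exploited list), network reachability, existing compensating controls and patient-safety impact, then selects what fits a team's monthly remediation capacity and compares the share of total risk covered against a plain CVSS-ordered queue.

```python
"""Risk-first prioritisation of IoMT vulnerability findings.

Added example, not code from the article or from Asimily. All records and
weights are constructed assumptions chosen to illustrate the approach.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    device: str                  # asset label (constructed)
    vuln_id: str                 # placeholder id, not a real CVE
    cvss: float                  # base severity, 0-10
    exploit_probability: float   # assumed 30-day exploitation likelihood, 0-1
    reachable: bool              # vulnerable service reachable from an attacker-accessible network?
    compensating_control: bool   # segmentation / firewall rule already blocks the vector?
    patient_safety_impact: int   # 1 = none ... 3 = device is in the direct path of care


def risk_score(f: Finding) -> float:
    """Higher means fix sooner. Severity alone is not the signal: an unreachable
    flaw or one already blocked by a control is demoted, a care-critical device
    is promoted. The multipliers are assumed weights, not a standard."""
    score = f.cvss * f.exploit_probability * f.patient_safety_impact
    if not f.reachable:
        score *= 0.1    # no plausible network path: stays on the list, near the bottom
    if f.compensating_control:
        score *= 0.25   # attack vector already mitigated by an existing control
    return round(score, 3)


def prioritize(findings: List[Finding], monthly_capacity: int) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (fix_now, deferred) by descending risk score."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:monthly_capacity], ranked[monthly_capacity:]


def severity_only(findings: List[Finding], monthly_capacity: int) -> Tuple[List[Finding], List[Finding]]:
    """The traditional queue: highest CVSS first, ignoring context."""
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return ranked[:monthly_capacity], ranked[monthly_capacity:]


def covered_risk_fraction(fix_now: List[Finding], deferred: List[Finding]) -> float:
    """Share of the fleet's aggregate risk score that the chosen work removes."""
    total = sum(risk_score(f) for f in fix_now + deferred)
    return round(sum(risk_score(f) for f in fix_now) / total, 3) if total else 0.0


# Constructed sample inventory: six findings across four devices.
SAMPLE_FINDINGS = [
    Finding("infusion-pump-07",   "VULN-A", 9.8, 0.90, True,  False, 3),
    Finding("infusion-pump-07",   "VULN-B", 9.8, 0.02, False, False, 3),
    Finding("mri-console-02",     "VULN-C", 7.5, 0.60, True,  True,  2),
    Finding("patient-monitor-12", "VULN-D", 5.3, 0.70, True,  False, 3),
    Finding("badge-printer-01",   "VULN-E", 9.1, 0.50, True,  False, 1),
    Finding("mri-console-02",     "VULN-F", 6.1, 0.05, True,  False, 2),
]


if __name__ == "__main__":
    capacity = 2  # assume the team can remediate two findings this month
    for label, planner in (("risk-first", prioritize), ("cvss-only", severity_only)):
        now, later = planner(SAMPLE_FINDINGS, capacity)
        print(f"{label:10s} fix now: {[f.vuln_id for f in now]} "
              f"covers {covered_risk_fraction(now, later):.0%} of aggregate risk")
```

With the constructed data, the CVSS-only queue spends both slots on the infusion pump, one of which is a 9.8 that is unreachable and unlikely to be exploited, while the risk-first queue picks the pump's reachable flaw and the medium-severity but exposed patient-monitor finding, covering a much larger share of the modelled risk for the same effort. The weights are the part a real program should calibrate against its own network data and device criticality.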

Healthcare system cybersecurity and IT teams able to recognize the true risks to their organizations can inspire confidence by hardening the attack surface at all its weak points. By adopting a risk-first strategy, healthcare systems can protect their critical IoMT infrastructure, safeguard patient data, and ensure operational resilience against evolving cyber threats.

About the Author

Shankar Somasundaram is the CEO of Asimily, an IoT and OT risk management platform. Previously, he worked on IoT analytics and security solutions at Symantec.