Stop Treating Patches Like They’re Riskier Than Ransomware

Far too often in healthcare, known vulnerabilities remain unpatched due to persistent resistance to patching. Many hospitals and providers identify legacy infrastructure and compatibility issues as pain points, and as a result, believe software patching is too complex and disruptive. 

However, our sector must remember that the risks of not patching endpoints far outweigh these manageable inconveniences. In fact, as AI accelerates vulnerability discovery, this aversion creates an increased risk of attacks on patient monitors, infusion pumps, and imaging systems.

In October, Sophos revealed that exploited vulnerabilities – known endpoint backdoors for which a fix exists but has yet to be applied – are the leading technical cause of healthcare ransomware. This is a big problem: successful attacks can disrupt patient care, and the average cost of recovery exceeds $1 million.

The truth is that we’re losing the patching battle and therefore the ransomware war. Let’s explore how healthcare can change its perspective, improve patching, and better block ransomware pathways.

The challenge of patching

Patching is indeed easier said than done and there are legitimate challenges that prevent healthcare ecosystems from updating as soon as possible. 

For starters, there’s the issue of old machinery and compatibility. Many healthcare organizations run critical systems on older hardware that wasn’t designed for frequent updates. When these systems are tightly integrated with electronic health records and other clinical workflows, admins worry that a patch could break something essential.

And, if this happens, downtime is dangerous. A failed update that takes down a patient monitoring system or locks clinicians out of records is much more than just an IT problem. This is a sector with a duty of care and a need for uptime – understandably, anything that potentially risks patient care mightn’t be prioritized.

Patches also don’t always play nice. Testing before launch and the ability to roll back in an emergency are essential capabilities that teams often lack. Of course, these are all valid concerns, but they’re creating a dangerous status quo that delays patches and leaves known vulnerabilities open longer – and attackers know it.

The danger of not patching

Ransomware causes financial, reputational, and service-delivery damage, as evidenced last year when attackers exploited basic endpoint security failures to launch a successful attack against Change Healthcare. The result? Data theft, the cancellation of urgent surgeries, and an estimated $800 million in losses.

Unfortunately, the vulnerability landscape is worse than many realize. Recent analysis of more than 2 million internet-exposed assets found that 16% of healthcare and insurance assets contain exploitable vulnerabilities, including outdated software, exposed sensitive data, and misconfigurations.

While this places healthcare below sectors like education (31%) and government (26%), it still represents tens of thousands of vulnerable endpoints across the industry. It’s worth noting that these vulnerabilities were identified using the same black-box penetration testing techniques used by real attackers, meaning bad actors can find them just as easily.

Despite these risks, many in healthcare still choose to avoid patching a known critical vulnerability rather than schedule planned downtime. This backward logic is increasingly dangerous as bad actors discover and exploit vulnerabilities faster than ever. What was once a manageable security gap can now be weaponized at scale within hours of disclosure. Leaving these backdoors open simply isn’t a way forward.

The answer to defeating ransomware

The good news is that healthcare can nip this in the bud with just a few simple technical shifts.

First, automate patching during off-peak hours. This goes a long way to minimizing disruptions and maximizing troubleshooting time if something goes wrong. Modern unified endpoint management (UEM) platforms solve this by scheduling automatic updates during nights, weekends, or other low-activity windows.

UEM also helps answer how many devices are in the ecosystem and where they’re located. Solving this fundamental inventory problem and overseeing policy enforcement, configuration management, and remote wipes at the click of a button are vital to reinforcing defenses. Extended detection and response (XDR) platforms are also helpful here for monitoring endpoints in real time, identifying suspicious behavior, and enabling rapid incident response.

Finally, be realistic about devices. Not all legacy equipment can be replaced overnight, but organizations should develop clear timelines for phasing out devices that can no longer be securely maintained. And when older medical equipment can’t be updated immediately, network segmentation becomes critical. Isolating these devices limits the potential damage from any compromise.
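The three shifts above (inventory every device, patch what can be patched in an off-peak window, segment and phase out what cannot) written out as a triage routine. This is an illustration added here, not code from the article or from any UEM product; the Saturday 02:00 maintenance window, the 12-month fallback retirement deadline and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed maintenance window: Saturday (weekday 5) at 02:00 local time.
OFF_PEAK_WEEKDAY = 5
OFF_PEAK_HOUR = 2
# Assumed fallback: legacy gear with no known support end is retired within a year.
DEFAULT_PHASE_OUT = timedelta(days=365)


@dataclass
class Endpoint:
    name: str
    patch_available: bool          # a fix exists for a known vulnerability
    vendor_supports_updates: bool  # the device can actually take the patch
    support_ends: Optional[datetime] = None


def next_off_peak_window(now: datetime) -> datetime:
    """Return the next Saturday 02:00 strictly after `now`."""
    days_ahead = (OFF_PEAK_WEEKDAY - now.weekday()) % 7
    candidate = (now + timedelta(days=days_ahead)).replace(
        hour=OFF_PEAK_HOUR, minute=0, second=0, microsecond=0)
    if candidate <= now:  # already past this week's window
        candidate += timedelta(days=7)
    return candidate


def triage(device: Endpoint, now: datetime) -> Tuple[str, Optional[datetime]]:
    """Decide what to do with one inventoried device right now."""
    if not device.patch_available:
        return ("monitor", None)  # nothing to apply; keep XDR watching it
    if device.vendor_supports_updates:
        # Known vulnerability, fix exists, device can take it: schedule, don't defer.
        return ("patch-off-peak", next_off_peak_window(now))
    # Fix exists but the device cannot be updated: isolate it now and set a retirement date.
    deadline = device.support_ends or now + DEFAULT_PHASE_OUT
    return ("segment-and-retire", deadline)


def plan(inventory, now: datetime) -> dict:
    return {d.name: triage(d, now) for d in inventory}


# Constructed sample inventory (not real devices).
SAMPLE = [
    Endpoint("radiology-ws-03", patch_available=True, vendor_supports_updates=True),
    Endpoint("infusion-pump-12", patch_available=True, vendor_supports_updates=False),
    Endpoint("nurse-station-07", patch_available=False, vendor_supports_updates=True),
]
```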

These gaps can and do have a real-world impact. Admins often feel increased pressure from senior leaders, anxiety or stress about future attacks, and guilt when an attack isn’t stopped. However, acknowledging these emotions isn’t enough – organizations must provide the tools and resources that prevent repeat ransomware incidents.

The manageable risks of patching are infinitely preferable to cancelled surgeries, compromised patient data, and avoidable recovery costs. It’s time for healthcare to treat patching with the urgency and oversight it deserves.

Apu Pavithran is the founder and CEO of Hexnode, the award-winning Unified Endpoint Management (UEM) platform developed by Mitsogo Inc. Hexnode helps businesses manage mobile, desktop and workplace devices from a single place.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.