
By Andrew Aiken, CISSP, CSIS, CySA+
Healthcare technology management (HTM) professionals, responsible for the safe and reliable operation of sensitive medical systems, have long operated under constraints that differ markedly from general IT environments. Here is a statement that will be a shock to no one reading this: medical systems are not engineered for rapid, frequent patching.
Rigorous validation coupled with zero tolerance for unplanned downtime makes patch deployment a deliberate, time-intensive process. For years, this methodical pace has drawn criticism from large organizational IT teams, who are often frustrated by our perceived lack of agility.
But here’s the twist: in the evolving world of cybersecurity, where AI now generates exploits at breakneck speed, our baked-in defense-in-depth controls are proving to be a strategic advantage. We’re not behind the curve – we’re ahead of it. Like the tortoise in the fable, our methodical approach is outlasting the hare’s sprint.
THE USUAL LANDSCAPE: LESSONS FROM WANNACRY
To illustrate, let’s revisit the infamous WannaCry ransomware attack of 2017 – a textbook case of enterprise-wide frenzy. This worm exploited a vulnerability in the Server Message Block (SMB) protocol on Windows systems, spreading via TCP port 445. It wreaked havoc globally, encrypting files and demanding ransoms, all while propagating like wildfire across networks. In healthcare settings, the response was frantic. Facilities compiled “burn lists” of patched versus unpatched devices, with demands for daily – or even hourly – progress reports rolling up the chain of command. Executives tended to fixate on one metric: patching completion. Explanations from biomedical staff concerning our various controls were less regarded than the one true cure-all … the patch. The posture persists to a large extent today. Success is often measured by a “green” spreadsheet, signaling full patching compliance. Those metrics are useful, but incomplete without control context.
THE NEW REALITY
Even for well-resourced enterprise blue teams overseeing general (non-specialized) systems, maintaining a competitive edge has consistently been a formidable task. Now, artificial intelligence (AI) is supercharging the threat landscape. AI tools can discover vulnerabilities in code with unprecedented efficiency and low cost, then generate exploits in minutes. Attacks iterate and evolve faster than defenders can deploy hotfixes – even in the most agile environments. Traditional patching, once the holy grail, is increasingly rendered ineffective. By the time a patch is validated and rolled out, the exploit may have already morphed. This shift demands a re-evaluation. If patching can’t keep up, what then?
THE ADVISED STRATEGY: A SHIFT TO RESILIENCE
Experts now emphasize a multi-pronged approach focused on containment rather than just prevention:
- Prevent Exploit Success: Block entry points at the network level to stop threats before they reach vulnerable code.
- Limit Impacts: Use segmentation and isolation to contain breaches, preventing lateral movement and widespread damage.
- Reduce Portability: Harden systems to make exploits harder to adapt and deploy across diverse environments.
These aren’t novel ideas – they’re cybersecurity fundamentals. But in an AI-accelerated world, they’re more critical than ever.
THE GOOD NEWS: HTM HAS BEEN HERE ALL ALONG
Fortunately, most healthcare delivery organizations (HDOs) are already well-positioned. Network isolation keeps medical devices off the open Internet; segmentation creates silos that limit blast radii; least-privilege access ensures only essential users can interact; server hardening strips away unnecessary features; and restricted physical access adds a tangible barrier. Together, these minimize the attack surface without relying on frequent patches.
Take WannaCry again: In many medical networks, TCP port 445 was already blocked locally or via firewalls, and if permitted at all, it was tightly restricted to specific source-destination pairs. This defense-in-depth neutralized the worm’s propagation vector, even on unpatched systems. Where segmentation and SMB restrictions weren’t in place, the impact was severe. While many traditional IT devices were patched immediately, our “slow” systems were quietly secure – proving that strategic controls can outpace reactive fixes.
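The "green spreadsheet" counts patched versus unpatched devices and nothing else. The following script is an added example, not code from the article or its author, showing how a control-aware report can be produced instead: each device is rated on patch status, whether SMB is enabled at all, whether the host blocks TCP/445 locally, and whether any firewall rule allows TCP/445 into its segment. The inventory, zone names and firewall rules are constructed for illustration, and rules are modelled at zone level (the real source-destination pair restrictions the article describes would be per host).

```python
"""Control-aware exposure report for a fleet with unpatched devices (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SMB_PORT = 445  # WannaCry's propagation vector: SMB over TCP/445


@dataclass
class Rule:
    src_zone: str   # "*" matches any zone
    dst_zone: str   # "*" matches any zone
    dport: int      # 0 matches any TCP port
    action: str     # "allow" or "deny"


@dataclass
class Device:
    name: str
    zone: str
    patched: bool            # vendor-validated patch applied
    smb_listening: bool      # SMB service enabled on the host
    local_445_blocked: bool  # host firewall drops inbound TCP/445 from its own segment


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, dport: int) -> str:
    """First-match rule evaluation with an implicit default deny."""
    for r in rules:
        if (r.src_zone in ("*", src_zone) and r.dst_zone in ("*", dst_zone)
                and r.dport in (0, dport)):
            return r.action
    return "deny"


def smb_sources(device: Device, rules: List[Rule], zones: List[str]) -> List[str]:
    """Zones from which TCP/445 on this device is reachable."""
    sources = []
    for z in zones:
        if z == device.zone:
            # No boundary firewall between hosts in one segment; only a host firewall helps.
            if not device.local_445_blocked:
                sources.append(z)
        elif first_match(rules, z, device.zone, SMB_PORT) == "allow":
            sources.append(z)
    return sorted(sources)


def assess(device: Device, rules: List[Rule], zones: List[str]) -> Tuple[str, List[str]]:
    """Return (status, zones that can reach TCP/445) for one device."""
    if device.patched:
        return "patched", []
    if not device.smb_listening:
        return "compensated", []          # nothing listening on the vector
    sources = smb_sources(device, rules, zones)
    if not sources:
        return "compensated", []          # vector blocked at host and boundary
    return "exposed", sources


def summarize(devices: List[Device], rules: List[Rule], zones: List[str]) -> Dict[str, int]:
    """Counts per status: the contextual replacement for patched/unpatched totals."""
    counts = {"patched": 0, "compensated": 0, "exposed": 0}
    for d in devices:
        counts[assess(d, rules, zones)[0]] += 1
    return counts


# Constructed sample data (hypothetical zones, rules and devices).
ZONES = ["corp", "pacs", "imaging", "infusion", "lab"]
RULES = [
    Rule("pacs", "imaging", 445, "allow"),   # PACS pushes studies to imaging consoles
    Rule("corp", "imaging", 443, "allow"),   # web access to the console only
    Rule("*", "*", 0, "deny"),
]
DEVICES = [
    Device("it-laptop-07", "corp", patched=True, smb_listening=True, local_445_blocked=False),
    Device("ct-console-01", "imaging", patched=False, smb_listening=True, local_445_blocked=False),
    Device("infusion-srv-01", "infusion", patched=False, smb_listening=True, local_445_blocked=True),
    Device("lab-analyzer-03", "lab", patched=False, smb_listening=False, local_445_blocked=False),
]

if __name__ == "__main__":
    for d in DEVICES:
        status, sources = assess(d, RULES, ZONES)
        detail = f" (TCP/445 reachable from: {', '.join(sources)})" if sources else ""
        print(f"{d.name:16} {status}{detail}")
    print(summarize(DEVICES, RULES, ZONES))
```

In this sample only one device ends up "exposed" even though three are unpatched, and the report names the segments whose TCP/445 access is the reason, which is the conversation the article wants to have with leadership instead of a bare completion percentage.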
In essence, the rise of AI exploits validates the isolation architectures that we have already had in practice for years. Patching remains essential, but it is not the only tool in the kit: compensating controls reduce risk while validation and rollout happen. By advocating for contextualized risk assessments and clear communication with leadership, we can bridge the gap with OIT, foster collaboration, and build more resilient healthcare ecosystems. The tortoise doesn’t just finish the race – it wins by design.