Few industries face digital environments as complex and high-stakes as healthcare, where a single breach can put both patients and providers at risk. HIPAA compliance and patient privacy dominate most cybersecurity debates, but many other important threats continue to be overlooked. These gaps can be exploited quietly, sometimes for months, before they are detected.
Below, members of the Forbes Technology Council uncover the most underrated cybersecurity challenges in healthcare. They explain why addressing these risks is essential to protecting patient care, maintaining compliance and maintaining confidence in the healthcare system.
1. Aging, Interconnected Devices and Software
The biggest weakness is the interoperability between very different medical devices and software, and the range of technology stacks and ages among them. The industry relies on connected technologies spanning from the cutting edge to the aging. This forces advanced systems to communicate with less secure ones, inevitably negotiating security down to the lowest common denominator and leaving the ecosystem only as strong as its weakest links. – Gunter Ollmann, Cobalt
2. Vendors' Email Systems
We invest a lot in internal security, but the real risk is often in our vendors' inboxes. Email is still the top attack vector, and we are all at risk when third-party partners have weak defenses. It's time to hold the ecosystem to a higher standard. We ask tough questions about authentication, phishing readiness, and account takeover protection. – Eyal Benishti, IRONSCALES
3. Third-Party Software and Devices
Many hospitals and health systems rely on dozens (or hundreds) of third-party tools, including electronic health record plugins, diagnostic systems, billing platforms, and internet-connected medical devices. These vendors often require access to sensitive patient data or internal networks. However, they may not fall under the same security and compliance standards as the healthcare organization itself. – Jonathan Stewart, Zensource
4. Phishing Attacks
One often overlooked challenge is the enormous volume of phishing attacks targeting healthcare organizations. Hackers target valuable patient data and leverage obsolete systems, vast supply chains and limited security training to trick employees into clicking malicious links and engaging with business email compromise attacks. This can lead to ransomware, and medical companies are more likely to pay to keep their critical services running. – Mike Britton, Abnormal AI
5. Outdated Legacy Systems
Obsolete legacy systems are an often overlooked weakness. Long depreciation cycles mean that critical connected medical devices and software cannot be updated, often forcing reliance on vulnerable, outdated policies. This widespread problem creates a critical network attack surface. Better control, visibility, and microsegmentation are essential to limit access and reduce damage until patching is possible. – Erez Tadmor, Tufin
6. Lack of Frontline Cybersecurity Training
Frontline staff often lack proper cybersecurity training and are susceptible to social engineering attacks. For example, a smooth-talking patient distracts the clinician, who forgets to lock the workstation before leaving the room. This could lead to the exposure of sensitive data, such as personally identifiable information and other patient health records. This poses serious risks to privacy and to the security of your healthcare system. – Sunny Banerjee, First Citizens Bank
7. Missing Data Lineage in AI-Driven Systems
In today's AI-driven healthcare delivery, the big gap no one talks about is data lineage. We are obsessed with encryption and access control, but we rarely ask, "Where did the data come from, how did it change, and who touched it?" Without clear tracking, silent corruption and model poisoning slip through, and diagnostic accuracy, AI performance, and patient confidence erode over time. – Kiran Elengickal, Siemba
8. On-Premises Servers
One cybersecurity risk that healthcare often overlooks is its reliance on on-premises servers. Many practices still store sensitive patient data locally without regular updates, backups or monitoring. This creates serious vulnerabilities. A cloud-based platform with well-managed open APIs offers stronger security and more secure, scalable integration. – Eric Giesecke, Planet DDS
9. Manual Certificate Management
One challenge that healthcare cybersecurity often overlooks is manual certificate management. Expired or misconfigured digital certificates can take down EHR systems, delay care, and put patient safety at risk. Automated certificate lifecycle management is critical to maintaining secure, uninterrupted operations. – Jason Sabin, DigiCert Inc.
10. Data Silos and BMAs
One weakness or challenge that is often overlooked is data silos and business-managed applications. BMAs fly under the radar when it comes to security guidelines and are always at risk of exposure. BMAs also tend to carry a risk of compliance failure at various levels. Financial or operational analysis involves high-risk, highly sensitive and important data. – Sanath Chilakala, NTT DATA
11. Outdated Medical Equipment
One of the key cybersecurity risks in healthcare is outdated medical devices. Many run on expensive legacy software that struggles to get patched each cycle, making them easy pickings for bad actors on the internet. With limited encryption and little chance of being replaced, they remain plugged into sensitive networks, endangering patients and the integrity of client records. – Sreekanth Narayan, LTIMindtree
12. Shadow IT and BYOD Practices
Shadow IT and bring-your-own-device practices in healthcare, such as staff using personal devices and apps for convenience, extend the attack surface beyond what most systems monitor. These informal workflows bypass standard protections and expose patient data and core systems without anyone realizing it. – Mark Mahle, NetActuate, Inc.
13. Insecure Data Sharing During Clinical Trials
An often overlooked cybersecurity risk in healthcare is insecure data sharing during clinical trials. Multiple stakeholders and fragmented oversight mean sensitive patient data flows throughout the system without unified governance. This sector needs to design a secure interoperability framework that protects trust as much as innovation. – Rishi Kumar, MatchingFit
14. Unsecured Data Exhaust From Medical IoT Devices
An important but rarely discussed vulnerability in healthcare is data exhaust from medical IoT devices such as infusion pumps and smart monitors. These devices constantly stream telemetry, often unsecured, creating a quiet, large-scale attack surface. Deploying an edge-based zero trust agent directly on these devices allows you to verify all outbound data packets in real time. – Nicola Sfondini, PwC
15. Legacy Devices With Hardcoded Credentials
Legacy medical devices with hardcoded credentials or outdated firmware are huge blind spots. They often sit on flat networks and are invisible to the IT team. In an EHR breach, a compromised infusion pump or MRI interface provides quiet, persistent access, turning patient care tools into an attack surface. Cybersecurity is no exception and needs to evolve to treat these devices like endpoints. – Ragupara, Ford Motor Company
16. Continued Use of Fax Machines
A real threat in healthcare cybersecurity? The fax machine. Hospitals are sending patient data through outdated, insecure systems because "that's the way it's done." It's not hackers we should fear most. It's complacency. Security won't come from patching the past. It will come from rethinking it completely. – Oleg Sadikov, Deviqa
17. Lack of Standardized Secure Communication Protocols
Secure communication between different companies is a risk. The healthcare industry has standards for HIPAA compliance, but no standards for communication. Some data is still exchanged in physical form. The weakness occurs when data moves from one system to another and remains unencrypted. The best solution is to establish communication standards that use rotating keys and algorithms. – Waije Coler, Infotracer
18. Weak Endpoint Security for Mobile Devices
One important but often overlooked challenge in healthcare cybersecurity is the lack of robust endpoint security for mobile devices used by healthcare professionals. These devices often access sensitive patient data remotely, but many organizations fail to implement proper security measures such as encryption and remote wipe capabilities. This increases exposure to data breaches. – Roman Vinogradov, Improvado
19. Unsecured DevOps Pipelines
One risk that is often ignored is the unsecured DevOps pipeline of the medical technology stack. A rapid CI/CD deployment cycle with no quality control or cyber review can bypass critical security gates and introduce unreviewed code into the patient data environment. Secure DevSecOps integration is not optional. It is an important aspect of developing secure code, and is essential to protecting data integrity and maintaining clinical trust. – Dan Sorensen
20. Lack of Comprehensive DSPM Practices
The combination of uneven cloud adoption in the healthcare industry, disparate networks of legacy devices and a lack of consistent cybersecurity training creates ideal opportunities for malware and ransomware attacks. Integrating comprehensive data security posture management allows teams to continue expanding their digital capabilities without sacrificing patient privacy. – Thyaga Vasudevan, Skyhigh Security