ARMIS PLAYBOOK
Mastering Patient-Centric Cybersecurity for Healthcare
Download Your Copy Now
Introduction to Patient-Centric Healthcare Cyber Exposure Management
Healthcare organizations deliver lifesaving and life-improving care every day and rely on a wide array of technology assets to help patients, ensure better outcomes, and provide continuous care from intake to release. From infusion pumps and MRIs to mobile devices or building management systems, it is more important than ever for healthcare to bolster its defenses across every technology asset and patient touchpoint to prevent cyberattacks.
This playbook provides a foundational understanding of a patient-centric approach to cybersecurity in healthcare and actionable steps for healthcare delivery organizations (HDOs) to strategically adopt it, ensuring resilience in the face of evolving cyber threats.
Did You Know
| The average hospital uses thousands of network-connected assets – about 17 per hospital bed.
| Amis Labs research shows that most attacks begin within IoT assets.
| There is more to security than just medical devices.
Your Attack Surface
Managing the Expanding Attack Surface and Evolving Threats
The digital transformation push in healthcare is centered around providing an excellent patient experience across every touchpoint – from the building entrance to the operating room and beyond. More innovation and technology increase the vectors for attacks beyond just medical devices. HDOs need to monitor and secure all assets, spanning IT, OT, and IoT, as well as traditional medical devices and the Internet of Medical Things (IoMT).
There are more vulnerable areas within the healthcare ecosystem for bad actors to exploit. The attack surface is complex and ever-changing. It consists of:
- Assets you know exist, and you know they are unexposed.
- Assets you know exist, but are exposed and lack effective protection or compensating controls.
- Assets you know exist, but don’t know if they are exposed (often lacking context).
- Assets you don’t know exist, and therefore unaware of their exposure.
Lack of comprehensive, contextual visibility of your entire technology ecosystem can create dangerous blind spots that leave your organization susceptible to attacks.
Healthcare in the Crosshairs – The Market Challenge
- Healthcare organizations possess high value data, including protected health information (PHI), insurance, and payment information.
- Healthcare is therefore seen as a valuable and easy target for cyberattacks due to historically low investments in IT security and the essential nature of data and system continuity. The pressure to maintain operations and efficient patient care leaves healthcare organizations grappling with the choice of making ransom payments or putting patient lives at risk.
- Flat networks multiply the attack surface. The inability to patch certain medical assets promptly leaves critical assets vulnerable.
- Limited resources and budget constraints require more efficient processes and better use of existing resources, the pressure to do more with less.
Did You Know
| 92% of healthcare organizations surveyed by the Ponemon Institute experienced at least one cyberattack over a 12 month period.
Market Trends in Healthcare
| Significant Increase | Attack Surface |
Pace and Complexity |
Pressure to Act |
Awareness and Demand |
| More innovation and technology increases the vectors for attacks beyond just medical devices. Healthcare Delivery Organizations need to monitor and secure devices spanning IT, OT, and IoT as well as traditional medical devices and IoMT. | More frequent, targeted cyberattacks and greater complexity, beyond internal user error. Healthcare routinely targeted by ransomware attacks or exploited vulnerabilities to leverage sensitive data for malicious purposes. Third-party risk exposure more prevalent. | Increased pressure from governments, regulatory bodies, and general public to bolster cybersecurity in light of high profile attacks. Protecting patient data from exfiltration is top of mind. Direct accountability placed upon stakeholders for guaranteed data privacy. | Healthcare customers more cyber-aware, understand the risks and requirements and asking more of technology providers. Solutions must work within existing environments, be easy to use, and solve problems the customer is aware of and those they haven’t considered. |
Top Healthcare Cybersecurity Threats
Ransomware Attacks
Routinely levied at healthcare organizations to leverage sensitive data for malicious purposes. Leads to operational downtime and risks to patient safety. Ransomware attacks have doubled in frequency over the past two years.
Unpatched Software and Firmware
53% of medical devices have known vulnerabilities that are still exploited. Can lead to unauthorized access or manipulation of device functionality.
Third Party Risk
62% of organizations experienced a third-party data breach or cybersecurity incident in 2024. Attacks like Change Healthcare exposed sensitive records impacting over 100 million individuals worldwide. Third party risk exposure is more prevalent due to technology adoption and mergers and acquisitions.
Data Breaches
In 2023, 725 breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and exposed or impermissibly disclosed more than 133 million records.
Human Error
Internal error or IT failings remain the top vector for attacks in healthcare, with 88% of all breaches caused by human error. Bad actors are leveraging more advanced methods and technologies, including spear phishing to exploit the most vulnerable industry.
Did You Know
A recent study by IBM reveals that Personal Identifiable Information (PII) and Intellectual Property were the top 2 forms of data breach recorded in 2024.
Armis Centrix™ for Healthcare
See, Protect, and Manage Every Asset in the Modern Healthcare Environment
1. Overall Facility
- HVAC systems
- Building Management Systems
- IT and WiFi networks
- CCTV cameras
- Building security systems
- Staff scheduling systems
- Elevators
- Printers and FAX machines
2. Patient and Emergency Admission
- Hospital apps
- Electronic Patient Records
- Digital signage
- Queue management systems
- PA system
3. Triage and Medical Examination
- Patient entertainment systems
- Intercom
- Monitors
- Pagers & staff messaging apps
- Clinician mobile devices
- Medical devices
4. Treatment, Surgery, Procedures, Diagnosis
- Medication cabinets
- Medical devices for scans, imaging
- Third parties (pathology labs, etc)
- AI diagnostics tools
- Surgical robotic arms
Cybersecurity Health Checks:
Guidance for Building an
Effective Security Program
Conduct a ‘Full Physical’
- A comprehensive and holistic asset inventory is the cornerstone of any security program. Implement tools that provide real-time awareness and detailed inventory of every asset.
- A view of all medical/IoMT, enterprise, IoT, OT, cloud, remote, and virtual assets is key – ranging from MRI scanners to HVAC systems or Building Management Systems.
- Classify the clinical context of every asset by their role, criticality, behaviors, and risk level helps prioritize security efforts effectively to address the biggest potential impacts on patient care first.
Did You Know
Nearly 70% of CISOs admit they lack a comprehensive view of their organization’s attack surface, even though 94% of organizations claim “full visibility” is a top priority.
Strategic Considerations
- Ensuring that information and security policies are regularly reviewed and updated is fundamental to good cybersecurity posture.
- Set the tone at the top of the organization and ensure policies are always sufficient to address the reality of the current attack landscape. IT failure and human error still make up 23% and 22% of all security breaches.
- Automated response capabilities shorten response time and ensure consistent protection and vigilance.
Did You Know
Companies with extensive use of AI and automation security tools lower breach costs in some instances by an average of USD 2.2 million.
Triage, Assess, and Treat
- Vulnerability and security assessments for healthcare require a multi-detection approach including passive analysis for sensitive equipment, smart active querying, and clinical risk prioritization mechanisms.
- Use risk-based frameworks to identify, deduplicate, contextualize, and prioritize vulnerabilities and other security findings based on exploitability and patient impact.
- Automate workflows for task assignments including patching, configuration updates, or other remediation efforts to reduce time from initial notification to risk reduction.
Did You Know
Using AI-driven vulnerability prioritization reduces the average number of “critical” vulnerabilities organizations must address by 80%, improving operational efficiency.
Conduct Regular Checkups
- Eliminate blind spots around traffic movement and behavioral anomalies to prevent attack proliferation or “living off the land.”
- Monitor for known and unknown threats, including zero-day exploits and anomalous behaviors such as spikes in data access and exfiltration, lateral movement between unrelated zones, or authentication behaviors never before seen.
- Leverage artificial intelligence and proactive threat detection in regular monitoring and security awareness to preempt attacks before they manifest.
Did You Know
- Organizations without a zero-trust approach saw average breach costs 1.76 million less than organizations without.
- Zero-day vulnerabilities were the most time consuming to contain, according to IBM.
Manage Third Party Risks
- Catalog all vendor-managed assets, assess vendor credentials, site-to-site tunnels, and remote access software.
- Foster collaboration and accountability between security teams and other organizations, including clinical engineers, facilities management, and physical security for a successful cybersecurity program.
- Manage access to prevent unsanctioned or unsecured apps on unmanaged vendor servers, a top risk vector for healthcare.
Did You Know
62% of organizations experienced a third-party data breach or cybersecurity incident in 2024.
Preventive Cyber Care
- Monitor security trends and leverage automation to proactively build up your security posture in advance of an attack taking place, to reduce response time and prevent malware attacks.
- Educate and empower your teams to identify and mitigate threats. Enhance email security controls to combat phishing, the top vector for cyberattacks. Enable MFA across all external-facing systems and internal critical applications.
- Conduct dynamic and real-time risk assessments for continuous security improvement. Report on security posture efficacy to embed security as a priority throughout the organization.
Did You Know
- Healthcare organizations with effective cybersecurity programs boast better overall patient outcomes.
- Patients can bear the brunt of ransomware attack fallout, with a 28% increase in mortality rate for affected healthcare organizations in 2023.
Building a Patient-Centric
Strategy
Comprehensive Protection of the Entire Attack
Surface Across Medical Devices, IT, IoT, and OT
Why it Matters
Understanding and securing every asset across your environment is foundational to managing cyber risk and supporting innovation without exposing the expanding cyberattack surface. Many solutions only protect medical devices or have limited coverage for the entire technology ecosystem used in healthcare environments.
Key Principles
- Achieve Real-Time Visibility: Ensure full visibility into every asset— managed, unmanaged; physical and virtual.
- Contextual Asset Intelligence: Enrich asset data with details such as location, owner, configuration, and risk level.
- Clinical Risk Scoring: Accurately profile the asset and determine how it is and should be used to determine the clinical context needed for risk scoring in healthcare.
Strategic Steps
- Deploy a platform capable of automatically discovering and profiling all connected assets in real time.
- Establish a centralized asset inventory to break down silos between medical device, IT, OT, and IoT ecosystems.
- Classify and prioritize assets based on business criticality and risk profile.
- Continuously monitor asset behavior for anomalies.
Manage Clinical and Operational Risk
Why it Matters
Security teams in healthcare are inundated with vulnerabilities and dealing with fragmented processes and disparate tools with no clear mitigation steps. Effective identification, deduplication, contextualization, prioritization and remediation ensure that resources are allocated to address the most critical threats to patient safety first.
Key Principles
- Risk-Based Prioritization: Focus on vulnerabilities with the highest likelihood and greatest impact on the clinical environment.
- Automation: Leverage AI/ML to streamline vulnerability and security finding identification and triage.
- Closed-Loop Remediation: Integrate vulnerability management workflows with patch management and ticketing systems, automatically assigning owners and track tasks to completion.
Strategic Steps
- Implement a vulnerability management solution that integrates with your asset inventory to identify risks in context to understand clinical use and patient proximity.
- Use risk scoring to prioritize vulnerabilities based on threat intelligence, asset criticality, and exploitability.
- Automate workflows to notify appropriate teams and track remediation progress with a single point of access.
- Regularly assess the effectiveness of remediation efforts and clinical cyber risk reduction.
Protect Patient Safety and Sensitive Data
Why it Matters
Healthcare organizations have multiple asset types, many of which are legacy devices that are unseen or unmanaged. Any gap in coverage can result in downtime that disrupts patient care, puts PHI at risk, and can even directly cause patient harm. Ransomware attacks or medical assets operating improperly is a top concern. Detailed asset security and utilization insights maximize operational efficiency and ensure the healthcare environment is safe for patients and their personal information.
Key Principles
- Layered Detection: Use multiple detection techniques to identify known and unknown threats.
- Behavioral Analysis: Detect deviations from normal behavior across assets to ensure safe and optimized operations and catch early indications of data exfiltration.
- Device Recall and MDS² Information: Manage device recall and manufacturer information within a single pane.
Strategic Steps
- Employ a multi-detection framework to monitor for threat indicators.
- Monitor asset behavior for spikes in traffic or communication with suspicious domains.
- Ingest FDA recall and MDS² information on all devices for continuous patient safety.
- Monitor and alert on ePHI exfiltration attempts to prevent data breaches.
Mitigate and Prevent Ransomware Attacks
Why it Matters
Healthcare organizations are the largest and most lucrative target for ransomware attacks worldwide. Owing to the sensitive nature of the assets healthcare delivery organizations rely on, and the proximity of technology to patients, malicious actors have targeted HDOs for being more likely to pay ransomware demands to ensure continuity of patient care. A proactive approach to mitigating and preventing attacks is essential to uphold patient safety and trust.
Key Principles
- Comprehensive Visibility: Forensic asset visibility and continuous security are essential for early risk detection and neutralization.
- Multi-Detection Capabilities: Use multiple detection techniques to identify known and unknown threats at their most granular level.
- Automated Alerts: Leverage automation through connected platforms to reduce response times and prevent ransomware attacks.
Strategic Steps
- Establish baseline policies for asset permissions and behavior. Enforce compliance.
- Implement anomaly detection to identify deviations from baseline behavior.
- Integrate an asset intelligence engine to provide context for detection results.
- Continuously refine detection algorithms based on real-world findings.
Foster Effective Collaboration for Clinical Engineers, IT Security, and HTM
Why it Matters
Medical environments require an always-on, consistent approach to cybersecurity and technology protection to ensure essential operations remain uninterrupted and functioning in the most efficient way possible. This requires involvement and collaboration from clinical engineers, IT security, and healthcare technology management (HTM) as well as clinicians, nurses and physicians. All stakeholders should be able to use a single platform to communicate, collaborate, and meaningfully address cyber risks.
Key Principles
- Unified Data: Centralize data from disparate tools to provide a single source of truth (CMDB, CMMS).
- Automated Workflows: Enable automated responses by integrating with orchestration platforms and allowing users to easily take action and assign tasks.
- Medical and Technology Information Access: Consolidate all information on medical devices, technology assets, and contextualized clinical risks as well as remediation guidance, recall information and tactical response in a single platform.
Strategic Steps
- Map existing tools and identify integration points.
- Deploy APIs and connectors to synchronize data across platforms.
- Automate workflows for incident detection, investigation, and remediation.
- Develop and review executive reports for risk reduction and cyber exposure management.
Boost Operational Efficiency and Enhance Patient Care Capacity
Why it Matters
From eliminating unnecessary device purchases, to minimizing maintenancewindow- related disruptions to patient care, device utilization analytics can be invaluable to clinical, cybersecurity, and IT teams. Many teams today do not have clear metrics regarding medical device utilization versus their patient care capacity potential.
Key Principles
- Real-Time Asset Visibility: Provide an accurate inventory and utilization catalog of all assets, including patient care delivery medical devices.
- Monitor and Manage Utilization: Identify devices operating outside of normal times, determine optimal usage and avoid disruptions to patient services.
- Reports and Capacity Planning: Medical device utilization reports can be used to support capacity planning, future funding, and purchase requests.
Strategic Steps
- Identify unauthorized device utilization to detect potential cyberattacks earlier, track and review alerts for unusual anomalies in device activity and utilization.
- Prioritize vulnerability remediation and strategically plan for updates around medical device usage and peak care hours.
- Plan for downtime, maintenance, and upgrades with proactive schedule optimization.
- Provide evidence of utilization for funding requests to justify capital expenditure based on usage capacity, wait times, and future demand projections.
Proactive Protection and Early Warning Alerts to Prevent Patient Disruption
Why it Matters
A proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber risk effectively and prevent massive disruptions and outages. By leveraging AI/ML-powered system insights into the vulnerabilities that threat actors are exploiting in the wild or are about to weaponize, organizations can understand their impact and take preemptive action.
Key Principles
- Early Warning Intelligence: Focus on timely, accurate, and evidence-based intelligence to focus efforts on vulnerabilities that are being exploited and prevent patient care disruption.
- Preempt Attacks: Provides time to secure your environment and mitigate risks before an attack is launched and prevent life-threatening risks to patients.
- Proactive Response: Leverage alerts to prioritize efforts based on clinical asset context, risk score, and early warning insights to shift cybersecurity from reactive to proactive.
Strategic Steps
- Deploy an Early Warning system that leverages AI/ML for threat detection and contextual analysis.
- Continuously update threat models with real-time data from your healthcare environment.
- Conduct regular threat-hunting exercises to validate and refine detection capabilities.
- Establish an incident response plan for threats identified by Early Warning systems.
Key Business Outcomes
Reduced Cyber Risk
By gaining complete visibility and prioritizing remediation efforts, healthcare organizations can significantly reduce their exposure to cyber threats and take action to mitigate emerging risks for ongoing protection.
Enhanced Operational Efficiency
Automation and integration streamline security operations, reducing the burden on IT and security teams. Medical utilization insights power effective patient flows and optimize resource allocation for greater ROI.
Effective Unified Collaboration
A single source of truth for all cybersecurity insights, breaking silos and facilitating collaboration across clinical engineers, IT security, and HTM, streamlining centralized cybersecurity ownership and incident response.
Improved Compliance
Meet regulatory requirements and demonstrate compliance with documentation and controls, manage medical device recalls and inform security-aware purchasing and device lifecycle management.
Stronger Cyber Resilience and Ransomware Protection
Proactive risk management ensures healthcare organizations are better prepared for and can recover from potential incidents.
Armis Patient-Centric
Healthcare Cybersecurity Checklist
| Category | Checklist Item | |
|---|---|---|
| Getting Started | 01. | Schedule a comprehensive assessment of your organization’s current exposure landscape. |
| 02. | Define an action plan based on assessment results and prioritize high-impact areas. | |
| 03. | Engage with trusted partners or vendors, like Armis, to implement and optimize your healthcare cybersecurity strategy. | |
| Patient-Centric Cyber Exposure Management Strategy |
01. | Conduct a baseline assessment to identify all assets, vulnerabilities, and existing security measures. |
| 02. | Align visibility of all enterprise assets – IoMT, IoT, OT (including Building Management Systems), cloud, remote, and virtual assets. | |
| 03. | Classify the clinical context of every asset by role, behaviors, risk, and patient proximity. | |
| Achieving Holistic Visibility | 01. | Implement dynamic security policies for cybersecurity posture management. |
| 02. | Ensure organizational alignment for security goals and personal accountability. | |
| 03. | Automate response capabilities for consistent protection. | |
| Risk Prioritization and Remediation |
01. | Use a risk-based framework to prioritize vulnerabilities and other findings based on exploitability and business impact. |
| 02. | Automate workflows for patching, configuration updates, and other remediation activities. | |
| 03. | Regularly update threat models and conduct penetration tests to validate security measures. | |
| Advanced Threat Detection | 01. | Deploy AI/ML-powered systems for anomaly detection and predictive threat analysis. |
| 02. | Integrate real-time threat intelligence to identify patterns indicative of potential attacks. | |
| 03. | Monitor for known and unknown threats including zero-day exploits and anomalous behaviors. | |
| 04. | Leverage artificial intelligence and proactive threat detection to pre-empt attacks. | |
| 05. | Establish and test incident response plans for rapid containment and recovery of threats. | |
| Manage Third Party Risks | 01. | Catalog all vendor-managed assets, assess vendor credentials, and remote access software. |
| 02. | Foster collaboration and accountability between teams and other organizations. | |
| 03. | Manage access to prevent unsanctioned or unsecured apps or unmanaged vendor servers. | |
| Preventive Cyber Care | 01. | Monitor security trends and leverage automation to proactively build up security posture. |
| 02. | Educate and empower teams to identify and mitigate threats. Enhance email security controls and MFA. | |
| 03. | Conduct dynamic and real-time risk assessments for continuous improvement. | |
| Continuous Improvement | 01. | Establish Key Performance Indicators (KPIs) to measure the effectiveness of the healthcare cybersecurity program. |
| 02. | Regularly review and refine strategies based on evolving threats and changes in the organization. | |
| 03. | Foster a culture of security awareness through training and ongoing communication. | |
| Benefits Realization | 01. | Confirm reduced cyber risk by measuring improvements in asset visibility and vulnerability/risk management. |
| 02. | Ensure operational efficiency gains through streamlined automation and integration efforts. | |
| 03. | Validate compliance with regulatory standards using updated documentation and controls. | |
| 04. | Assess organizational resilience through tabletop exercises and incident recovery simulations. | |