Patching Medical Devices Is Not Your Father’s IT Problem

Everyone working in cybersecurity knows the drill: the Cybersecurity and Infrastructure Security Agency (CISA) releases an urgent advisory, an Information Sharing and Analysis Center (ISAC) issues a bulletin to its membership, or the routine Microsoft Patch Tuesday arrives.
Yet for many vulnerabilities, especially complex ones like Urgent/11 or SweynTooth, the advisory does not tell you enough about the actual risk, which devices are affected, or how to fix them. Both of those examples are flaws in third-party embedded components (the IPnet TCP/IP stack used in VxWorks and several Bluetooth Low Energy chipset stacks, respectively), so the advisory names a component, not the finished devices that contain it. The result is that your staff is sent on yet another wild goose chase to patch medical devices.
In most high-performing health organizations, these alerts trigger change management processes and organization-wide actions to identify and patch vulnerable Internet of Things (IoT) devices, networked endpoints, and servers. The goal is to reduce network exposure and data risks from the latest vulnerability while maintaining safe, continuous patient care.
As vulnerabilities and threats accelerate, so does organizational exposure. The challenge for healthcare providers is ensuring the right tools and processes are in place to identify and prioritize where to focus limited resources—mitigating vulnerabilities through patch management when possible or by applying other compensating controls.
The Complexities of Patching Medical Devices
For those who work in Health Technology Management (HTM), Clinical Engineering (CE), or healthcare information technology, responding to newly discovered vulnerabilities in IoT and Internet of Medical Things (IoMT) devices and deploying patch strategies is markedly different from handling traditional IT assets. These devices often require a completely different timeline for updates.
Not to mention that equipment downtime adds risk to patient safety and clinical operations if care cannot be delivered while a device is out of service.
There are numerous complexities to managing IoMT device security. HTM teams must balance regulatory constraints and clinical priorities with the need to patch vulnerable devices. As a result, some devices inevitably slip through the cracks, leaving unaddressed vulnerabilities that can be exploited. ECRI's 2025 Top 10 Health Technology Hazards report ranks vulnerable technology vendors and cybersecurity threats third among healthcare's top technology risks, emphasizing the urgency of addressing device security.
While the Food and Drug Administration (FDA)'s postmarket guidance gives manufacturers flexibility in deploying cybersecurity patches, it clearly underscores that manufacturers remain fully responsible for the cybersecurity posture of their devices. Under the guidance updated in June 2025, manufacturers must ensure that software changes, especially those made for cybersecurity, are supported by rigorous risk assessments, must verify that the device's intended use and functionality remain unchanged, and must formally document the changes in their Quality System.
In reality, HTM and CE teams are caught in a constant push-and-pull between meeting IoMT cybersecurity requirements and navigating operational constraints such as scheduling downtime, sterilization procedures, or vendor-controlled update cycles. Even when patch windows are arranged, security teams must weigh the risk that a patch could render the device non-operational, despite FDA guidance to manufacturers on maintaining safe and functional performance after updates.
Balancing the Tradeoffs Between Patches and Medical Device Risk
For many healthcare organizations, the decision comes down to a risk tradeoff, which the FDA recognizes. In some cases, the risk of not patching outweighs the potential operational risk of applying a patch. However, this is not a decision most healthcare providers are comfortable making unless their security program has reached a certain level of maturity. Beyond the device as an endpoint, the FDA postmarket guidance makes it clear that healthcare organizations "should evaluate their network security and protect their hospital systems." In other words, the individual organization or clinic has a clear responsibility to maintain the secure baseline of the connected medical devices they purchase and put on their network.
This is the reality, and it is an area where emerging technology, such as security and lifecycle management platforms, can provide the greatest opportunity and support for an organization's risk management and information technology programs.
Together, the healthcare organization and the medical device manufacturer (MDM) are "responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance".
It takes a partnership…
Clearly, it takes collaboration, given the number of devices and the number of MDMs that may be represented in a single healthcare organization. This partnership must span many stakeholders and often many organizations. A recent study of IoMT security found that a typical U.S. hospital now deploys over 3,850 connected medical devices, from bedside monitors to networked imaging systems. As hospitals expand the number of beds they can serve, this attack surface will only grow.
The ideal partnership should include a vendor-partner that provides an agentless, deep-packet-inspection platform able to identify medical device endpoints and their associated risks, so the organization can run an effective, robust, risk-based connected medical device risk management program.
Understanding the Differentiation of Risks
Not all risks are created equal. Frameworks such as ANSI/AAMI/IEC 80001 help healthcare organizations differentiate medical device risk across patient safety, clinical effectiveness, and data/network security. With this level of insight, security teams can focus on the most urgent threats to patient care and reduce exposure across the environment.
In summary, for healthcare organizations to manage the complexities of connected devices, a risk management program requires prioritization and mitigation options specific to medical and connected devices, as well as collaboration and partnership.
The Asimily platform provides both
Utilizing risk methodologies developed specifically for medical and connected devices, Asimily research and machine learning algorithms combined with deep-packet inspection enable the Asimily platform to differentiate risk across the ANSI/AAMI/IEC 80001 risk management framework:
- Patient Safety
- Clinical Effectiveness
- Data/Network Security
Often, an identified vulnerability comes with a mitigation recommendation, so the risk can be addressed with other technical or administrative controls (for example network segmentation, access control lists, or a change to clinical workflow) when patching is not possible. This permits a tactical approach to the organization's connected medical device risk management program. With this capability and approach, the organization can focus its limited resources (time, money, people) on the risks with a direct impact on patient safety.
Not all vulnerabilities are equal…focus on serious risks first.
In a threat landscape that is escalating rapidly, an organization must determine which risks are real enough to deserve its resources and effort. It must also understand how to mitigate a risk when no manufacturer-certified patch exists, or when network segmentation and device quarantine techniques are not easily applied.
These capabilities are essential for the healthcare system to reduce risk, prioritize resources, and ensure patient safety and quality patient care.
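To make the prioritization described above concrete, here is an added worked example of risk-based triage across the three IEC 80001 key properties (safety, effectiveness, data/system security). It is illustrative code written for this page, not Asimily's scoring algorithm or any standard's formula: the weights, the exposure multipliers, the 7.0 quarantine threshold, the field names and the sample findings are all assumptions. It scores each finding by how reachable the device actually is on the network times its weighted clinical and data impact, then picks a mitigation path depending on whether a vendor-validated patch exists and whether the device can be isolated.

```python
"""Risk-based triage of connected medical device findings (illustrative).

Not Asimily's algorithm. Weights, multipliers, threshold and sample data are
assumptions chosen to show the approach, not values from any standard.
"""
from dataclasses import dataclass

# Assumed weights over the three IEC 80001 key properties; safety dominates.
IMPACT_WEIGHTS = {"safety": 0.5, "effectiveness": 0.25, "data": 0.25}
QUARANTINE_THRESHOLD = 7.0  # assumed policy threshold on the 0..10 risk score


@dataclass(frozen=True)
class Finding:
    device: str
    finding_id: str               # constructed placeholder, not a real CVE
    cvss: float                   # CVSS base score, 0..10
    network_exploitable: bool     # attack vector is network (vs. local/physical)
    exposed: bool                 # reachable from user, guest or internet-facing segments
    vendor_validated_patch: bool  # manufacturer has released and validated a fix
    can_segment: bool             # device tolerates an isolated VLAN / allow-list ACL
    safety: int                   # 0 none .. 3 direct patient harm
    effectiveness: int            # 0 none .. 3 device cannot deliver therapy/diagnosis
    data: int                     # 0 none .. 3 PHI disclosure or integrity loss


def likelihood(f: Finding) -> float:
    """CVSS scaled by how reachable the device really is on this network."""
    base = f.cvss / 10.0
    if not f.network_exploitable:
        return base * 0.3  # attacker needs local or physical access
    if not f.exposed:
        return base * 0.6  # network-exploitable, but only from clinical segments
    return base


def impact(f: Finding) -> float:
    """Weighted impact across the three key properties, normalised to 0..1."""
    weighted = (IMPACT_WEIGHTS["safety"] * f.safety
                + IMPACT_WEIGHTS["effectiveness"] * f.effectiveness
                + IMPACT_WEIGHTS["data"] * f.data)
    return weighted / 3.0  # each property is rated 0..3


def risk_score(f: Finding) -> float:
    return round(10.0 * likelihood(f) * impact(f), 1)


def action(f: Finding, risk: float) -> str:
    """Mitigation path: patch if validated, else isolate, else quarantine or watch."""
    if f.vendor_validated_patch:
        return "patch"       # schedule in a clinical downtime window
    if f.can_segment:
        return "segment"     # isolated VLAN plus allow-list of required flows
    if risk >= QUARANTINE_THRESHOLD:
        return "quarantine"  # block at switch/NAC until a fix or workaround exists
    return "monitor"         # accept for now; watch for anomalous behaviour


def triage(findings):
    """Return findings ranked by risk, each with its recommended action."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [{"device": f.device, "id": f.finding_id,
             "risk": risk_score(f), "action": action(f, risk_score(f))}
            for f in ranked]


# Constructed sample inventory; none of these are real devices or advisories.
SAMPLE_FINDINGS = [
    Finding("infusion-pump-07", "F-1", 9.8, True, True, False, False, 3, 3, 1),
    Finding("patient-monitor-12", "F-2", 7.5, True, False, True, True, 2, 2, 2),
    Finding("imaging-workstation-3", "F-3", 8.8, True, True, True, True, 1, 2, 3),
    Finding("lab-analyzer-2", "F-4", 6.5, False, False, False, False, 1, 1, 2),
    Finding("telemetry-gateway-1", "F-5", 7.2, True, True, False, True, 2, 1, 2),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"{row['risk']:>4}  {row['action']:<10} {row['device']} ({row['id']})")
```

The ordering is the point: the pump with no patch and no segmentation option sorts to the top and is quarantined, the exposed workstation with a validated patch is simply patched, and the lab analyzer whose flaw needs physical access drops to "monitor" even though its CVSS is not trivial. Swapping in your own weights and exposure data from a network inventory changes the numbers, not the structure of the decision.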
Asimily provides its clients with exploit vector analysis combined with a comprehensive risk scoring mechanism that factors in the critical measures of risk and produces a prioritized view. Asimily builds and maintains a detailed inventory of devices, monitors device behavior for anomalies, and simplifies the process of applying patches and updates, all within one unified platform. And now, Asimily allows organizations to scale their risk mitigation with IoMT patching in just a few clicks.
Asimily's IoT Patching solution helps organizations automate the patching and update process, reducing the risk of IoT-related security incidents and maintaining the integrity of their IoT ecosystem. In addition to automated patching, teams can use scheduled and bulk patching to streamline risk reduction across their entire attack surface. Updates are tested on devices in Asimily Labs, following the manufacturer's recommendations but at scale, with flexibility, and in a single place, to simplify our customers' patching programs.
To learn more about Asimily and the IoT patch management functionality, reach out now to book a demo.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.