The Devices in Your Practice Nobody Is Patching

The Devices in Your Practice Nobody Is Patching

The laptop at the front desk gets updates. The billing workstation gets updates. The server in the closet gets updated, more or less on schedule. But the ultrasound unit, the digital X-ray system, the infusion pump, the connected vitals monitor, the lab analyzer feeding results into the EHR? Those were installed years ago, but no one has touched their software since the day the vendor set them up.

Connected medical equipment has quietly become one of the largest security exposures in any practice that uses it, and most owners have no idea how many of these devices are on their network or what they're running.

How Bad the Exposure Actually Is

An FBI advisory reported that 53% of connected medical devices and other hospital IoT devices had known critical vulnerabilities, and that more than 40% were at end-of-life with little or no patch support from the manufacturer. Claroty's 2025 State of CPS Security report found known exploited vulnerabilities present in 99% of healthcare organizations it studied, and flagged that 8% of imaging systems carried vulnerabilities tied to active ransomware campaigns. Industry analysis pegs the average connected medical device at over six known vulnerabilities apiece.

These devices stay exposed because of how they're built and regulated. A digital imaging system might run an embedded version of Windows that Microsoft stopped supporting years ago. The practice can't simply update it, because the device manufacturer validated the machine on that specific software version, and changing it can void the warranty or the device's FDA clearance. So the equipment keeps running on an operating system that hasn't received a security patch in years, connected to the same network as everything else in the office.

Why a Vulnerable Device Is a Whole-Practice Problem

It's tempting to assume a compromised X-ray unit is a contained issue. It isn't. On the flat networks most small practices run, every device shares the same space, so an attacker who gains a foothold on an unpatched imaging system can move from there toward the EHR, the billing system, and the file server where protected health information lives.

That turns a device problem into a HIPAA problem. The HIPAA Security Rule requires covered entities to assess and address risks to electronic protected health information, and a known-vulnerable device with access to patient data is precisely the kind of risk an investigator asks about after a breach. When the Office for Civil Rights examines a breach, the question is whether the practice identified the risk and took reasonable steps to manage it. "We didn't realize the ultrasound machine was a security risk" is not an answer that holds up.

IBM's 2025 Cost of a Data Breach Report put the average healthcare breach at $7.42 million, the highest of any industry for the fourteenth year running, with healthcare incidents taking an average of 279 days to identify and contain. For a small practice, a breach that traces back to an unmonitored device is the kind of event that threatens the survival of the business.

What Actually Protects These Devices

The instinct to "just patch everything" isn’t without it’s obstacles. Many of these devices can't be patched without the manufacturer's involvement, and some can't be patched at all. Protecting them takes a different approach built around containment rather than updates.

To start, a practice needs a complete inventory of every connected device, what software it runs, and what it communicates with. Plenty of offices discover devices during this step that no one remembered were networked.

From there, the next and most important step is network segmentation. Medical devices get placed on a separate, isolated network segment, walled off from the office computers, the EHR, and the internet at large. If a vulnerable imaging system is compromised, segmentation keeps the damage from spreading to the systems holding patient records. The device can keep doing its job on outdated software because it can no longer serve as a doorway into everything else. Alongside segmentation, the device network gets monitored for unusual traffic, and remote access for vendor maintenance gets locked down and logged rather than left open.

Where a Managed IT Partner Helps

This is specialized territory that general office IT support and the device vendors themselves rarely cover. The imaging vendor services the imaging machine. Nobody in that arrangement is responsible for how the machine connects to the network or what it can reach.

A managed IT provider can take ownership of that space. The provider can build and maintain the device inventory, design the network segmentation that isolates vulnerable equipment, monitor the device network for signs of trouble, and document all of it in the form a HIPAA risk assessment requires. When a device reaches end-of-life, the provider can flag it and help plan a replacement before it becomes the weak point an attacker uses. For a practice owner whose attention belongs on patient care, this turns an invisible and growing risk into something actively managed by people who understand both the technology and the regulatory obligation attached to it.

If you don't have a current inventory of the connected devices on your practice's network, or you're not sure whether a compromised piece of equipment could reach your patient records, a Network Discovery might be in order. We'll map every connected device, show you how they're isolated, and identify the exposure before it becomes a breach.


Ready to take the next step? Contact the Connecting Point team today to discuss your organization's needs.

Fill out our Network Discovery Form to get started!

970.356.7224 | www.CPcolorado.com | sales@CPcolorado.com

Connecting Point is a trusted IT solutions provider based in Greeley, Colorado, helping businesses across Northern Colorado and beyond navigate technology decisions with confidence.