Few industries face a digital environment as complex and high-stakes as healthcare, where a single breach can endanger both patients and providers. While HIPAA compliance and patient privacy dominate most cybersecurity discussions, many other critical threats remain overlooked—hidden in workflows, medical devices and third-party partnerships. These gaps can be exploited quietly, sometimes for months, before they’re detected.
Below, members of Forbes Technology Council reveal the most underreported cybersecurity challenges in healthcare. They explain why addressing these risks is essential to safeguarding patient care, maintaining compliance and preserving trust in the healthcare system.
1. Aging, Interconnected Devices And Software
The biggest weakness is the interoperability between vastly disparate medical devices and software and the stacks and ages between them. The industry relies on connected tech ranging from cutting edge to 20 years old. This forces advanced systems to communicate with less secure ones, inevitably negotiating security down to the lowest common denominator and leaving the ecosystem vulnerable at its weakest link. – Gunter Ollmann, Cobalt
2. Vendors’ Email Systems
We invest heavily in internal security, but the real risk often sits in a vendor’s inbox. Email is still the top attack vector, and third-party partners with weak defenses put us all at risk. It’s time we hold our ecosystem to higher standards—asking tough questions about authentication, phishing readiness and account takeover protection. – Eyal Benishti, IRONSCALES
3. Third-Party Software And Devices
Many hospitals and health systems rely on dozens (sometimes hundreds) of third-party tools: electronic health record plug-ins, diagnostic systems, billing platforms and Internet-of-Things-connected medical devices. These vendors often require access to sensitive patient data or internal networks; however, they may not be held to the same security and compliance standards as the healthcare organization itself. – Jonathan Stewart, ZenSource
4. Phishing Attacks
One overlooked challenge is the sheer volume of phishing attacks targeting healthcare organizations. Hackers target valuable patient data and exploit outdated systems, vast supply chains and limited security training to dupe employees into clicking links or interacting with business email compromise attacks. This can lead to ransomware, and healthcare firms are more likely to pay to keep critical services running. – Mike Britton, Abnormal AI
5. Outdated Legacy Systems
Outdated legacy systems are a major overlooked weakness. Long depreciation cycles mean critical connected medical devices and software often can’t be updated, forcing reliance on vulnerable old policies. This widespread issue creates significant network attack surfaces. Better control, visibility and microsegmentation are vital to restrict access and mitigate damage until patching is possible. – Erez Tadmor, Tufin
6. Lack Of Frontline Cybersecurity Training
Frontline staff often lack adequate cybersecurity training, making them susceptible to social engineering attacks. For instance, a smooth-talking patient might distract a clinician, who then forgets to lock their workstation before leaving the room. This could expose sensitive data, including personally identifiable information and other patients’ health records, which poses serious risks to privacy and healthcare system security. – Sunny Banerjee, First Citizens Bank
7. Missing Data Lineage In AI-Driven Systems
In today’s AI-driven healthcare offerings, one big gap no one talks about is data lineage. We obsess over encryption and access controls but rarely ask, “Where did the data come from, how was it changed, and who touched it?” Without clear tracking, silent corruption and model poisoning slip through, quietly eroding diagnostic accuracy, AI performance and patient trust over time. – Kiran Elengickal, Siemba
8. On-Premises Servers
One overlooked cybersecurity risk in healthcare is the reliance on on-premises servers. Many practices still store sensitive patient data locally, without regular updates, backups or monitoring. This creates serious vulnerabilities. Cloud-based platforms with well-managed open APIs provide centralized security and safer, scalable integrations. – Eric Giesecke, Planet DDS
9. Manual Certificate Management
One overlooked challenge in healthcare cybersecurity is manual certificate management. Expired or misconfigured digital certificates can take down EHR systems, delay care and put patient safety at risk. Automated certificate lifecycle management is critical to maintaining secure, uninterrupted operations. – Jason Sabin, DigiCert Inc.
10. Data Silos And BMAs
One overlooked weakness or challenge is data silos and business-managed applications. BMAs fly under the radar when it comes to security guidelines and are always at risk of exposure. BMAs also tend to be at risk of compliance failures at various levels. The risk is higher with financial analytics or operational analytics, which involve highly sensitive and critical data. – Sanath Chilakala, NTT Data
11. Outdated Medical Devices
One significant cybersecurity risk in healthcare is outdated medical devices. Many work with expensive legacy software and struggle each cycle to patch it, making them easy pickings for internet bad actors. With limited encryption and little chance of being swapped out, they continue to be plugged into sensitive networks, endangering patients and the integrity of client records. – Sreekanth Narayan, LTIMindtree
12. Shadow IT And BYOD Practices
Shadow IT and bring-your-own-device practices in healthcare, such as staff using personal devices or apps for convenience, expand the attack surface beyond what most systems monitor. These informal workflows bypass standard protections, leaving patient data and core systems exposed without anyone noticing. – Mark Mahle, NetActuate, Inc.
13. Insecure Data Sharing During Clinical Trials
An overlooked cybersecurity risk in healthcare is insecure data sharing during clinical trials. With multiple stakeholders and fragmented oversight, sensitive patient data often flows across systems without unified governance. The sector must adopt secure-by-design interoperability frameworks that protect trust as much as innovation. – Rishi Kumar, MatchingFit
14. Unsecured Data Exhaust From Medical IoT Devices
A critical but under-discussed vulnerability in healthcare is the data exhaust from medical IoT devices like infusion pumps and smart monitors. These devices stream telemetry constantly, often unsecured, creating a quiet but massive attack surface. Deploying edge-based zero-trust agents directly on these devices could validate every outbound data packet in real time. – Nicola Sfondrini, PWC
15. Legacy Devices With Hardcoded Credentials
Legacy medical devices with hardcoded credentials or outdated firmware are a massive blind spot. They often sit on flat networks and are invisible to IT teams. During EHR breaches, a compromised infusion pump or MRI interface could quietly offer persistent access, turning patient care tools into attack surfaces. Cybersecurity must evolve to treat these devices like endpoints, not exceptions. – Raghu Para, Ford Motor Company
16. Continued Use Of Fax Machines
The real threat in healthcare cybersecurity? Fax machines. Hospitals still send patient data through outdated, insecure systems because “that’s how it’s done.” It’s not hackers we should fear most; it’s complacency. Security won’t come from patching the past. It’ll come from rethinking it entirely. – Oleg Sadikov, DeviQA
17. Lack Of Standardized Secure Communication Protocols
Shared secure communication between different companies is a risk. While the healthcare industry has a standard for HIPAA compliance, there is no standard for communication. Some data is still exchanged in physical form. The weakness occurs when data moves from one system to another and is left unencrypted. The best solution is to establish a communication standard that uses changing keys and algorithms. – WaiJe Coler, InfoTracer
18. Weak Endpoint Security For Mobile Devices
One significant but frequently overlooked challenge in healthcare cybersecurity is the lack of robust endpoint security for mobile devices used by healthcare professionals. These devices often access sensitive patient data remotely, yet many organizations fail to implement adequate security measures such as encryption and remote wipe capabilities. This increases exposure to data breaches. – Roman Vinogradov, Improvado
19. Unsecured DevOps Pipelines
One risk that’s often ignored is unsecured DevOps pipelines in healthcare tech stacks. Rapid CI/CD deployment cycles (without quality control and cyber reviews) can bypass critical security gates, introducing unvetted code into patient data environments. Secure DevSecOps integration shouldn’t be optional; it’s a vital aspect of developing secure code and essential to protecting data integrity and maintaining clinical trust. – Dan Sorensen
20. Lack Of Comprehensive DSPM Practices
When you combine the healthcare industry’s irregular cloud adoption tendencies, disparate network of legacy devices and lack of consistent cybersecurity training, you create the perfect opportunity for malware and ransomware attacks. By integrating comprehensive data security posture management, teams can continue to grow their digital capabilities without sacrificing patient privacy. – Thyaga Vasudevan, Skyhigh Security


