Peer-Reviewed Proof: Exposure Management Saves Lives
- Feb 06, 2026
- Lisa Xu
A ransomware attack hits a hospital. Systems go dark. Lab results can’t be processed. Pharmacy requests stall. CT scans become inaccessible.
And for some patients, the consequences are fatal.
That’s not speculation. It’s now peer-reviewed research from the American Economic Journal: Economic Policy, published in February 2026. The study by Hannah Neprash, Claire McGlave, and Sayeh Nikpay linked a database of hospital ransomware attacks to Medicare claims data and found something that should stop every healthcare CISO in their tracks: among patients already admitted when a ransomware attack begins, in-hospital mortality increases by 34–38 percent.[1]
Let that sink in. More than a third more patients die when hospitals get hit.
The research also quantified what healthcare IT teams experience firsthand: hospital volume drops 17–24 percent during the initial attack week, with recovery occurring within three weeks.[1] That’s three weeks of delayed care, diverted ambulances, and clinicians working blind.
We’ve seen this play out before. Remember when Hollywood Presbyterian Medical Center’s president declared an “internal emergency” during a ransomware attack? Departments paralyzed. FBI called in. Eventually, they paid approximately $17,000 in bitcoin—40 bitcoins at the time—just to restore access.[2]
But as this new research makes clear, the real cost isn’t measured in ransom payments. It’s measured in lives.
Here’s what makes healthcare uniquely vulnerable: modern hospitals aren’t just networks of computers. They’re sprawling ecosystems of IT, OT, and IoT devices—infusion pumps, patient monitors, imaging systems, HVAC controls, building management systems. According to the FBI, 53% of networked medical devices contain at least one known critical vulnerability.[3] A Palo Alto Networks study found 75% of infusion pumps have vulnerabilities, with over half still running operating systems with flaws discovered years ago.[4]
These aren’t theoretical risks. ECRI named cybersecurity attacks the top health technology hazard for 2022.[4] The FDA has issued safety communications. And still, the average hospital room contains as many as 20 connected devices vulnerable to attack.[5]
In the world of IT, OT, and IoT, people rarely connect vulnerabilities to survival. But they should. We save lives by fixing the right things first.
Here’s what frustrates security teams in healthcare: they know the threats are real. They’ve seen the scanner reports. They’ve logged the 200,000 “critical” vulnerabilities.
But where do you even start?
This is the reality we hear constantly from security leaders across industries. “The CVSS score is useless.” “I spend 80% of my time normalizing spreadsheet data.” “My board doesn’t care about the sheer volume of vulnerabilities.”
When you’re drowning in alerts and every vulnerability scanner screams that everything is critical, nothing is actually prioritized. And in healthcare, that gap between detection and remediation isn’t just an operational inefficiency. It’s a patient safety crisis.
The study’s findings reinforce something we’ve believed at NopSec for years: the goal isn’t to patch everything. It’s to reduce actual risk.
This is the core principle behind Continuous Threat Exposure Management (CTEM)—moving from reactive patching to proactive, risk-based remediation. Instead of treating every vulnerability as equally urgent, CTEM focuses security teams on the exposures that actually threaten critical systems.
Healthcare organizations face unique constraints. Limited security budgets. Human error in high-stress clinical environments. Legacy systems that can’t be taken offline. HIPAA compliance competing with security for attention and resources. Medical devices that remain functional for decades while their software reaches end-of-life.
The answer isn’t more scanning. It’s smarter prioritization.
When you can translate scanner data into real business (and patient) risk—when you can identify which vulnerabilities actually create exploitable paths to critical systems—you change the equation. Instead of chasing 200,000 alerts, you focus on the handful that could actually enable the next ransomware attack.
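To make the prioritization principle above concrete, here is an added example (not NopSec’s platform code and not the study’s method) that ranks scanner findings by whether they sit on an exploitable path from an internet-facing asset to a critical clinical system, and contrasts that with a plain CVSS ordering. The hospital inventory, network links and findings are all constructed; the rule that an intruder can only hop into a neighbour that has an open finding is a simplifying assumption.

```python
from collections import deque

# Constructed sample inventory (hypothetical hospital network, not real data).
# "links" lists the assets this one can reach on the network.
ASSETS = {
    "vpn-gw":   {"internet": True,  "critical": False, "links": ["ad-dc", "file-srv"]},
    "ad-dc":    {"internet": False, "critical": False, "links": ["pacs", "pharmacy", "hvac"]},
    "file-srv": {"internet": False, "critical": False, "links": ["hvac"]},
    "pacs":     {"internet": False, "critical": True,  "links": []},  # imaging archive
    "pharmacy": {"internet": False, "critical": True,  "links": []},
    "hvac":     {"internet": False, "critical": False, "links": []},
    "kiosk":    {"internet": False, "critical": False, "links": []},  # isolated
}
# Constructed scanner findings: (id, asset, CVSS base score, known exploited in the wild)
FINDINGS = [
    ("F1", "kiosk", 9.8, False), ("F2", "vpn-gw", 7.5, True),
    ("F3", "ad-dc", 8.8, True),  ("F4", "hvac", 9.1, False),
    ("F5", "pacs", 6.5, False),  ("F6", "file-srv", 9.0, False),
]

def reachable_from(starts, assets, vulnerable):
    """Assets an intruder could take over starting from `starts`, assuming a hop
    into a neighbour is only possible when that neighbour has an open finding."""
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in assets[queue.popleft()]["links"]:
            if nxt in vulnerable and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def prioritize(findings, assets):
    """Rank findings: on an exploitable path to a critical system first, then
    merely reachable from the internet, then known-exploited, then CVSS."""
    vuln = {asset for _, asset, _, _ in findings}
    entry = [a for a, d in assets.items() if d["internet"] and a in vuln]
    compromisable = reachable_from(entry, assets, vuln)
    def leads_to_critical(asset):
        return any(assets[a]["critical"] for a in reachable_from([asset], assets, vuln))
    def key(f):
        _, asset, cvss, kev = f
        on_path = asset in compromisable and leads_to_critical(asset)
        return (on_path, asset in compromisable, kev, cvss)
    return [f[0] for f in sorted(findings, key=key, reverse=True)]

def by_cvss(findings):
    """The ordering a raw scanner report gives you: severity score alone."""
    return [f[0] for f in sorted(findings, key=lambda f: f[2], reverse=True)]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(FINDINGS))
    print("Risk order:", prioritize(FINDINGS, ASSETS))
```

On this sample the three highest-CVSS findings (an isolated kiosk, an HVAC controller and a file server with no onward path) drop to the bottom, while the VPN gateway, domain controller and PACS findings that actually chain to a critical system come first.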
For years, we’ve talked about exposure management in terms of compliance, operational efficiency, and risk posture. This research gives us something starker: mortality data.
When hospitals get hacked, patients die at rates 34–38% higher than normal. That’s not a metric for a board presentation. That’s a wake-up call.
If your organization is still wrestling with spreadsheet-based vulnerability tracking, still arguing with IT over which tickets to prioritize, still watching “critical” alerts pile up faster than your team can triage them, this research should change the conversation.
Because managing cyber exposures isn’t just about protecting systems anymore. In healthcare, it’s about protecting lives.
Ready to stop chasing alerts and start reducing real risk? NopSec’s CTEM platform helps healthcare organizations cut through the noise, prioritize what actually matters, and close critical exposures faster. See how it works →
[1] Neprash, Hannah, Claire McGlave, and Sayeh Nikpay. “Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients.” American Economic Journal: Economic Policy 18, no. 1 (February 2026): 256–81. https://www.aeaweb.org/articles?id=10.1257/pol.20240594
[2] Healthcare IT News. “Hollywood Presbyterian gives in to hackers, pays $17,000 ransom to regain control over systems.” February 18, 2016. https://www.healthcareitnews.com/news/hollywood-presbyterian-gives-hackers-pays-17000-ransom-regain-control-over-systems
[3] Federal Bureau of Investigation. “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities.” Private Industry Notification 20220912-001. September 12, 2022. https://www.ic3.gov/CSA/2022/220912.pdf
[4] Schlanger, Steven. “The Ironic State of Cybersecurity in Medical Devices.” Biomedical Instrumentation & Technology 56, no. 3 (2022): 98–101. https://pmc.ncbi.nlm.nih.gov/articles/PMC10508857/
[5] InformationWeek. “The Unique Cyber Vulnerabilities of Medical Devices.” November 14, 2023. https://www.informationweek.com/cyber-resilience/the-unique-cyber-vulnerabilities-of-medical-devices