The following is a guest article by Hüseyin Can Yüceel, Security Research Lead at Picus Security
Hospitals across the U.S. are under relentless pressure to expand digital care while navigating funding cuts, workforce shortages, and a surge in cyberattacks. That pressure is amplified by the rise in breaches of protected health information (PHI), which exposed nearly 30 times more patient records in 2024 than in 2010.
That pressure has intensified following the recent passage of a federal bill that includes nearly $1 trillion in Medicaid cuts. The legislation significantly restricts provider taxes — a mechanism states have used for decades to draw additional federal Medicaid funds. These funds have been especially critical for rural hospitals, which rely on them to maintain essential services, recruit staff, and keep facilities open. For cybersecurity teams, this means defending more digital assets with fewer people and dollars.
To reduce risk without burning out resources, teams need a smarter way to focus their efforts. That’s where exposure validation (EV) comes in. By safely simulating real-world cyberattacks and measuring how existing defenses respond, EV identifies which vulnerabilities are actually exploitable and which are already blocked. This allows hospital security teams to cut through the noise, shrink patch queues, and protect critical systems more efficiently.
Rethinking Risk
Hospital cybersecurity teams, particularly in rural or underfunded areas, are being forced into difficult trade-offs. To stay within budget, they must cut staff, delay upgrades, or sunset tools — often without clear evidence of which capabilities keep attackers at bay and which don’t deliver value.
Traditional vulnerability management compounds the problem. It leans heavily on outside-in signals: a CVSS severity score, an EPSS exploitation probability, or a listing in CISA's Known Exploited Vulnerabilities (KEV) catalog. None of these can say whether a vulnerability is reachable in a particular hospital's environment or already blocked by a control that is in place. As a result, security teams drown in lists of "critical" vulnerabilities, many of which are already mitigated by existing controls or never posed a threat to that hospital in the first place.
In healthcare, the consequences of overprioritizing vulnerabilities are especially serious. A “critical” flaw in a nonessential system may pose little real risk but can still divert attention from a “medium”-severity issue, such as in a device regulating insulin or managing the electrical infrastructure needed to keep ventilators running. Exposure validation helps hospitals distinguish between critical and noncritical vulnerabilities with confidence. Rather than applying patches indiscriminately based on generic CVSS scores, hospitals can use EV to determine which vulnerabilities are already mitigated by existing controls. This reduces unnecessary disruption to clinical workflows, especially during peak care hours, and ensures that remediation efforts align with patient safety and operational continuity.
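The re-prioritization described above, as an added example that is not Picus Security's code or a description of its product: the script takes a list of findings with their static scores and a validation outcome, and shows how the patch queue changes once "already blocked" is a first-class input. The Finding fields, the outcome labels ("blocked", "exploitable", "untested"), the patient-safety tag, and the sample findings F1 to F4 are all constructed for illustration; real CVE identifiers and scores would be substituted from a scanner and an EV run.

```python
"""Re-rank vulnerability findings using exposure-validation evidence.

Added example, not Picus Security's code. The data model (Finding fields,
validation labels, the patient_safety tag) is an assumption for
illustration; the scores below are constructed, not real CVE data.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str             # placeholder ID; a real CVE identifier would go here
    asset: str
    cvss: float          # 0-10 static severity
    epss: float          # 0-1 predicted probability of exploitation
    in_kev: bool         # listed in CISA's KEV catalog
    patient_safety: bool  # assumption: tag from the asset inventory for clinical/life-safety systems
    validation: str      # assumption: EV outcome, one of "blocked", "exploitable", "untested"


# Constructed sample findings, not real data.
SAMPLE_FINDINGS = [
    Finding("F1", "admin-workstation", 9.8, 0.90, True, False, "blocked"),
    Finding("F2", "infusion-pump-gateway", 6.5, 0.30, False, True, "exploitable"),
    Finding("F3", "hr-portal", 9.1, 0.02, False, False, "untested"),
    Finding("F4", "pacs-server", 7.5, 0.60, True, False, "exploitable"),
]


def static_rank(findings):
    """Traditional ordering: CVSS first, then EPSS, then KEV membership."""
    return sorted(findings, key=lambda f: (f.cvss, f.epss, f.in_kev), reverse=True)


def validated_rank(findings):
    """Ordering that puts validation evidence ahead of static severity.

    1. Outcome tier: exploitable first, untested next, blocked last.
    2. Within a tier, patient-safety assets outrank everything else.
    3. Only then do CVSS, EPSS and KEV break ties.
    """
    tier = {"exploitable": 0, "untested": 1, "blocked": 2}
    return sorted(
        findings,
        key=lambda f: (tier[f.validation], not f.patient_safety, -f.cvss, -f.epss, not f.in_kev),
    )


def patch_queue(findings):
    """Split the ranked list into what to patch now, what still needs an EV run,
    and what can be deferred because a control already blocks it."""
    ranked = validated_rank(findings)
    return {
        "patch_now": [f.cve for f in ranked if f.validation == "exploitable"],
        "needs_validation": [f.cve for f in ranked if f.validation == "untested"],
        "deferrable": [f.cve for f in ranked if f.validation == "blocked"],
    }


if __name__ == "__main__":
    print("static order:   ", [f.cve for f in static_rank(SAMPLE_FINDINGS)])
    print("validated order:", [f.cve for f in validated_rank(SAMPLE_FINDINGS)])
    print("queue:", patch_queue(SAMPLE_FINDINGS))
```

Run stand-alone, the static ordering puts the CVSS 9.8 finding on an administrative workstation first, even though the EV run shows it is already blocked; the validated ordering moves the medium-severity but exploitable finding on the clinical gateway to the top and defers the blocked one.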
Protecting Patients Amidst Volatile Vulnerabilities
The threat landscape isn't slowing down. So far in 2025, nearly 26,000 new Common Vulnerabilities and Exposures (CVEs) have been published, many labeled high or critical, even though fewer than 5% are typically exploited in the wild. That means thousands of vulnerabilities are creating noise, consuming resources, and exhausting teams.
For hospitals already stretched thin, this is unacceptable. Exposure validation flips the script and allows hospital IT and security teams to take a strategic approach to protecting infrastructure, data, and, most importantly, patients.
EV can simulate ransomware behavior, such as shadow copy deletion and privilege escalation, to show how far an attack chain progresses before a control stops it, and what happens if no control does. This lets hospitals safely validate their ability to stop ransomware, insider threats, and advanced persistent threats without jeopardizing production systems.
Even when patching isn't immediately feasible because of uptime requirements or vendor limitations, EV points to compensating controls, such as endpoint detection and response (EDR) policies or firewall and IPS signatures, that reduce risk right away. Hospitals can apply these alternatives to maintain protection until patches can be safely deployed.
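To make the "simulate, then observe how controls respond" step concrete, here is an added example, not Picus Security's code: a handful of simplified detection rules for ransomware pre-encryption behavior (the inhibit-recovery commands catalogued under ATT&CK T1490), run over constructed process-creation events that stand in for what a simulation would leave in endpoint telemetry. The report separates techniques the rules caught from those that slipped through, and checks that benign administrative activity did not trip a rule. The command-line patterns, host names and event format are assumptions for illustration; a real EDR would use richer telemetry than a command-line regex.

```python
"""Score an exposure-validation run against simple detection rules.

Added example, not Picus Security's code. Rules are simplified command-line
patterns (assumption: a real EDR/SIEM uses richer telemetry); the events are
constructed for illustration, not real hospital logs.
"""
import re

# Simplified detection rules: (name, command-line pattern).
# All four cover well-known inhibit-recovery commands (ATT&CK T1490).
RULES = [
    ("vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("backup catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Constructed events, not real telemetry. "technique" is the ATT&CK ID the
# simulation intended to exercise; None marks benign activity included to
# check for false positives.
SAMPLE_EVENTS = [
    {"host": "ws-nursing-12", "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "technique": "T1490"},
    {"host": "ws-nursing-12", "cmdline": "wmic.exe shadowcopy delete",
     "technique": "T1490"},
    {"host": "srv-pacs-01", "cmdline": "bcdedit.exe /set {default} recoveryenabled no",
     "technique": "T1490"},
    {"host": "srv-pacs-01", "cmdline": "cmd.exe /c whoami /priv",
     "technique": "T1033"},   # user/privilege discovery; no rule above covers it
    {"host": "srv-pacs-01", "cmdline": "vssadmin.exe list shadows",
     "technique": None},      # routine admin check, should not alert
]


def match_rules(event):
    """Return the names of every rule that fires on one event."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def validate_coverage(events):
    """Score a simulation: which intended techniques were detected, which were
    missed, and whether benign activity tripped a rule."""
    report = {"detected": [], "missed": [], "false_positives": []}
    for event in events:
        hits = match_rules(event)
        if event["technique"] is None:
            if hits:
                report["false_positives"].append(event["cmdline"])
        elif hits:
            report["detected"].append((event["technique"], event["cmdline"], hits))
        else:
            report["missed"].append((event["technique"], event["cmdline"]))
    return report


def coverage_by_technique(report):
    """Per-technique detection ratio, the figure a team would track run over run."""
    totals = {}
    for technique, _, _ in report["detected"]:
        counts = totals.setdefault(technique, [0, 0])
        counts[0] += 1
        counts[1] += 1
    for technique, _ in report["missed"]:
        totals.setdefault(technique, [0, 0])[1] += 1
    return {t: detected / total for t, (detected, total) in totals.items()}


if __name__ == "__main__":
    result = validate_coverage(SAMPLE_EVENTS)
    for technique, cmd, hits in result["detected"]:
        print(f"DETECTED {technique}: {cmd}  <- {hits}")
    for technique, cmd in result["missed"]:
        print(f"MISSED   {technique}: {cmd}")
    print("coverage:", coverage_by_technique(result))
```

The missed T1033 event is the useful output here: the shadow-copy rules look healthy, but the discovery step that precedes privilege escalation has no coverage, which is exactly the kind of gap a hospital would want to close with an EDR policy before a patch window opens.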
Benefits of Exposure Validation in a Hospital Setting
Rather than assuming which vulnerabilities are dangerous based on outside-in metrics, EV tests them directly in an environment. It safely simulates real-world attacks across email, endpoints, network, and cloud defenses and observes how controls respond. The result is clear, empirical evidence of what an attacker could exploit inside a unique setup, and what’s already blocked by security defenses. For hospitals under financial and operational strain, this shift from assumption to evidence is critical. Here’s how it works:
- EV helps security teams distinguish real threats from theoretical vulnerabilities already blocked by security controls
- With empirical evidence of present and exploitable threats, teams can allocate their resources where they're needed most
- This allows teams to avoid unnecessary patching and disruption by verifying that existing controls (like next-gen firewalls or EDR systems) are already mitigating certain threats
- Security leaders can clearly communicate risk to stakeholders, the board, and the public by showing real test outcomes; because this is in the context of their hospital system, it instills confidence in all concerned parties
Unlike annual penetration tests or periodic vulnerability scans, EV can be run continuously and automatically. Each new CVE, configuration change, or policy update can trigger another simulation. This allows teams to spot control regressions quickly, validate fixes, and continuously monitor high-value assets.
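The regression check described above, as an added example that is not Picus Security's code: two validation runs are compared, one taken before an endpoint policy change and one after, and every simulation is classified as a regression (blocked before, not blocked now), a fix, a newly tested gap, or not re-run. A small gate function turns the diff into a go/no-go decision for the change. The outcome labels ("blocked" / "not_blocked"), the simulation names and both result sets are constructed for illustration.

```python
"""Compare two exposure-validation runs and flag control regressions.

Added example, not Picus Security's code. Outcomes are simplified to
"blocked" / "not_blocked" per simulated action (assumption); the run results
below are constructed for illustration.
"""

# Constructed results: simulation name -> outcome from the control stack.
BASELINE_RUN = {
    "shadow-copy-deletion": "blocked",
    "lsass-memory-dump": "blocked",
    "smb-lateral-movement": "not_blocked",
    "macro-dropper-email": "blocked",
}

# Re-run after an endpoint policy change; one simulation was added to the
# catalog and one was not re-run.
CURRENT_RUN = {
    "shadow-copy-deletion": "not_blocked",
    "lsass-memory-dump": "blocked",
    "smb-lateral-movement": "blocked",
    "rdp-password-spray": "not_blocked",
}


def diff_runs(baseline, current):
    """Classify every simulation by how its outcome changed between two runs."""
    return {
        # A control that used to stop the attack no longer does.
        "regressions": sorted(
            name for name, outcome in baseline.items()
            if outcome == "blocked" and current.get(name) == "not_blocked"
        ),
        # A previously open path is now blocked (e.g. a remediation was verified).
        "fixed": sorted(
            name for name, outcome in baseline.items()
            if outcome == "not_blocked" and current.get(name) == "blocked"
        ),
        # Newly added simulations that found an open path on their first run.
        "new_gaps": sorted(
            name for name, outcome in current.items()
            if name not in baseline and outcome == "not_blocked"
        ),
        # Coverage lost from the run itself, not from the controls.
        "not_rerun": sorted(name for name in baseline if name not in current),
    }


def gate(diff):
    """True if the change can stay; False if it must be held or rolled back
    because at least one control regressed. New gaps and skipped simulations
    are reported, not gating, since they are not caused by the change."""
    return not diff["regressions"]


if __name__ == "__main__":
    result = diff_runs(BASELINE_RUN, CURRENT_RUN)
    for category, names in result.items():
        print(f"{category:12s} {names}")
    print("change accepted:", gate(result))
```

In the constructed data the policy change fixed lateral movement over SMB but silently re-opened shadow copy deletion, which is the regression the gate catches; the skipped email simulation shows up under "not_rerun" so the team knows that part of the baseline is stale rather than still green.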
Using EV to Support Governance and Compliance
EV isn’t just useful for detecting security gaps — it also helps close them and prove they’re resolved. Security teams can rerun simulations to confirm that remediations worked and generate auditable evidence that vulnerabilities were fixed. This evidence simplifies regulatory reviews, especially in environments that are required to maintain compliance with HIPAA and HITECH security standards.
Instead of scrambling for screenshots or manually collected logs during audits, security leaders can present a clear timeline: The vulnerability was found, tested, mitigated, retested, and closed — all backed by real results. This transparency improves relationships with auditors and gives security teams peace of mind.
Protecting More With Fewer Resources
The number of published CVEs has more than doubled in the last five years. Of those exploited in 2024, 63% were found on healthcare networks. Meanwhile, funding from sources like Medicaid, which accounts for nearly 20% of healthcare spending in the U.S. and pays for the tools and salaries of the people responsible for protecting hospital systems, is being slashed. As resources shrink and cyberattacks grow in number and sophistication, security leaders must embrace a new mandate: do less, but do it earlier and with greater impact. Exposure validation makes that possible.