
New Research Uncovers the Most Targeted and Vulnerable Assets Are OT and Medical Devices

September 12, 2023 · 6 min read · Ross Seay · Industrial Security Practice

Medical devices lead in unpatched CVEs, and operational technology assets face the highest volume of cyber attacks. The data has implications for every CISO.

A recent study found that medical devices are the asset class most vulnerable to unpatched CVEs, and that operational technology (OT) assets face the highest number of cyber attacks. The findings reinforce what frontline incident responders have been saying for years: the assets that run the physical world are the least protected.

Why These Asset Classes Are So Exposed

  • Long lifecycles — devices designed for 10 to 20 years of service often outlast vendor patch support.
  • Patching is operationally hard — taking a CT scanner or a PLC offline to apply a patch may be impossible without scheduled downtime.
  • Limited security tooling — many devices cannot host an EDR agent or even reliable logging.
  • Flat networks — historically deployed without segmentation from IT.
  • Default credentials and protocols designed without authentication are still in production.

What to Do About It

  • Build an authoritative inventory of medical and OT assets, including firmware versions and CVE exposure.
  • Segment ruthlessly — these networks should be isolated by design with explicit cross-zone gateways.
  • Use passive monitoring (Claroty, Nozomi, Dragos, Armis class tools) where active scanning would disrupt the device.
  • Apply compensating controls when patching is infeasible: virtual patching, ACLs, application-layer gateways.
  • Tabletop the worst case: ransomware hits the manufacturing floor or the hospital, the EHR is unreachable, the PLCs go offline. Exercise the response.
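
One way to check the segmentation and passive-monitoring points above, as an added example that is not from the article or the study: flow records exported by a passive sensor are compared against a zone map and an explicit cross-zone allow-list, and anything else is reported. The subnets, zone names, rules and flow records are constructed for illustration.

```python
import ipaddress

# Constructed zone map (assumption): subnet -> zone name
ZONES = {
    "10.10.0.0/16": "it",
    "10.20.0.0/24": "ot-plc",
    "10.30.0.0/24": "medical",
    "10.99.0.0/28": "gateway",
}
# Explicit cross-zone rules (assumption): (src_zone, dst_zone, dst_port)
ALLOWED = {
    ("it", "gateway", 443),
    ("gateway", "ot-plc", 502),    # Modbus/TCP via the gateway only
    ("gateway", "medical", 104),   # DICOM via the gateway only
}
# Constructed flow records, shaped like a passive sensor export
FLOWS = [
    {"src": "10.10.4.7", "dst": "10.99.0.2", "dport": 443},
    {"src": "10.99.0.2", "dst": "10.20.0.15", "dport": 502},
    {"src": "10.10.4.7", "dst": "10.20.0.15", "dport": 502},   # IT straight to a PLC
    {"src": "10.20.0.15", "dst": "10.20.0.16", "dport": 502},  # intra-zone
    {"src": "10.30.0.8", "dst": "192.0.2.50", "dport": 23},    # peer not in inventory
]

def zone_of(ip):
    """Return the zone of the most specific matching subnet, or 'unmapped'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, zone in ZONES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, zone)
    return best[1] if best else "unmapped"

def audit(flows):
    """List flows that cross zones without an allow rule or touch unmapped hosts."""
    findings = []
    for f in flows:
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src == dst and src != "unmapped":
            continue  # traffic that stays inside one zone is out of scope here
        if (src, dst, f["dport"]) in ALLOWED:
            continue
        reason = "unmapped endpoint" if "unmapped" in (src, dst) else "no allow rule"
        findings.append((f["src"], f["dst"], f["dport"], f"{src}->{dst}", reason))
    return findings

if __name__ == "__main__":
    for row in audit(FLOWS):
        print(row)
```

An "unmapped endpoint" finding points at an inventory gap; a "no allow rule" finding points at a path that bypasses the cross-zone gateway.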

Medical and OT security are no longer adjacent disciplines. They are the front line.