TL;DR: Healthcare organisations are moving from CVSS-driven vulnerability triage to exploitability management, using KEV, EPSS, and environmental context to focus limited resources on risks that can actually be reached, according to Elisity’s interview with Claroty and MultiCare leaders. In healthcare, the question is no longer which vulnerabilities exist, but which ones can still be exploited before they reach patient systems.
At a glance
What this is: This interview argues that medical device security should prioritise exploitability over blanket vulnerability remediation, because healthcare teams cannot patch or mitigate every CVE across connected clinical environments.
Why it matters: For IAM and security teams, the shift matters because effective control depends on reachability, segmentation, and constrained access paths, which is the same governance logic that underpins least privilege in NHI and human identity programmes.
By the numbers:
- 89% of healthcare organizations operate connected medical devices with known exploitable vulnerabilities.
- Healthcare breaches cost an average of $7.42 million per incident, the highest of any industry for the 14th consecutive year
- Only a small percentage of published CVEs have a high probability of exploitation within 30 days.
👉 Read Elisity’s analysis of exploitability management for medical device security
Context
Medical device security is moving away from the idea that every vulnerability can or should be fixed on the same timetable. In connected healthcare environments, the real constraint is not awareness of CVEs but the ability to distinguish theoretical exposure from paths an attacker can actually exploit. That same logic matters in identity governance, where standing access and over-broad reach create blast radius even when the underlying system remains unchanged.
The article centres on exploitability management, a control approach that prioritises reachability, real-world exploitation data, and environmental context over raw vulnerability counts. For healthcare teams, this is a governance problem as much as an operations problem: the question is how to bound risk when patch cycles, device availability, and patient care needs collide. That framing is typical for large clinical environments, but the willingness to abandon CVSS-first thinking is still atypical.
Key questions
Q: What breaks when medical device teams rely on CVSS alone?
A: CVSS alone breaks prioritisation because it treats theoretical severity as if it were equivalent to real-world exposure. In healthcare, that leads teams to spend time on vulnerabilities that cannot be reached or exploited while leaving reachable systems underprotected. Effective programmes combine exploitability data, reachability, and criticality to focus effort where patient impact is most likely.
Q: Why does segmentation matter so much in connected healthcare environments?
A: Segmentation matters because many medical devices cannot be patched quickly and often sit on highly interdependent networks. If an attacker can move laterally from one device to another, the vulnerability becomes operationally relevant. Strong segmentation reduces that movement path and can make a device effectively non-exploitable even when the underlying flaw still exists.
Q: How do security teams know whether exploitability management is working?
A: Teams should look for fewer high-priority findings tied to reachable assets, shorter response times for KEV-listed issues, and a measurable drop in lateral movement paths toward clinical systems. If remediation decisions are still driven mainly by raw CVE counts, the programme has not shifted from vulnerability management to exploitability management.
Q: Who is accountable when an exposed medical device leads to patient-impacting disruption?
A: Accountability sits with both security and operational leadership because exploitability management is a governance decision, not just a technical one. If segmentation, asset visibility, and remediation prioritisation were not aligned to clinical risk, the organisation failed to manage the exposure path, not just the vulnerability itself.
Technical breakdown
Exploitability management versus CVSS scoring
CVSS tells you how severe a vulnerability could be in the abstract. Exploitability management adds context: whether the asset is reachable, whether the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, whether EPSS suggests likely exploitation, and whether compensating controls already narrow the attack path. That turns a flat queue of thousands of CVEs into a smaller set of issues that actually change risk. In healthcare, this matters because many clinical devices are difficult to patch and cannot tolerate downtime. The better control question is not whether a flaw exists, but whether the flaw can be used in your environment.
Practical implication: build prioritisation around exploitable reach, not score alone, and treat segmentation as part of remediation.
Why microsegmentation changes the medical device risk model
Microsegmentation works because it reduces the number of communication paths an attacker can use after discovering a vulnerable device. In operational technology and Internet of Medical Things environments, this is often more realistic than trying to eliminate every vulnerable endpoint. The article’s Thermopylae analogy is accurate: defenders do not need to protect every system equally if they can secure the critical pass that leads to patient-impacting assets. Identity-based microsegmentation adds enforcement by constraining which systems may talk to each other, which is especially valuable when legacy devices remain unpatchable for long periods.
Practical implication: map critical communication paths first, then enforce deny-by-default rules around the few flows that truly matter.
Data quality is the foundation for exploitability decisions
Exploitability management depends on accurate asset inventories, clean dependency maps, and reliable device metadata. Without that foundation, teams cannot tell which device is exposed, which system depends on it, or which compensating control is already in place. This is where many healthcare programmes fail: they have vulnerability data, but not the operational context needed to act rationally. The article correctly links this to AI readiness as well, because poor inventory discipline today becomes poor decision quality tomorrow. In governance terms, this is a lifecycle issue, not just a scanning issue.
Practical implication: invest in discovery and inventory quality before expecting exploitability scoring to improve decisions.
Threat narrative
Attacker objective: The attacker aims to turn a reachable medical device into a path toward clinical disruption or higher-value systems.
- Entry occurs through a device or service with a known vulnerability that remains reachable inside the clinical environment.
- Escalation happens when the attacker uses flat network paths or weak segmentation to move from the exposed device toward higher-value systems.
- Impact follows when the vulnerable device becomes a foothold for disruption, patient-care interference, or broader compromise of connected clinical operations.
NHI Mgmt Group analysis
Exploitability management is the right corrective lens for healthcare risk. CVSS-heavy vulnerability programmes create a false sense of completeness because they treat all critical findings as equally urgent. In connected clinical environments, the real governance problem is not the number of CVEs, but which ones can be reached, chained, and used against patient-facing systems. That makes exploitability a better decision variable than severity alone, and it is the correct lens for teams with constrained patch windows.
Identity-based microsegmentation is now a clinical risk control, not just a network design preference. The article’s strongest point is that reachability determines whether a vulnerability matters. That is an identity and access problem at machine scale: if a device cannot initiate or receive traffic outside its approved path, its exploitable surface shrinks. For practitioners, this means access policy must be tied to device identity and communication intent, not just address-based segmentation.
Data quality debt is becoming exploitability debt. The article links inventory discipline, device relationships, and future AI readiness, which is exactly right. Organisations that cannot maintain trustworthy asset and dependency data will continue to mis-rank risk and over-invest in low-value remediation. The named concept here is exploitability debt: the accumulated governance failure that makes it impossible to distinguish theoretical vulnerability from actual exposure. Practitioners should treat inventory quality as a control objective, not a housekeeping task.
Healthcare security programmes need outcome-based prioritisation, not remediation theatre. The cost of chasing every CVE is operational churn without proportional safety gain. The better model is to protect the paths and assets that actually affect care delivery, then accept residual exposure where compensating controls have made exploitation unrealistic. That approach aligns security spending with patient safety and gives clinical leadership a measurable basis for trade-offs.
Segmentation is becoming a compliance and resilience expectation, not an optional hardening layer. The article’s discussion of the proposed HIPAA Security Rule updates reflects a broader shift toward demonstrable containment. Healthcare teams should expect regulators and auditors to care less about whether every device is patched and more about whether exposed devices are isolated, monitored, and prevented from becoming launch points. Practitioners should prepare for that accountability shift now.
What this signals
Exploitability debt will become a useful programme lens for teams that manage large fleets of clinical, operational, or service-connected assets. The organisations that can maintain trustworthy inventory, communication-path mapping, and containment policy will make faster decisions and absorb fewer surprises when new exposures appear.
Healthcare programmes should expect more pressure to prove containment rather than simply report patch counts. That means identity-aware segmentation, better dependency data, and governance evidence will matter more in board conversations and audit responses, especially where patient safety and availability are part of the control objective.
For practitioners
- Prioritise exploitability scoring over severity scoring Use KEV, EPSS, reachability, and asset criticality together so remediation effort goes to vulnerabilities that can actually be used in your environment.
- Map the critical communication paths first Identify the small number of device-to-device flows that lead to high-value clinical systems, then focus compensating controls on those paths.
- Enforce identity-based segmentation around clinical devices Tie policy to device identity and approved communication intent so unmanaged or legacy systems cannot freely traverse the network.
- Improve asset and dependency data before expanding automation Clean inventory, ownership, and dependency records so exploitability decisions are based on reliable operational context rather than incomplete scans.
Key takeaways
- The article argues that medical device security should be judged by exploitability, not by raw CVE volume or CVSS severity alone.
- The evidence points to a healthcare environment where thousands of vulnerabilities and limited patch capacity make prioritisation by real attack path essential.
- Teams that control reachability, improve asset data, and enforce segmentation will reduce risk faster than teams still chasing every vulnerability equally.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Reachability and access restriction are central to exploitability management in healthcare devices. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement aligns with containment of reachable medical device paths. |
| CIS Controls v8 | CIS-5 , Account Management | Identity and access governance underpins control of connected systems and privileged paths. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article is fundamentally about stopping attackers from moving from an exposed device to impact. |
| NIST Zero Trust (SP 800-207) | Zero trust principles support continuous verification of device communication and containment. |
Apply zero-trust policy to connected devices so trust is based on verified path and context, not network location.
Key terms
- Exploitability Management: Exploitability management is the practice of prioritising vulnerabilities based on whether they can actually be used in a specific environment. It combines vulnerability intelligence, asset reachability, and compensating controls so teams focus on exposure that can lead to real operational impact.
- Known Exploited Vulnerabilities Catalog: The Known Exploited Vulnerabilities catalog is a list of vulnerabilities that have been confirmed as exploited in the wild. Security teams use it to separate theoretical issues from problems already proven dangerous in real environments, especially when remediation capacity is limited.
- Identity-Based Microsegmentation: Identity-based microsegmentation restricts system communication by identity and policy rather than by broad network location. It reduces lateral movement by allowing only approved device-to-device or workload-to-workload flows, which is particularly useful in legacy and clinical environments.
- Exploitable Reachability: Exploitable reachability describes whether an attacker can actually get to a vulnerable asset through the network paths and trust relationships that exist in production. It is a more practical signal than severity alone because it reflects the environment an attacker would face.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- The interview-specific framing from Claroty and MultiCare leaders on how exploitability management changes day-to-day prioritisation.
- The Thermopylae analogy applied to healthcare segmentation decisions and where to place the strongest controls.
- The practical workflow linking discovery, dependency mapping, and enforcement across clinical environments.
- The article's discussion of how AI readiness depends on the same inventory and data-quality discipline.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle practices. It is suitable for practitioners who need a stronger control model for access, ownership, and lifecycle discipline across modern identity programmes.
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org