Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Medical device exploitability management: what teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Healthcare organisations are moving from CVSS-driven vulnerability triage to exploitability management, using KEV, EPSS, and environmental context to focus limited resources on risks that can actually be reached, according to Elisity’s interview with Claroty and MultiCare leaders. In healthcare, the question is no longer which vulnerabilities exist, but which ones can still be exploited before they reach patient systems.

NHIMG editorial — based on content published by Elisity: Medical Device Security in 2026, featuring a discussion with Claroty and MultiCare leaders on exploitability management

By the numbers:

Questions worth separating out

Q: What breaks when medical device teams rely on CVSS alone?

A: CVSS alone breaks prioritisation because it treats theoretical severity as if it were equivalent to real-world exposure.

Q: Why does segmentation matter so much in connected healthcare environments?

A: Segmentation matters because many medical devices cannot be patched quickly and often sit on highly interdependent networks.

Q: How do security teams know whether exploitability management is working?

A: Teams should look for fewer high-priority findings tied to reachable assets, shorter response times for KEV-listed issues, and a measurable drop in lateral movement paths toward clinical systems.

Practitioner guidance

  • Prioritise exploitability scoring over severity scoring Use KEV, EPSS, reachability, and asset criticality together so remediation effort goes to vulnerabilities that can actually be used in your environment.
  • Map the critical communication paths first Identify the small number of device-to-device flows that lead to high-value clinical systems, then focus compensating controls on those paths.
  • Enforce identity-based segmentation around clinical devices Tie policy to device identity and approved communication intent so unmanaged or legacy systems cannot freely traverse the network.

What's in the full article

Elisity's full article covers the operational detail this post intentionally leaves for the source:

  • The interview-specific framing from Claroty and MultiCare leaders on how exploitability management changes day-to-day prioritisation.
  • The Thermopylae analogy applied to healthcare segmentation decisions and where to place the strongest controls.
  • The practical workflow linking discovery, dependency mapping, and enforcement across clinical environments.
  • The article's discussion of how AI readiness depends on the same inventory and data-quality discipline.

👉 Read Elisity’s analysis of exploitability management for medical device security →

Medical device exploitability management: what teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Exploitability management is the right corrective lens for healthcare risk. CVSS-heavy vulnerability programmes create a false sense of completeness because they treat all critical findings as equally urgent. In connected clinical environments, the real governance problem is not the number of CVEs, but which ones can be reached, chained, and used against patient-facing systems. That makes exploitability a better decision variable than severity alone, and it is the correct lens for teams with constrained patch windows.

A question worth separating out:

Q: Who is accountable when an exposed medical device leads to patient-impacting disruption?

A: Accountability sits with both security and operational leadership because exploitability management is a governance decision, not just a technical one. If segmentation, asset visibility, and remediation prioritisation were not aligned to clinical risk, the organisation failed to manage the exposure path, not just the vulnerability itself.

👉 Read our full editorial: Exploitability management is reshaping medical device security



   
ReplyQuote
Share: