Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Mitigating and avoiding software vulnerabilities in healthcare

Written by Kapua Iao | December 19, 2025

Software vulnerabilities, such as those in unpatched or outdated devices, are prevalent in the healthcare industry and a leading cause of data breaches. In fact, 99% of the healthcare organizations surveyed in the recent State of CPS Security Report: Healthcare Exposures 2025 confirmed that they were vulnerable to publicly known software exploits. Such weaknesses are an attractive entry point for threat actors who want to access or steal patients’ protected health information (PHI).

See also: HIPAA compliant email: The definitive guide (2025 update)

Cybersecurity threats to healthcare

The Health Insurance Portability and Accountability Act (HIPAA) sets the rules and regulations surrounding access to and disclosure of PHI. The HIPAA Privacy Rule establishes the national standards to protect PHI, while the Security Rule creates a framework for the defense of electronic PHI (ePHI). To enhance data confidentiality, healthcare organizations must prioritize HIPAA compliance by using strong security measures.

HIPAA compliance promotes strong security, which matters more as data breaches in the healthcare industry increase. According to reports, 249.09 million individuals were affected by healthcare data breaches between 2005 and 2019, and 157.4 million of them were impacted in the final five years of that period alone. More recent accounts show that healthcare data breaches exposed 275 million records in 2024.

Common causes of breaches that expose PHI include accidental disclosure, theft, lost or stolen devices, hacking incidents, and phishing and ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures (insider threats). Whatever the type, a data breach can have far-reaching consequences and raise serious accountability and responsibility issues for an organization.

Software vulnerabilities in healthcare

The rapid adoption of technology in healthcare has expanded the attack surface of hospitals, giving cyberattackers more opportunities to infiltrate health systems. It has also brought a new set of challenges concerning privacy, data security, and regulatory compliance. Under HIPAA, healthcare organizations must protect PHI, which means that any software they use must remain secure and up to date.

All software used by covered entities and their business associates to collect, store, transmit, or process PHI is subject to HIPAA. Typically, software vulnerabilities occur because of operational constraints or compatibility issues. Unsupported and unsafe software, such as software that no longer receives updates, patches, or technical support, is a risk because it exposes healthcare networks and systems to cyberattacks.

Once in a system, a hacker can hunt for a wide range of sensitive information, starting with medical records that contain patient information, health histories, diagnoses, treatments, and medications. Many legacy systems can no longer be updated or patched because manufacturers no longer support them, making them prime targets for attacks.

Examples of software vulnerabilities

  1. Unpatched or outdated software
  2. Legacy software (and devices)
  3. Not applying updates as they are released
  4. Insufficient authentication and/or access controls
  5. Unencrypted communication
  6. Vendor-related software vulnerabilities
  7. Unsecured email systems and outdated email filtering
  8. Data leakage
  9. Missing employee endpoint security

Such vulnerabilities open back doors for cyberattackers, who can then infiltrate a system with phishing, malware, ransomware, or even spoofing to access or steal PHI. Many devices can keep running on outdated software, but they eventually become vulnerable to intrusion.

Learn more: Healthcare email systems, security patches and vulnerability updates

Reasons for software vulnerabilities in healthcare

Despite being known security risks, software vulnerabilities persist in healthcare largely for financial and logistical reasons. Providers tend not to invest in cybersecurity or cyber expertise: most small to medium-sized providers lack the funds to spend on cybersecurity and updated software rather than patient care, while large providers have too many attack surfaces to protect them all.

Furthermore, older software is typically incompatible with advanced security solutions such as endpoint detection or real-time threat monitoring. Cybercriminals actively scan for unsupported or unpatched software because it provides an easy entry point into an organization’s network. Human error is also common in healthcare, so attackers pair software vulnerabilities with malware and social engineering, and healthcare workers are frequent phishing targets.

Once a system is compromised, attackers can move laterally across the network to view and retrieve PHI. If the initial access came through a vendor, they can also move from one client organization to another.

A real-world example: Vertikal Systems’ Hospital Manager

Vertikal Systems’ Hospital Manager is a multi-user clinical and hospital management system that stores patients’ records, scheduling, billing, and financial information and supports the efficient running of healthcare organizations. In October, researchers discovered two vulnerabilities in Vertikal’s Hospital Manager Backend Services: CVE-2025-54459 and CVE-2025-61959.

The vulnerabilities were found to affect software versions of Hospital Manager released before September 19, 2025. According to the Cybersecurity and Infrastructure Security Agency (CISA), vulnerability CVE-2025-54459 could let a remote attacker access sensitive information through a low-complexity exploit. Vulnerability CVE-2025-61959 was found to disclose internal system details to attackers.

Since the report, Vertikal Systems has fixed the access points and released updates to patch both vulnerabilities. The company recommends that all user organizations upgrade their software and avoid exposing the system directly to the internet in the future.

Consequences of software vulnerabilities

There can be numerous consequences for organizations that fall victim to software vulnerabilities, including:

  • Financial loss (counting recovery expenses)
  • Compromised patient care
  • Delayed or missed patient care
  • Operational disruptions
  • Loss of trust
  • Work disruption (e.g., needing to revert to manual workflows)
  • Noncompliance with regulatory agencies
  • Legal consequences and financial penalties

Replacing or updating parts of a system can be costly, but the continued use of unsupported software introduces cybersecurity weaknesses that could result in a data breach, HIPAA violation, and even patient death.

The aftermath: mitigating software vulnerabilities

The reality is that software-related breaches occur all the time, so healthcare organizations must know how to contain one. After a breach, providers need to monitor their systems continuously for anomalies and unusual behavior. If an organization suspects that its system has been breached, it should identify and confirm the incident, then take steps to stop the leak of PHI.

Organizations can use vulnerability scanning tools to find known issues and outdated software; these tools help identify the weaknesses attackers are looking to exploit. Healthcare organizations can further reduce the impact of such breaches by applying updates and then implementing rigorous security measures.

They should also conduct thorough security audits and compliance reviews to identify further vulnerabilities. After detection and investigation, organizations must follow the Breach Notification Rule and notify affected individuals, the government, and the media. Swift, transparent communication lessens the fallout and shows an organization’s commitment to rectifying the breach and preventing a recurrence.

Avoiding software vulnerabilities in healthcare with HIPAA compliance

HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify weaknesses and develop strategies to address them. Other steps to avoid software vulnerabilities include:

  1. Establishing up-to-date policies and procedures
  2. Using business associate agreements (BAAs) when working with third-party vendors
  3. Creating programs to identify and install needed software updates and patches
  4. Providing continuous employee awareness training, including on how to use software and devices responsibly
  5. Ensuring proper technological safeguards, such as data encryption
  6. Employing extra firewalls and endpoint security
  7. Utilizing strong access controls
  8. Keeping devices physically in secure, controlled locations
  9. Connecting devices and using software on private and encrypted networks
  10. Regularly auditing and monitoring systems
  11. Conducting penetration testing to learn about possible flaws
  12. Creating data backup and disaster recovery plans in case of an incident
  13. Having an incident response plan ready in case it is needed

HIPAA compliance regulations aim to protect patient health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.

Messages from CISA about software vulnerabilities

CISA issues warnings about software vulnerabilities through its Known Exploited Vulnerabilities (KEV) Catalog, and within the catalog it recommends what to do about each issue. According to the agency, organizations should patch or otherwise mitigate vulnerabilities as soon as possible to reduce active threats and put security measures in place to protect their systems.

Moreover, CISA states that software manufacturers should develop software with security in mind. Both messages were repeated in the entry for the Vertikal Systems vulnerabilities, where CISA recommended that users, besides applying updates, “take defensive measures to minimize the risk of exploitation.”
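
As an added illustration (not Paubox’s or CISA’s code), the script below matches a constructed software inventory against entries shaped like CISA’s KEV JSON feed and ranks each hit by how far past CISA’s due date it is; the field names follow the real feed, but the CVE IDs, vendors, products and hosts are placeholders.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed: the field names are the feed's,
# but these CVE IDs, vendors and products are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-XXXX-00001", "vendorProject": "ExampleEHR", "product": "Patient Portal",
     "dateAdded": "2025-10-01", "dueDate": "2025-10-22", "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-XXXX-00002", "vendorProject": "ExampleNet", "product": "Edge VPN",
     "dateAdded": "2025-11-20", "dueDate": "2025-12-11", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-XXXX-00003", "vendorProject": "OtherCo", "product": "Not Deployed",
     "dateAdded": "2025-11-01", "dueDate": "2025-11-22", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: what the organization runs and on which host.
INVENTORY = [
    {"host": "portal-01", "vendor": "ExampleEHR", "product": "Patient Portal"},
    {"host": "vpn-gw", "vendor": "examplenet", "product": "edge vpn"},   # case differs
    {"host": "imaging-03", "vendor": "LegacyRad", "product": "Viewer"},  # not in KEV
]

def _key(vendor, product):
    """Normalize vendor/product so inventory spelling matches the feed."""
    return (vendor.strip().lower(), product.strip().lower())

def find_kev_exposures(kev_json, inventory, today):
    """Return inventory items listed in the KEV feed, worst first, with the number
    of days past CISA's dueDate (negative means the deadline has not passed)."""
    today = date.fromisoformat(today)
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cveID": entry["cveID"],
                             "days_overdue": (today - due).days,
                             "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                             "action": entry["requiredAction"]})
    findings.sort(key=lambda f: (f["days_overdue"], f["ransomware"]), reverse=True)
    return findings

if __name__ == "__main__":
    for f in find_kev_exposures(KEV_SAMPLE, INVENTORY, "2025-12-19"):
        print(f"{f['host']:<10} {f['cveID']:<15} {f['days_overdue']:>4}d overdue  ransomware={f['ransomware']}")
```

In practice the inventory would come from the organization’s asset management system and the feed from cisa.gov; anything that matches is, by CISA’s definition, already being exploited in the wild and belongs at the top of the patch queue.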

FAQs

Is digitally stored healthcare data safe?

Yes, especially with technologies like blockchain and encryption protocols in place. Additionally, compliance with regulations like HIPAA helps ensure that digital health data is kept confidential, secure, and accessible only to authorized parties.

How does HIPAA’s Privacy Rule affect software development in terms of patient access to their data?

The Privacy Rule requires that patients must be able to access, inspect, and request copies of their PHI.

How should healthcare providers secure systems that must be accessed remotely?

Remote access should only be granted through secure channels such as virtual private networks (VPNs). These VPNs should also be updated regularly and configured with strong authentication to minimize exposure.