Operational resilience is being tested at the seams. As we head into March, we continue to see the risk environment being defined through AI adoption pressures, emergency patching realities, and nation-state–aligned actors targeting critical infrastructure.
Against the backdrop of increased geopolitical tensions with Iran, this month's brief discusses improving resilience through cyber vigilance and patching in a hyper-connected ecosystem.
CISO Signal: Geopolitical Tensions and Cyber Vigilance
Why it Matters Now
At the time of this writing, there are no confirmed large-scale retaliatory cyber campaigns targeting US healthcare organizations in connection with the increased tensions between the United States and Israel on one side and Iran on the other. However, history shows that periods of escalation often correlate with increased cyber activity from state-aligned or proxy actors.
What Leaders Should Know
Healthcare remains a high-visibility sector where disruption has immediate operational and public impact. In similar environments, we typically observe credential harvesting campaigns, exploitation of unpatched perimeter devices, DDoS activity, and opportunistic ransomware attempts.
Recommendations
This is not a moment for alarm. It is a moment for validation. Executive teams should:
- Confirm patch posture of internet-facing systems
- Enforce MFA across privileged access
- Review external attack surface exposure
- Validate incident response escalation procedures
Resilience in healthcare is measured by continuity of care. Periods of geopolitical uncertainty are when disciplined operational maturity matters most.
Microsoft Patching as a Resilience Conversation
Why It Matters Now
Patching is no longer a speed metric. It is a resilience decision.
Emergency out-of-band releases, together with interdependencies across Windows, Office, browsers, identity infrastructure, and legacy systems, have turned patching into a patient safety and operational continuity discussion.
Aggressive patching without testing can disrupt care. Delayed patching increases exposure. To walk the line between these risks, organizations must treat patching as a risk management discipline, not an IT task.
What Leaders Should Understand
Ownership of patching must be explicit, as shared accountability without defined authority results in delays. Who owns endpoint patching end-to-end: IT operations, security, clinical engineering, or an outsourced provider?
Emergency deployment criteria must be documented in advance. Define the triggers for immediate deployment versus controlled testing to eliminate confusion and enable faster action. Specifically, zero-days affecting authentication, remote access, or email delivery should have predefined response paths.
Practiced patching procedures also reduce remediation time. Tabletop the decision process before the next out-of-band event.
Threats To Be Aware Of
Emergency Patch Ready for Exploited Microsoft Office Bypass
- Overview:
- Microsoft released emergency out-of-band patches to fix a security feature bypass in multiple versions of Microsoft Office. The flaw allows attackers to bypass OLE security mitigations, enabling the delivery of malicious document payloads.
- Healthcare Impact:
- A document-delivered exploit that bypasses security mitigations is not a theoretical risk; it is operationally probable in hospitals, where clinical, vendor, payer, and legal documents are opened daily. CVE-2026-21509 represents a high-severity, actively exploited Office vulnerability with direct implications for patient safety, operational continuity, and HIPAA compliance.
- Recommended Actions:
- Patch all affected Microsoft Office versions immediately and apply registry-based mitigations on Office 2016 and 2019 where updates cannot be deployed
- Apply Attack Surface Reduction rules and restrict legacy COM/OLE and ActiveX behavior to limit exploit paths
- Monitor endpoints with EDR for abnormal Office, COM, or OLE activity and phishing-delivered document execution
- Validate backups and regularly test incident response plans, including containment and recovery workflows for Office zero-day exploitation
- Questions to Ask Your Team:
- Are we still exposed anywhere, and when will we be "done"? Ask for a quick inventory: how many endpoints run Office 2016/2019 vs LTSC/365, what percentage are already on the fixed builds, and the committed completion date for the remainder.
- Where can't we patch immediately, and what compensating controls are in place? Specifically for Office 2016/2019 exceptions: confirm the registry-based mitigations are applied, ASR rules are enforced, and legacy COM/OLE and ActiveX paths are restricted. Ask how the team validated those controls (and how they'll prove it).
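The inventory and control-validation questions above are easier to answer when each endpoint can report its own state. The following PowerShell audit is an added example written for this brief, not Microsoft's or Fortified's code. It reads the installed Office build from the registry (Click-to-Run or MSI) and checks whether the Office-related Attack Surface Reduction rules are enforced, using the rule GUIDs Microsoft publishes for Defender. Two things are assumptions: the fixed Click-to-Run build is not stated in this brief, so it is passed in as `-FixedBuild` with a placeholder default; and because the brief does not name the registry-based mitigation for Office 2016/2019, the script does not attempt to check it, which a team should add once they have the vendor's key.

```powershell
# Added example (not from the original brief): per-endpoint audit of the Office
# build and of Attack Surface Reduction (ASR) enforcement, for answering
# "are we still exposed?" during the CVE-2026-21509 response.
# Assumption: -FixedBuild is the fixed Click-to-Run build from the vendor
# advisory; the default below is only a placeholder. Run elevated on a Windows
# endpoint with Microsoft Defender Antivirus present.
param(
    [version]$FixedBuild = '16.0.0.0'   # placeholder, supply the real fixed build
)

# ASR rules most relevant to document-delivered OLE/COM abuse. GUIDs are the
# rule IDs Microsoft documents for Defender (assumed current at time of writing).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D20-4D51-BA86-A69D7DB36A58' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

function Get-OfficeInstall {
    # Click-to-Run (Microsoft 365 Apps, Office 2019/2021/LTSC) records its build here.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        return [pscustomobject]@{
            Channel = 'ClickToRun'
            Product = $c2r.ProductReleaseIds
            Build   = [version]$c2r.VersionToReport
        }
    }
    # MSI-based Office 2016/2019 only shows up under the Uninstall keys.
    $msi = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
           Get-ItemProperty -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -match '^Microsoft Office (Professional|Standard|Home).*20(16|19)' } |
           Select-Object -First 1
    if ($msi) {
        return [pscustomobject]@{ Channel = 'MSI'; Product = $msi.DisplayName; Build = [version]$msi.DisplayVersion }
    }
    return $null
}

function Get-AsrStatus {
    # Defender stores configured rule IDs and their actions as two parallel arrays.
    $pref     = Get-MpPreference
    $idsUpper = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $actions  = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $asrRules.Keys) {
        $i      = [array]::IndexOf($idsUpper, $guid)
        $action = if ($i -ge 0) { $actions[$i] } else { 0 }
        [pscustomobject]@{
            Rule  = $asrRules[$guid]
            Guid  = $guid
            # Defender action codes: 0 disabled, 1 block, 2 audit, 6 warn.
            State = switch ([int]$action) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' } }
        }
    }
}

$office = Get-OfficeInstall
$asr    = @(Get-AsrStatus)

# "OnFixedBuild" is only meaningful for Click-to-Run; MSI Office 2016/2019 is
# fixed by an MSP patch, so those endpoints belong on the exception list until
# the patch and compensating controls are confirmed separately.
$summary = [pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    OfficeFound  = [bool]$office
    Channel      = $office.Channel
    Product      = $office.Product
    Build        = $office.Build
    OnFixedBuild = if ($office -and $office.Channel -eq 'ClickToRun') { $office.Build -ge $FixedBuild } else { $null }
    AsrBlocking  = @($asr | Where-Object State -eq 'Block').Count
    AsrExpected  = $asrRules.Count
}

$summary | Format-List
$asr | Format-Table Rule, State -AutoSize
```

Run it through your endpoint management tool and collect the `$summary` objects centrally; the count of endpoints with `OnFixedBuild` false or `Channel` equal to MSI, and the count with `AsrBlocking` below `AsrExpected`, are the two numbers the questions above ask for. Rules in `Audit` state generate telemetry but do not stop the exploit path, so treat them as not enforced when reporting.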
Peer Pulse: Patching for Resilience with Preston Duren
This month we sat down with Preston Duren, VP, Threat Services at Fortified to get back to the fundamentals: Patching. Preston brings 16+ years of IT/security expertise, spanning threat & vulnerability management, security engineering, security program development, digital forensics, and SOC. Previous roles include engineering/architecture at Community Health Systems & Information Security Officer at RCCH Health.
Russell: Who ultimately owns patch management; security, IT operations, or clinical engineering?
Preston: One thing we’ve seen is that there really needs to be one accountable executive owner. In most mature environments, the IT and infrastructure teams are responsible for pushing the patches. The security teams set risk thresholds, provide guidance around prioritization, and measure progress. Final authority for deployment timing must be clearly assigned. You need a true partnership between IT and security to be successful. If not, you’ll end up with shared ownership without authority which will slow things down.
Russell: How do you prioritize patching in a hospital environment where uptime is critical?
Preston: We generally prioritize assets based on two things: how critical they are to clinical operations and how exploitable they are. Internet-facing systems, identity infrastructure, and email platforms move to the front of the line. We also closely monitor the CISA Known Exploited Vulnerabilities (KEV) catalog, since anything on that list immediately raises the urgency. The key is having that risk-based prioritization defined in advance so you’re not trying to sort it out while responding to an incident.
Russell: What does “acceptable patching risk” look like in your opinion?
Preston: For me, vulnerabilities affecting authentication, remote access, email delivery, or lateral movement are automatic emergency reviews. Once exploit code is public and the system is externally exposed, waiting becomes hard to justify. Security leaders can make the recommendation, but the organization’s risk tolerance around patching should really be set in advance by executive leadership.
Russell: How do you handle zero-day vulnerabilities in systems that can’t be patched immediately?
Preston: If you can’t patch immediately, you need to put compensating controls in place. That might mean tightening segmentation, isolating the system, using virtual patching if it’s available, hardening identity controls, increasing monitoring, or limiting access. Any unpatchable zero-day should also have a documented mitigation plan, a clear owner, and a scheduled review date.
Russell: How involved is executive leadership in patching decisions?
Preston: Executive leadership should be involved whenever risk tolerance is exceeded. If patching has the potential to disrupt patient care, that’s no longer just an IT decision — it becomes an operational risk decision. We’re also seeing boards ask for more visibility into exposure windows and how quickly organizations are actually remediating these issues.
Closing Perspective
Healthcare cybersecurity maturity is no longer defined by the number of tools deployed or the volume of policies written. It is demonstrated through disciplined ownership, rehearsed decision-making, and operational transparency across the enterprise.
Healthcare is a target, regardless of the geopolitical environment. The healthcare organizations that will withstand the next wave of disruption are those that can clearly answer three questions without hesitation: who owns this, how do we know it is working, and when will it be complete.
Stay safe, healthcare.