Security

CTEM for Healthcare: A Guide to Continuous Threat Exposure Management

The CTEM framework focuses on a continuous approach to vulnerability management that enables uninterrupted healthcare.

Twitter

Brian T. Horowitz is a writer covering enterprise IT, innovation and the intersection of technology and healthcare.

In traditional vulnerability management, organizations react to, detect and patch known software flaws, but a framework called Continuous Threat Exposure Management offers an iterative strategy for managing and mitigating threats in real time.

First introduced by Gartner, CTEM allows organizations such as health systems to take a continuous approach to fighting cyberthreats such as ransomware and credential leaks. While traditional vulnerability management is periodic and volume-driven, with a long list of findings that may not reflect real-world risk, CTEM is continuous and “threat-informed,” according to Cristian Rodriguez, field CTO for the Americas at CrowdStrike.

“CTEM correlates exposures and then prioritizes based on exploitability, adversary behavior and business impact. In healthcare, that distinction is critical,” Rodriguez says. “Security teams don’t have time to chase theoretical risks. CTEM allows them to focus limited resources on the exposures that matter most.”

Solutions that support the CTEM framework include Check Point Software Technologies’ Exposure Management (formerly Cyberint), a platform that helps healthcare organizations address the full CTEM life cycle; and the Tenable One exposure management platform, which maps technical findings to regulatory frameworks to help healthcare organizations comply with the HIPAA Security Rule. Meanwhile, CrowdStrike Falcon Exposure Management also helps organizations such as health systems streamline their cybersecurity strategies through the CTEM lifecycle.

DISCOVER: CTEM helps healthcare organizations better prioritize security threats.

What Is CTEM in Healthcare? Understanding Continuous Threat Exposure Management

A key aspect of CTEM is its continuous approach to mapping attack surfaces as well as prioritizing remediation. Continuous management is essential for uninterrupted care, according to Rodriguez.

“Hospitals and health systems manage sensitive patient data, legacy systems and connected medical devices, all while delivering uninterrupted care,” Rodriguez says. “CTEM helps security teams prioritize the exposures most likely to disrupt clinical operations or compromise protected health information, providing measurable risk reduction in environments where operational resilience is critical.”

The five stages of CTEM include scoping out the organization’s attack surface and identifying critical threats; discovery of assets, misconfigurations and vulnerabilities; prioritization of risks; validation that threats are actionable; and mobilization, which includes coordination between security and IT teams, remediation efforts and tracking progress.

Click the banner below to read the recent CDW Cybersecurity Research Report.

x_security_q325_animated_click_desktop_03

x_security_q325_animated_click_mobile_03

Measuring CTEM Success

Under CTEM, healthcare organizations adopt metrics that reflect an organization’s resilience rather than just the number of patches applied, according to Liat Hayun, senior vice president of product management at Tenable.

“In the highly regulated healthcare landscape, these metrics serve as a bridge between technical security and HIPAA compliance,” Hayun says.

Metrics include key performance indicators and regulatory compliance tracking, in which KPIs measure risk reduction and operational performance, she explains. It also includes tracking remediation-level service-level agreements as well as peer benchmarking, which compares exposure scores and KPIs against those of peer organizations.

“Evaluation criteria for healthcare include support for legacy systems, security-certified medical device monitoring and the ability to ensure business continuity during remediation,” Hayun says.

Measurable risk reduction is a key aspect of CTEM performance metrics, according to Rodriguez.

“Ultimately, CTEM success is measured by a sustained decrease in prioritized risk and improved ability to prevent incidents that could impact patient care or sensitive data,” he says.

Metrics include reduction in critical threat–relevant exposures, time to remediate high-risk issues and a drop in overall risk score, Rodriguez says.

Why Healthcare Needs CTEM: The Evolving Threat Landscape

“By unifying visibility across complex environments, including legacy systems and connected medical devices, security teams can prevent downtime, secure sensitive patient health information and innovate without introducing unnecessary risk,” Hayun says.

Healthcare could benefit from CTEM because it is the most targeted sector for cyberattacks, and patient data generates a high monetary value, Hayun notes. In addition, operational continuity is necessary, and health systems cannot afford downtime. Healthcare also has a vast attack surface that includes telehealth, remote patient monitoring, cloud-based health records and widespread connected medical devices, she says.

In healthcare, CTEM shifts the focus away from “check the box” vulnerability assessments and remediation to focus on safeguarding the most critical data and systems to protect patient and hospital safety, Hayun says.

Healthcare organizations need a CTEM framework because of the visibility and control challenges of IoT devices, Rodriguez says.

Building a Healthcare CTEM Program

CTEM implementation must be a continuous implementation process rather than a “set-it-and-forget-it, point-in-time process,” Hayun explains. That includes routinely testing security controls and updating exposure management processes as necessary.

“Exposure management is an operational journey that enables security teams in healthcare organizations to build a proactive defense program that protects their most critical assets, even as the digital landscape evolves,” she says.

Security teams don’t have time to chase theoretical risks. CTEM allows them to focus limited resources on the exposures that matter most.”

Cristian Rodriguez Field CTO for the Americas, CrowdStrike

Here are some strategies for successfully adopting a CTEM framework:

Pursue a Platform Approach

Rather than using fragmented point tools, healthcare organizations should look for a platform strategy, Rodriguez advises. The platform approach would “continuously correlate exposure data and turn it into prioritized action.”

Comprehensive Asset Visibility

This process involves continuous discovery across an entire attack surface, which includes IT, operational technology, AI and identity systems, Hayun says.

Unify visibility across endpoints, identities, cloud workloads and connected devices, Rodriguez adds.

Automate Exposure Management

Healthcare organizations need automated simulations to test that controls indeed block threats as intended, says Hayun.

“AI-driven exposure management helps understaffed teams continuously identify and prioritize risk without adding operational burden,” Rodriguez says. “In healthcare, CTEM is not about fixing everything; it’s about reducing the exposures most likely to disrupt care or compromise sensitive data.”

Risk-Based Prioritization

Rodriguez recommends contextual risk scoring that considers exploitability, asset criticality and regulatory exposure rather than just severity ratings.

Risk-based prioritization consists of “analytics that weigh technical severity against business criticality,” Hayun says.

CTEM should be a long-term process of continuous visibility and risk management rather than a one-time initiative, Rodriguez says.

“Ultimately, CTEM should become part of how healthcare organizations measure and manage risk over time, with success defined by sustained reduction in prioritized exposures and stronger protection of patient care delivery,” he says.

bixpicture/Getty Images