Elisity Blog

Medical Device Security in 2026: Claroty CTO and MultiCare CISO on Exploitability Management

According to Claroty Team82's State of CPS Security: Healthcare Exposures 2025 report, 89% of healthcare organizations operate connected medical devices with known exploitable vulnerabilities. Meanwhile, the average healthcare organization manages thousands of CVEs across its connected device fleet, with security teams expected to patch, prioritize, or mitigate each one. For healthcare CISOs, the math simply does not work: there are too many vulnerabilities, too few resources, and patient safety is on the line every day you defer action.

In a recent video interview at RSAC 2026, we spoke with Skip Sorrells, CTO at Claroty, and Jason Elrod, CISO at MultiCare Health System, about a fundamental shift in how healthcare organizations should approach this problem. Their shared perspective challenges a core assumption most security programs still operate under: that the goal is to fix every vulnerability. Instead, they argue, the future of medical device security lies in understanding which vulnerabilities can actually be exploited and focusing your limited resources there.

Key data points from the conversation:
  • According to the IBM Cost of a Data Breach Report 2025, healthcare breaches cost an average of $7.42 million per incident, the highest of any industry for the 14th consecutive year
  • According to EPSS data, only a small percentage of published CVEs have a high probability of exploitation within 30 days, yet most vulnerability programs treat them all as equally urgent
  • The proposed HIPAA Security Rule updates expected in 2026 will reclassify network segmentation from an addressable recommendation to a required control
  • According to CISA's KEV catalog, only a fraction of the 200,000+ published CVEs have confirmed real-world exploitation

Who are Skip Sorrells and Jason Elrod?

Skip Sorrells serves as CTO at Claroty, one of the leading cyber-physical systems (CPS) protection platforms in healthcare and industrial environments. Claroty's platform, xDome, provides asset discovery, vulnerability management, and threat detection across connected clinical and operational technology environments. Claroty was recognized as a Leader in the 2026 Gartner Magic Quadrant for CPS Protection Platforms.

Jason Elrod is the CISO at MultiCare Health System, one of the Pacific Northwest's largest not-for-profit health systems. With more than 16 years of experience in healthcare cybersecurity, Elrod brings a practitioner's perspective on what it takes to secure clinical environments at scale without disrupting patient care. MultiCare operates across multiple hospitals and hundreds of clinics, managing a complex multi-vendor network environment that spans IT, Internet of Medical Things (IoMT), and operational technology.

Sorrells builds the platform. Elrod runs it in a real hospital environment. That combination matters because most conversations about medical device security stay theoretical. This one didn't.

"Vulnerability management is a fool's errand"

Sorrells did not mince words during the conversation. As he put it: "Vulnerability management is a fool's errand. It's an exercise in futility that we thought was the right thing to do for many years. But I've come to the conclusion that I want to know what gets me breached today. And that's going to be looking through a platform or solution that tells me what's exposed. But more importantly, is it exploitable?"

Traditional vulnerability management programs rely heavily on CVSS (Common Vulnerability Scoring System) scores to prioritize remediation. A device with a CVSS 9.8 vulnerability gets flagged as critical regardless of whether that vulnerability has ever been exploited in the wild, whether the device is reachable from the network, or whether compensating controls are already in place.

Exploitability management incorporates real-world exploitation data from CISA's Known Exploited Vulnerabilities (KEV) catalog and the Exploit Prediction Scoring System (EPSS), a probabilistic model that estimates the likelihood a vulnerability will be exploited within the next 30 days. When you layer in environmental context like network reachability, existing controls, and device criticality, you move from thousands of theoretical risks to a focused set of actionable priorities.
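The triage logic this section describes, carried through in code as an added illustration (this is not code from Claroty, MultiCare or Elisity). It takes a constructed set of device findings with CVSS, EPSS, KEV membership and environmental context, and shows how the work queue reorders once KEV status, EPSS probability, reachability, existing segmentation and asset criticality are layered on top of raw severity. The CVE identifiers, EPSS values, the `EPSS_LIKELY` threshold and the tier rules are assumptions chosen for the example; a real program would tune the thresholds to its own risk appetite.

```python
"""Exploitability-first triage over a constructed set of device findings.

Added illustration of the prioritization logic in the text; not vendor code.
CVE identifiers, EPSS values and tier thresholds are constructed placeholders.
"""
from dataclasses import dataclass

# Work tiers: the lower the number, the sooner the finding is worked.
TIER_KEV, TIER_LIKELY, TIER_CRITICAL_ASSET, TIER_BACKLOG, TIER_MITIGATED = range(5)
TIER_NAMES = ["kev", "likely", "critical-asset", "backlog", "mitigated"]
EPSS_LIKELY = 0.50  # assumed threshold for "likely exploited within 30 days"


@dataclass(frozen=True)
class Finding:
    device: str
    cve: str          # placeholder ids, not real CVE numbers
    cvss: float       # base severity score
    epss: float       # EPSS probability of exploitation in the next 30 days
    in_kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalog
    reachable: bool   # vulnerable service reachable from an attacker-relevant network
    segmented: bool   # a compensating control (e.g. microsegmentation) already confines the path
    criticality: int  # 1 = low operational impact, 3 = direct patient-care impact


def tier(f: Finding) -> int:
    """Assign a work tier from exploitation evidence plus environmental context."""
    if not f.reachable or f.segmented:
        # Still vulnerable, but not exploitable along any path we know of:
        # tracked for lifecycle replacement, not worked as an emergency.
        return TIER_MITIGATED
    if f.in_kev:
        return TIER_KEV
    if f.epss >= EPSS_LIKELY:
        return TIER_LIKELY
    if f.cvss >= 9.0 and f.criticality == 3:
        return TIER_CRITICAL_ASSET
    return TIER_BACKLOG


def cvss_order(findings):
    """Traditional queue: highest CVSS first, no other context considered."""
    return [f.device for f in sorted(findings, key=lambda f: -f.cvss)]


def exploitability_order(findings):
    """Exploitability queue: tier first, then EPSS, then asset criticality."""
    key = lambda f: (tier(f), -f.epss, -f.criticality)
    return [f.device for f in sorted(findings, key=key)]


def tier_names(findings):
    """Map each device to the name of its assigned tier, for reporting."""
    return {f.device: TIER_NAMES[tier(f)] for f in findings}


# Constructed sample fleet: five devices, one finding each.
FINDINGS = [
    Finding("infusion-pump",      "CVE-PLACEHOLDER-1", 9.8, 0.02, False, False, True,  3),
    Finding("imaging-workstation","CVE-PLACEHOLDER-2", 7.5, 0.91, True,  True,  False, 3),
    Finding("hvac-controller",    "CVE-PLACEHOLDER-3", 8.8, 0.62, False, True,  False, 1),
    Finding("nurse-call-server",  "CVE-PLACEHOLDER-4", 9.1, 0.04, False, True,  False, 3),
    Finding("badge-printer",      "CVE-PLACEHOLDER-5", 5.3, 0.01, False, True,  False, 1),
]

if __name__ == "__main__":
    print("CVSS-first queue:          ", cvss_order(FINDINGS))
    print("Exploitability-first queue:", exploitability_order(FINDINGS))
    print("Tiers:", tier_names(FINDINGS))
```

Note how the CVSS 9.8 infusion pump, which tops the traditional queue, drops to the bottom once its isolated, segmented position is taken into account, while the CVSS 7.5 imaging workstation with a KEV-listed flaw and a high EPSS score moves to the front. The pump's vulnerability has not gone away; the ordering simply reflects that it is not currently exploitable, which is the distinction the interview draws.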

Elrod confirmed the shift is already happening in practice at MultiCare: "We don't even refer to it as vulnerability management in my particular org anymore. We refer to it as exploitability management."

[Figure: Vulnerability management vs exploitability management comparison across prioritization, scope, and healthcare fit. Caption: Exploitability management focuses on real-world risk context rather than theoretical CVSS severity scores.]

The Thermopylae principle: defend the pass, not the entire city

Elrod used a vivid analogy to describe how MultiCare operationalizes exploitability management. "This is the path of Thermopylae," he said. "I can't necessarily protect Athens over here, all of the infrastructure, because it's an enormous task. It's actually not achievable. You cannot patch and protect enough there. But what you can do is say, where can I focus my mitigation controls? Where is that path of Thermopylae?"

For healthcare security teams, the equivalent is identifying the critical communication paths where an attacker must pass to reach high-value clinical systems and concentrating your best controls there.

As Elrod continued: "I may not be able to protect the entire city, but I can protect this one pass. And if I do that, it doesn't really matter if it's vulnerable. It's got to be vulnerable, but it's no longer exploitable. Or at least I can put the best controls, the best visibility, the best auditability right there."

This is where CPS visibility platforms and microsegmentation enforcement work together. Claroty xDome provides the dependency mapping to identify which systems communicate with which, revealing paths that security teams often did not know existed. Identity-based microsegmentation then provides the enforcement layer: constraining those communication paths to only what is operationally necessary.

Patient safety as the cybersecurity north star

Elrod kept circling back to one point: cybersecurity in healthcare is about patient outcomes. Every technical decision maps back to whether a patient gets the care they need.

"If I spend a dollar in cybersecurity, it's not a dollar I spend in a NICU," Elrod said. "There's only one dollar there, so where am I going to spend it? If I'm going to spend it up here, I want to protect all the NICUs. Not just that one."

The HHS 405(d) Health Industry Cybersecurity Practices framework reinforces this point: healthcare organizations should align security investments to patient safety outcomes rather than purely technical risk scores. Elrod's approach at MultiCare reflects this alignment. Every security control must justify itself against the opportunity cost of clinical spending.

For CISOs making budget cases, this shifts the conversation from "we need to reduce our CVE count" to "we need to ensure our most critical clinical systems cannot be compromised." The first is an infinite treadmill. The second is a bounded, measurable objective that clinical leadership can understand.

"Choose your hard": data quality as the foundation for everything

Elrod opened the conversation with a phrase he uses often: "choose your hard." The concept is straightforward. Healthcare organizations face a choice: invest in the difficult, unglamorous work of data quality, lifecycle management, and configuration discipline now, or face the harder consequences of deferred maintenance later.

As Elrod described it: "When you don't choose to have the discipline over time to do certain things in an infrastructure, to maintain a good cadence around life cycles, data quality, data inventories, keeping things up, that's caught up with us. Because the risk of not changing is now so great that it overwhelms any risk of possibly having changed or updated or spent in these past areas."

The connection to AI readiness made his point even more urgent. "Data is the oil of the information age," Elrod said. "But it's the DNA of the AI age." Healthcare organizations that want to use AI-driven security tools (or any AI capability) need clean, well-structured, well-inventoried data. If you skipped that foundational work for the past decade, you now face the compounded cost of catching up before you can move forward.

This is where Elrod sees platforms like Claroty providing value beyond security. "It's tools like Claroty that can show us where all our data is, what should have access to it," he explained. "It will show us, hey, this system talks to this system 99% of the time. I can go to those two systems, say, what is the data, what is the quality? Not only do I see the communication path, but I can now go to this boss and say, I never actually knew there's this third thing that it actually talked to. And it's actually essential to this conversation."

Sorrells reinforced this idea with the concept of "data loneliness," describing isolated, undiscovered data sources across healthcare infrastructure that create blind spots for both security and clinical operations. A nurse call system that communicates with a medication dispensing unit through an undocumented path, for instance, represents both a security blind spot and an unmanaged data dependency. CPS platforms surface these hidden relationships, providing operational intelligence that extends well beyond vulnerability scanning.

From visibility to enforcement: making controls rational

Elrod described something that will resonate with any security leader who has tried to enforce controls without good data: the difference between irrational controls and rational ones.

"I can come in and put irrational controls everywhere," Elrod noted. "But what gives us a rationality to it is the mechanism. I prefer well-formed thoughts and logical narratives, not just thoughts and narratives. And this puts that tooling in place for organizations that, for whatever reason, have that legacy issue, have that legacy debt."

The workflow he described follows a clear pattern: Claroty xDome discovers devices, maps their communication dependencies, and identifies which connections are normal operational traffic versus anomalous. That intelligence feeds into policy decisions. As Elrod put it, "This is the correct pattern. And we can now drop that in and shrink wrap that essentially and have the proper controls that are based on the proper intelligence. So we don't actually impact operations at all and gain the controls."

At MultiCare, this discovery-to-enforcement workflow operates across a broad environment spanning multiple hospitals and hundreds of clinics, with integrations connecting Claroty (Medigate), CrowdStrike, Microsoft Defender, ServiceNow, and identity-based microsegmentation. The breadth of that integration stack reflects a reality that Elrod described as "the flexibility of the controls that you might have with Elisity and the sheer depth of knowledge and intelligence you get from a platform like Claroty." As he put it: "Elisity really helps us build that bridge from where we have been to where we need to go. It's the first solution I've ever seen that does that in a rational fashion."
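The discovery-to-enforcement pattern described in this section and the "third thing nobody knew about" from the data-quality section, worked through as an added example (not code from Claroty, MultiCare or Elisity). A constructed discovery export lists which device identities were seen talking to which, and on how many days of a 30-day window. Consistently observed flows become the allow-list that a microsegmentation policy "shrink wraps" around the environment; one-off flows are held for review rather than silently allowed; and allowed flows absent from the documented inventory are surfaced as undocumented dependencies. The device names, the observation window, the `MIN_DAYS` threshold and the `DOCUMENTED` inventory are all assumptions made for the example.

```python
"""Baseline observed device communication, derive an allow-list policy,
and surface undocumented dependencies. Added example, not vendor code.
All device names, flows and thresholds below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # device identity / role, not an IP address
    dst: str
    port: int
    proto: str


# Constructed discovery export: flow -> number of days seen in a 30-day window.
OBSERVED = {
    Flow("infusion-pump",    "pump-server",    443,  "tcp"): 30,
    Flow("infusion-pump",    "ntp-server",     123,  "udp"): 30,
    Flow("imaging-modality", "pacs",           104,  "tcp"): 30,
    Flow("nurse-call",       "med-dispensing", 8443, "tcp"): 28,  # real, but undocumented
    Flow("workstation",      "infusion-pump",  22,   "tcp"): 1,   # one-off, needs review
}

# Constructed CMDB view of documented (src, dst) relationships.
DOCUMENTED = {
    ("infusion-pump", "pump-server"),
    ("infusion-pump", "ntp-server"),
    ("imaging-modality", "pacs"),
}

MIN_DAYS = 7  # assumed: seen on at least a quarter of the window counts as baseline


def build_policy(observed, min_days=MIN_DAYS):
    """Split observed flows into an allow-list and a review queue."""
    allow = {f for f, days in observed.items() if days >= min_days}
    review = {f for f, days in observed.items() if days < min_days}
    return allow, review


def decide(allow, flow):
    """Default-deny enforcement: only baselined flows pass."""
    return "allow" if flow in allow else "deny"


def dependencies(allow, device):
    """Outbound peers and inbound peers of a device under the policy."""
    outbound = sorted(f.dst for f in allow if f.src == device)
    inbound = sorted(f.src for f in allow if f.dst == device)
    return outbound, inbound


def undocumented_dependencies(allow, documented):
    """Allowed flows whose (src, dst) pair the inventory does not know about."""
    pairs = sorted({(f.src, f.dst) for f in allow})
    return [p for p in pairs if p not in documented]


if __name__ == "__main__":
    allow, review = build_policy(OBSERVED)
    print("allow-list:", sorted((f.src, f.dst, f.port, f.proto) for f in allow))
    print("held for review:", sorted((f.src, f.dst, f.port, f.proto) for f in review))
    print("undocumented:", undocumented_dependencies(allow, DOCUMENTED))
    print("nurse-call depends on:", dependencies(allow, "nurse-call"))
```

The policy is keyed on device identity rather than address, which is what lets the same rule follow a pump across VLANs or clinics. The single SSH flow from a workstation to the pump is the kind of path that gets denied by default once the allow-list is enforced, but it is held for a human decision first, because a one-day observation could just as well be a legitimate maintenance session as an anomaly.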

What exploitability management doesn't solve

The shift to exploitability management is not without challenges. Organizations should consider several practical realities before adopting this approach.

EPSS scores and KEV catalog data are imperfect. EPSS is a probabilistic model, not a guarantee. A vulnerability with a low EPSS score can still be exploited in a targeted attack against your specific environment. The KEV catalog only covers vulnerabilities with confirmed exploitation, meaning zero-day threats are by definition excluded. Elrod acknowledged this directly: "I obviously posit that everybody is vulnerable right now. They just don't necessarily know it. It's called zero days."

The foundational work is genuinely hard. Complete asset inventory, accurate dependency mapping, and clean data require sustained investment. As the SANS 2025 State of ICS/OT Security Survey found, 21.5% of organizations experienced a cybersecurity incident affecting their ICS or OT systems, with 40% of those causing operational disruption. The organizations most affected were those with incomplete visibility into their connected environments.

Compensating controls are not permanent solutions. Network segmentation and microsegmentation reduce exploitability, but they do not eliminate the underlying vulnerability. Organizations still need lifecycle management programs to replace end-of-life devices and maintain patch currency where feasible.

Frequently asked questions about medical device security

How does exploitability management differ from traditional vulnerability management in healthcare?

Traditional vulnerability management prioritizes remediation based on CVSS severity scores, treating all high-scoring vulnerabilities equally regardless of context. Exploitability management incorporates real-world data from CISA's KEV catalog, EPSS exploitation probability scores, and environmental factors like network reachability. For healthcare organizations managing unpatchable medical devices, this focuses resources on vulnerabilities that pose actual risk. As MultiCare CISO Jason Elrod put it, the goal is to make a device "no longer exploitable" even if it remains technically vulnerable.

Why is network segmentation required for healthcare cybersecurity compliance in 2026?

The proposed updates to the HIPAA Security Rule, expected to be finalized in 2026, reclassify network segmentation from an addressable implementation specification to a required standard. This means healthcare organizations will need to demonstrate network segmentation controls as part of their compliance program, not merely document why they chose not to implement them. The HHS 405(d) framework and NIST Cybersecurity Framework 2.0 both reinforce segmentation as a foundational control for protecting electronic protected health information (ePHI) and connected medical devices.

What is the role of cyber-physical systems visibility in protecting healthcare infrastructure?

CPS visibility platforms discover and classify connected devices across clinical and operational environments, including medical devices, building automation systems, and legacy equipment that traditional IT tools miss. Without knowing what devices exist and how they communicate, security teams cannot create policies that protect critical systems without disrupting clinical workflows. Platforms like Claroty xDome provide this asset intelligence, which then informs enforcement decisions through integration with microsegmentation tools.

How can healthcare organizations prepare their data quality for AI-driven cybersecurity?

Start by establishing comprehensive asset inventories that include device identity, communication patterns, and data dependencies. Jason Elrod described data as "the DNA of the AI age," noting that organizations that deferred data quality investments now face compounded costs. Practical steps include deploying CPS discovery platforms to map device communications, integrating asset data across security tools via APIs, and establishing data governance processes for device lifecycle management.

Building the bridge from where we are to where we need to go

The conversation between Sorrells and Elrod surfaced a reality that many healthcare security leaders recognize but few discuss openly: the traditional playbook is not working. Scanning for vulnerabilities, generating reports with thousands of findings, and chasing patches on devices that cannot be patched is not a strategy. It is an exercise in throughput that produces compliance artifacts without meaningful risk reduction.

The alternative these practitioners described is pragmatic, not radical. Know your environment through comprehensive CPS visibility. Understand which vulnerabilities are actually exploitable given your network architecture and controls. Focus your resources on the critical passes, the Thermopylae points where enforcement has the greatest impact on patient safety. And build the data quality foundation now, because every capability you want to deploy in the future depends on it.

When enforcement is paired with deep device intelligence from CPS visibility platforms, healthcare organizations have a practical path to medical device security that moves from overwhelmed vulnerability management to focused, outcome-driven exploitability management. The choice is yours, but as Elrod would say: choose your hard. The cost of continuing to defer is higher than the cost of acting now.

About the author
William Toll is Head of Product Marketing at Elisity, where he focuses on identity-based microsegmentation for healthcare, manufacturing, and critical infrastructure environments. William's work centers on translating complex cybersecurity architecture into practical guidance for security leaders navigating connected device security, OT protection, and Zero Trust network strategies.
