Hospitals sometimes simply lack the resources to maintain an adequate level of full-time cybersecurity staffing. The wide range of patient care devices that now have internet connectivity also presents a unique challenge in terms of keeping up with patches and vulnerabilities. In some cases, very expensive pieces of equipment may not be patchable but are also too critical to be taken out of service until the hospital can source a replacement. One vector by which hospitals are exploited is common to every type of business: email phishing. As with any other type of organization, the primary defense is raising awareness at the individual employee level through regular notices and training. Strong password policies and the implementation of multi-factor authentication help in this area as well, since they limit what an attacker can do with a single phished credential.
The other major vector has been created by the push in recent years to distribute connected and "smart" devices throughout hospitals, each of which creates a new potential point of entry for intruders looking to penetrate the network. Even an attack that aims only to enlist a particular subset of equipment in a botnet or use it as a cryptocurrency miner could have devastating effects similar to the tragedy seen at the German hospital if the equipment slows down or crashes at the wrong moment.
Cybersecurity has become a strategic issue for healthcare facilities. Because they are branded as easy targets with obsolete defenses and poor IS and IT organization, hackers don't hesitate to attack them for whatever profit they can get: paralyzing systems with ransomware, breaking into hospitals' databases and selling patients' information to the highest bidder, threatening to release private information, cutting off their power supply, and so on. These are only a few examples of the many types of cyber-attack healthcare facilities have to deal with.
Hospitals need to move forward together to make the industry less attractive to cybercriminals. Although compliance is essential, it does not equal security, and hospitals should set their target level of cybersecurity beyond the bare requirements of compliance. Knowing your vulnerabilities and the ways in which attackers could exploit them is one of the most valuable insights you can gain when improving your security program.