Oracle system vulnerability highlights precarious security in healthcare

The industry’s urgency to install a patch for an Oracle business system underscores the need for a proactive, ‘whole of nation’ approach.



Cyberattacks remain a challenge for the healthcare industry, with hospitals and other organizations being warned about significant vulnerabilities that lurk just below the visible horizon. 

Earlier this month, one such vulnerability was of such importance that even the Federal Bureau of Investigation raised a warning flag. Its urgent warning pointed to a security alert from Oracle about installing an essential patch. 

This critical vulnerability alert was quickly circulated around the industry, and Oracle issued information on a patch it developed to avert the chance that code could be executed remotely to gain entry to versions of its E-Business Suite.

The Oracle application is in wide use, including by healthcare organizations. It is described as a complete business solution for customers, running in the cloud to provide flexibility and enable quick adaptation to changing business demands. 

Details of the security gap 

But that open access capability also increases the risk of security gaps. And that’s just what was publicized this month. 

In its advisory, Oracle noted that the vulnerability can be “exploited without authentication, i.e., it may be exploited over a network without the need for a user name and password. If successfully exploited, this vulnerability may result in code execution.” 

Translation: You’re wide open to attack by bad actors, who can strike at the heart of your business operations. 

The warning from the FBI’s Brett Leatherman pulled no punches on the risks. “In plain terms: if your EBS environment is reachable on the network, and especially if it’s Internet facing, it’s at risk for full compromise,” he wrote on LinkedIn. “This is ‘stop-what-you’re-doing and patch immediately’ vulnerability. The bad guys are likely already exploiting in the wild, and the race is on before others identify and target vulnerable systems.” 

The vulnerability also has been detailed by the National Institute of Standards and Technology, which has listed a deadline of October 27 to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are unavailable.” 

In addition to Oracle, the FBI and NIST, awareness of the vulnerability was raised by the federal Cybersecurity and Infrastructure Security Agency (CISA), indicating that it enabled an attacker “to compromise Oracle Concurrent Processing,” noting that successful attacks “can result in takeover” of that capability.

The vulnerability has been exploited for about two months. CrowdStrike indicated that the first known use of it in an attack occurred on August 9, although it noted that investigations into its use “remain ongoing.”

For organizations that haven’t acted quickly, the risk is heightened, CrowdStrike contends. “CrowdStrike Intelligence further assesses that the October 3, 2025, proof-of-concept (POC) disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against Internet-exposed EBS applications … This assessment is made with moderate confidence based on the historical precedent of threat actors leveraging public POCs as well as the often-observed transition from targeted exploitation to opportunistic exploitation following vulnerability disclosures and accompanying media and industry attention.”

The FBI urges quick response. Users of the business suite should isolate or firewall related servers to ensure they’re not exposed to the network. And “monitor your threat intel feeds — exploit activity could escalate quickly,” Leatherman notes. “Oracle EBS remains a backbone ERP system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast.” 

Healthcare industry jitters 

It’s no secret that the healthcare industry is one of the preferred targets of attack by cybercriminals. 

And attacks on the financial aspects of the business are of particular concern. The ransomware attack that crippled Change Healthcare had huge downstream cash flow ramifications for the industry, particularly regarding the hundreds of organizations with which Change has business relationships.

That’s the unfortunate nature of the intertwined healthcare industry – there are multiple vectors for attack, including business associates and technology providers. 

Responses to such attack vectors in the healthcare industry remain primarily reactive, and the Oracle incident is a perfect case in point. A lot of access – and monetary loss – can be experienced in the two months of known vulnerability. And no one can be sure that the gap wasn’t used by attackers to enable future attacks through planted code, once public attention on this incident has waned. 

A call to action 

Thus, reactive responses will never be sufficient to protect the industry, both as a business with financial cash flow and as a repository of sensitive patient information. 

That’s a point underscored by Rick Pollack, president and CEO of the American Hospital Association, in its AHAToday newsletter distributed on October 10. 

Hospitals’ and health systems’ defenses “block most attacks,” Pollack writes. “But no individual hospital can defend against all of these very sophisticated criminal and nation-state sponsored attacks. That’s why we need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys as it has effectively done in counterterrorism.” 

This type of coordinated, proactive effort stands the best chance of preventing cyberattacks and minimizing vulnerabilities, he contends. 

Pollack urges a “whole-of-nation” approach. “We continue to encourage our government partners to disseminate threat intelligence and use all their tools — including military, intelligence and offensive cyber capabilities — to disrupt these actors before they attack and prepare to assist when an attack does occur,” he says. “A strong, swift and certain response from the federal government and allied nations to increase risk and consequences for cyber adversaries must be part of the mitigation solution.” 

While the federal government remains mired in a politically inspired shutdown, a coordinated response seems like a pipe dream. But preventive action is necessary, Pollack concludes. 

“As we observe Cybersecurity Awareness Month this October, we must remain aware that the scope, frequency and sophistication of cyber incursions into healthcare have increased steadily,” he notes. “The evolving tactics used by bad actors to steal information, encrypt systems, delay and disrupt patient care, and shut down vital systems continue to put patient care and safety at risk.” 

Fred Bazzoli is the Editor in Chief of Health Data Management.
