Nurse Call Systems Are the Next Attack Surface. 39% Have Critical Unpatched Vulnerabilities.
When senior living operators think about cybersecurity, they think about email phishing, ransomware, and stolen passwords. They rarely think about the nurse call system mounted on the wall of every resident room. They should.
Research by Armis, a leading IoT (Internet of Things) security firm, found that nurse call systems are the single riskiest connected device category in clinical environments. 39% have critical-severity unpatched Common Vulnerabilities and Exposures (CVEs). 48% have unpatched vulnerabilities of any severity. These are not theoretical weaknesses. They are known, documented, and exploitable.
Why Nurse Call Systems Are Different
A compromised workstation in the business office is a cybersecurity incident. A compromised nurse call system is a life-safety event.
When a resident falls in the middle of the night and presses the call button, that signal travels through the nurse call infrastructure to alert staff. If that system is unavailable, delayed, or manipulated, the resident does not receive timely care. In a memory care unit, where residents may be unable to call out verbally or reach a phone, the nurse call system is often the only alert mechanism.
State surveyors treat nurse call system failures as immediate jeopardy findings. In the eyes of regulators, such a failure is not a technology problem. It is a resident safety deficiency.
How Nurse Call Systems Become Vulnerable
Most nurse call systems were designed for reliability, not security. Older systems use proprietary protocols that were never built to resist network-based attacks. Newer IP-based systems connect to the facility's network, which means they are reachable from any device on the same network segment.
Three factors compound the problem in senior living communities.
Firmware updates are rare. Nurse call vendors release patches infrequently, and many communities do not have a process for tracking or applying them. The Armis data shows that nearly half of all deployed nurse call systems are running firmware with known vulnerabilities.
Flat networks are common. In many communities, the nurse call system, business workstations, clinical applications, IP cameras, and guest Wi-Fi all share the same network. An attacker who compromises a single device, even a guest's laptop on the Wi-Fi, can potentially reach the nurse call infrastructure.
No one owns the security of these devices. The nurse call vendor handles installation and maintenance. The IT provider manages computers and servers. The nurse call system falls into a gap between the two, and neither side is actively monitoring it for security threats.
The Expanding IoT Attack Surface
Nurse call systems are not the only connected devices at risk. The Association for the Advancement of Medical Instrumentation (AAMI) and other industry bodies report that smart hospitals and clinical facilities are deploying over 7 million IoMT (Internet of Medical Things) devices globally in 2026. In senior living, this includes:
- IP cameras -- the third riskiest IoT device category, often deployed with default credentials
- Environmental monitoring sensors -- HVAC and water temperature controls increasingly connected to building management networks
- Medication dispensing systems -- connected to pharmacy and eMAR platforms
- Smart locks and access control -- managing resident and staff entry points
- Infusion pumps -- 27% have critical unpatched CVEs (relevant in skilled nursing settings)
Each of these devices expands the network perimeter that must be monitored and defended. Most general-purpose IT providers do not include IoT devices in their security scope.
What Operators Should Do
- Isolate nurse call and clinical IoT on dedicated network segments. Network segmentation using VLANs (Virtual Local Area Networks) ensures that a compromised business workstation cannot reach the nurse call system, and vice versa. This is a fundamental architectural control that most communities can implement without replacing existing equipment.
- Track firmware versions for every connected device. Maintain a documented inventory of all nurse call panels, IP cameras, environmental sensors, and other IoT devices, including their current firmware version and last update date. This belongs in your IT documentation platform alongside your server and workstation inventory.
- Require your nurse call vendor to demonstrate patch currency. Ask your vendor when the last firmware update was released, what vulnerabilities it addressed, and what their patch release cadence is. If they cannot answer these questions, that is a finding for your risk assessment.
- Include IoT devices in your annual risk assessment. The proposed HIPAA Security Rule update will require risk analysis to cover all systems that store, process, or transmit electronic Protected Health Information (ePHI). Nurse call systems that integrate with clinical platforms meet this definition. A risk assessment that only covers workstations and servers is incomplete.
- Monitor for anomalous network traffic from IoT devices. Nurse call systems should generate predictable, low-volume network traffic. A nurse call panel suddenly communicating with an external IP address or generating high-volume traffic is an indicator of compromise that should trigger an alert.
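The segmentation and traffic-monitoring recommendations above can be checked against flow logs exported from a switch or firewall. The sketch below is an added example, not code from Armis or any nurse call vendor; the subnets, allow-listed peers, baseline, threshold, and flow records are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) addressing plan: one site range, one nurse call VLAN.
SITE_NET = ipaddress.ip_network("10.0.0.0/8")
NURSE_CALL_NET = ipaddress.ip_network("10.20.30.0/24")
# Assumed allow-list: the only peers a panel should contact (e.g. head-end server).
ALLOWED_PEERS = {ipaddress.ip_address("10.20.30.5"), ipaddress.ip_address("10.20.30.6")}
# Assumed baseline: bytes per device per 5-minute window, and the alert multiple.
BASELINE_BYTES = 20_000
SPIKE_FACTOR = 10

# Constructed sample flow records: (window, src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("00:00", "10.20.30.41", "10.20.30.5", 5060, 4_200),
    ("00:00", "10.20.30.42", "10.20.30.5", 5060, 3_900),
    ("00:05", "10.20.30.41", "203.0.113.77", 443, 1_500),   # leaves the site
    ("00:05", "10.20.30.42", "10.10.0.23", 445, 900),       # reaches another segment
    ("00:10", "10.20.30.43", "10.20.30.5", 5060, 150_000),
    ("00:10", "10.20.30.43", "10.20.30.5", 5060, 120_000),  # adds up to a spike
    ("00:10", "10.10.0.23", "10.10.0.1", 53, 300),          # not a nurse call device
]

def detect(flows):
    """Return (window, device, alert_kind, detail) tuples for nurse call devices."""
    alerts, volume = [], defaultdict(int)
    for window, src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in NURSE_CALL_NET:
            continue  # only traffic originating from nurse call devices is judged
        volume[(window, src)] += nbytes
        if d in ALLOWED_PEERS:
            continue  # expected peer; only its volume is checked below
        # Any other peer is unexpected: inside the site it points to a
        # segmentation gap, outside the site it is an external destination.
        kind = "unexpected-internal-peer" if d in SITE_NET else "external-destination"
        alerts.append((window, src, kind, f"{dst}:{port}"))
    for (window, src), total in sorted(volume.items()):
        if total > BASELINE_BYTES * SPIKE_FACTOR:
            alerts.append((window, src, "volume-spike", f"{total} bytes"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

In practice the baseline would be measured per device over a quiet period rather than set as a single constant.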
The Competitive Advantage of Getting This Right
Senior housing occupancy hit 89% in Q4 2025 and is approaching historic highs. Institutional investors are pouring capital into senior living acquisitions. Operators who can demonstrate mature cybersecurity posture, including IoT security and network segmentation, are better positioned for favorable insurance premiums, clean state surveys, and investor confidence during due diligence.
The operators who treat nurse call security as an IT afterthought are the same operators who will face the hardest questions when something goes wrong.
Do you know what is connected to your network?
Tech for Senior Living designs network architectures specifically for senior living communities, with dedicated VLANs for clinical systems, IoT devices, and business operations. We track firmware versions, monitor for anomalous traffic, and include every connected device in your compliance documentation.