Medical device security improves, but cyberattacks remain pervasive
Healthcare organizations are increasingly integrating cybersecurity into medical device procurement and investment decisions, but risk exposure remains high, new research shows.
Medical device security has long been a challenge for the healthcare sector. Legacy devices with unpatched vulnerabilities, an expanding attack surface and the rapid adoption of AI-enabled medical devices contribute to the complexity of every health system's device ecosystem, creating challenges that require a thoughtful, proactive security strategy.
Despite these challenges, the healthcare sector has made significant progress in integrating cybersecurity into device procurement and investment decisions, according to new data from RunSafe Security, a company that offers embedded software security tools to critical infrastructure organizations.
RunSafe based its research on survey data collected via Pollfish in March 2026. All 551 respondents were involved in medical device purchasing decisions at their healthcare organizations.
Despite the notable improvements, medical device security progress is at odds with the widening risk exposure and growing frequency of attacks on medical devices, the research asserted.
Healthcare strengthens medical device security
"Medical device cybersecurity has entered a new phase. Healthcare organizations are strengthening procurement requirements, increasing investment, and adopting new security practices," the report stated.
Medical device security has evolved in recent years, with healthcare organizations bolstering procurement requirements and adopting new security practices.
Nearly 81% of respondents rated a software bill of materials (SBOM) as "important" or "essential" when evaluating devices, and 35% said they would not consider a device without one.
Additionally, 56% of respondents said they had rejected a device due to cybersecurity concerns, up from 46% in 2025. More than three-quarters of respondents said they would pay a premium for devices with advanced cybersecurity protections, and 77% of respondents said their organizations increased cybersecurity resources in the past year.
More than 80% of respondents said they had deployed or are actively piloting runtime exploit protection tools, which defend devices when patches cannot be applied.
These notable improvements have been driven in part by regulations and guidance from the FDA -- 79% of respondents said regulations have meaningfully influenced their procurement processes. In June 2025, the FDA finalized its mandatory lifecycle security requirements for medical devices.
The survey responses show that healthcare organizations are raising their security standards during device procurement, signifying a positive shift for the sector.
Device security risks persist
Cybersecurity standards are rising, but so is risk, the report indicated. Nearly 60% of respondents said they were extremely concerned about a cybersecurity incident impacting medical devices. For nearly a quarter of respondents, that concern had already become a reality.
Of the respondents who experienced a cyberattack, 80% reported moderate or significant impact on patient care, from extended hospital stays to manual workarounds and downtime.
Nearly 30% of respondents said they were operating devices past end-of-support, and 44% said they were running end-of-support devices with known, unpatched vulnerabilities.
AI has added another layer of complexity to medical device security. More than half of respondents said they use AI-enabled medical devices, and most (80%) were concerned about the potential cybersecurity risks AI introduced.
"Cyberattacks are becoming more frequent, the impact on patient care is worsening, and legacy device exposure persists in critical environments," the report stated. "The data suggests that while organizations are strengthening how they buy and secure devices, the underlying sources of risk -- unpatchable systems, expanding connectivity, and emerging technologies -- are not being reduced at the same pace."
RunSafe recommended that healthcare organizations formalize cybersecurity requirements across all device categories, develop AI-specific cybersecurity frameworks and maintain a complete device inventory to promote full visibility.
As the cyberthreat landscape continues to evolve, healthcare organizations, manufacturers and policymakers will have to continue to prioritize medical device security and balance innovation with risk.
Jill Hughes has covered health tech news since 2021.