Increase in Medical Device Cyberattacks Raises Patient Care Impact and Cybersecurity Risk Concerns

Healthcare organizations are reporting an increase in both the frequency and severity of cyberattacks affecting medical devices, with documented impacts on patient care and operational continuity.

Rising Concern Over Medical Device Cybersecurity

A survey conducted by RunSafe Security among 551 healthcare professionals in the United States, United Kingdom, and Germany identified sustained concern regarding cybersecurity risks to medical devices. Fifty-nine percent of respondents reported being extremely or very concerned about a cybersecurity incident involving medical devices. Nearly one-quarter indicated that an incident impacting medical devices had already occurred within their organization.

Among respondents who experienced a cyberattack, 80 percent reported a moderate or significant impact on patient care. This represents an increase from 75 percent reported in the previous year.

Operational Impact and Downtime

Cyberattacks affecting medical devices frequently result in operational disruption. Thirty-nine percent of respondents reported experiencing downtime lasting 5 to 12 hours, and 37 percent experienced 1 to 4 hours of downtime. Eleven percent reported 13 to 24 hours of downtime, while 5 percent reported downtime of more than 3 days.

Electronic medical records were the most commonly affected systems, impacting 35 percent of organizations. Other affected systems included patient monitoring devices at 23 percent, networked surgical equipment at 10 percent, medical imaging systems at 8 percent, and lab and diagnostic equipment at 1 percent.

Remote Access and Exposure Risks

The survey identified increased exploitation of remote access pathways, with 38 percent of respondents reporting incidents involving remote access exploitation. Organizations without network segmentation, access controls, or runtime protections were identified as having higher exposure to these risks.

Persistent Use of Legacy Medical Devices

Healthcare organizations continue to operate legacy medical devices that are past end-of-support. These devices are being used in different care environments, such as inpatient wards, emergency departments, operating rooms, outpatient settings, and intensive care units.

Twenty-eight percent of respondents reported using legacy devices, and 44 percent confirmed using devices with known and unpatched vulnerabilities. Thirty-eight percent stated that they are occasionally or frequently unable to apply patches to certain devices.

Of the respondents who used legacy devices, 42 percent reported that 10 to 25 percent of those devices ran unsupported operating systems.

The primary reasons cited for continued use include lack of acceptable replacements at 38 percent, budget constraints at 36 percent, regulatory or approval constraints at 34 percent, absence of a vendor upgrade path at 24 percent, and lack of formal risk acceptance by leadership at 17 percent.

Growth of AI-Enabled Medical Devices

Fifty-seven percent of respondents reported current use of AI-enabled or AI-assisted medical devices. Eighty percent of these respondents are concerned about cybersecurity risks with the use of these technologies.

Procurement Practices and Security Controls

Eighty-five percent of respondents reported including cybersecurity requirements in procurement processes, an increase from 83 percent in the prior year. Fifty-six percent indicated that they have rejected a medical device due to cybersecurity concerns.

Eighty-one percent of respondents rated software bills of materials as important for medical devices. Seventy-nine percent reported that regulatory guidance, including FDA cybersecurity guidance or EU MDR requirements, has influenced procurement decisions, up from 73 percent in the previous year.

To minimize the risks associated with unsupported devices, 82 percent of respondents reported using exploit protection as a compensating control.

Ongoing Risk Conditions

The survey findings indicate that while healthcare organizations have increased their focus on medical device security, the rate of cyber threats continues to rise, along with the severity of their impact on patient care. To remain in compliance with HIPAA, organizations need additional security measures that address both newly introduced devices and legacy systems that remain in operation.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone