A new report casts light on the security challenges and spending patterns of cybersecurity leaders in healthcare. The survey – based on a poll of more than 600 healthcare IT decision-makers who play a role in medical device purchasing – found that 22% had experienced cyberattacks targeting their organizations’ medical devices.
Of those, 75% tied those incidents directly to patient care compromise.
WHY IT MATTERS
Many showed a lack of confidence in their organization’s ability to defend against cybersecurity attacks on medical devices. That feeling is so acute that 46% of survey respondents reported having declined to purchase devices, said McLean, Virginia-based RunSafe Security, which commissioned the survey.
The report, 2025 Medical Device Cybersecurity Index, released Thursday, is based on research involving IT professionals with close knowledge of medical device security from the U.S. and abroad. Their opinions revealed a troubling pattern about the security of the patient diagnosis, treatment and monitoring equipment on which providers rely, researchers said.
“While electronic health records systems experienced the highest rate of compromise at 52%, many cyber attackers have moved beyond data theft to operational disruption,” they noted in the new report. “This includes the direct targeting of critical medical devices that come into contact with patients and sustain life.”
The targeting of mission-critical infrastructure, and of the software and firmware powering medical devices and other health IT applications, is intentional: disrupting equipment whose failure can cause fatalities is being exploited for maximum impact.
While one-third of organizations surveyed experienced ransomware designed to disrupt device operations over the last year, malware infections (51%) and network intrusions (44%) remain cybercriminals’ primary weapons.
The situation is forcing health systems to quarantine devices, isolate entire systems from their networks and look for built-in security to minimize the burden of post-deployment patching.
Of the organizations that said they experienced medical device compromise, 43% reported one to four hours of downtime, 31% reported five to twelve hours of outages, and 19% lost use of medical devices for more than thirteen hours.
“Transparency through software bills of materials is also emerging as a critical requirement,” researchers said, with 78% of respondents citing them as “essential” or “important” in procurement decisions.
Most of these buyers (79%) said that they are willing to pay more for advanced runtime protection or built-in exploit prevention.
THE LARGER TREND
The healthcare industry has been demanding collective action to address vulnerabilities exploited by advanced persistent threat groups, but health tech industry efforts to create software bills of materials (SBOMs) have languished since before a significant spike in activity two years ago.
SBOMs are critical to helping enterprise end users evaluate and track underlying technologies, according to Darren Lacey, the former chief information security officer at Johns Hopkins.
“If we are, for example, evaluating a large language model, we need to understand enough about underlying training data and model function in order to put together a testing program,” he told Healthcare IT News last year. “These are all deep technical issues that require an educated and continuously educating IT workforce.”
ON THE RECORD
“With healthcare buyers willing to pay premium prices for enhanced security features, medical device manufacturers now have the economic foundation to invest more heavily in security innovation, ultimately raising the baseline security standards across the industry,” researchers said in the report.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.