The integration of wearable devices into modern healthcare enables continuous patient monitoring and data-driven treatment. Yet, with this digital transformation comes significant cybersecurity risk. Once isolated threats are now global concerns as the Internet of Medical Things (IoMT) becomes a critical infrastructure in healthcare. Vulnerabilities in supply chains, hardware backdoors and inadequate regulations could turn life-saving technologies into entry points for malicious actors. As the boundaries between medical devices and consumer electronics blur, ensuring security at every stage of their development and deployment is now essential to safeguard both individuals and health systems. 

 

From Fictional Threats to Real-World Weaknesses 

Cybersecurity threats to medical devices once seemed far-fetched, often relegated to fictional portrayals. However, these narratives have become a precursor to real-world vulnerabilities. Early warnings about implantable cardioverter-defibrillators inspired ethical hackers to replicate potential attacks, and although these cases were fictional or hypothetical, they raised legitimate concerns. In 2016, a report alleged that a major device manufacturer's implants contained vulnerabilities that could allow remote control of the devices. While clinically significant attacks could not be replicated independently, the fallout included a major stock dip, a congressional hearing and the first device recall due to cybersecurity risks. Similar concerns were uncovered in insulin pumps and other devices. 

 

Over the past decade, IoMT has shifted from high-cost, embedded implants to affordable, disposable devices. Many now resemble consumer wearables, incorporating components sourced from global, often opaque, supply chains. These systems underpin modern remote care and Hospital-at-Home models, marking a fundamental shift in healthcare delivery. However, their growing complexity and international sourcing have amplified the risks of supply chain infiltration and device manipulation, exposing critical healthcare infrastructure to unprecedented levels of vulnerability. 

 

Supply Chain as a Geopolitical Battleground 

The risk landscape has evolved beyond software flaws. Recent incidents highlight the possibility of deliberate sabotage within global supply chains. Some devices have reportedly been compromised during production to cause harm. These developments have shifted the cybersecurity conversation towards hardware vulnerabilities, particularly those introduced through foreign-manufactured components. 

 


 

A prominent example involved the discovery of a backdoor vulnerability in the Contec CMS8000 patient monitor, used widely in both clinical and home settings. This hardware flaw allowed remote code execution, raising the spectre of undetected data manipulation or alarm suppression. While no specific malicious intent was confirmed, the implications for patient safety and national security are profound. As these examples demonstrate, the infiltration of medical supply chains is no longer a theoretical threat—it is an emerging geopolitical concern. 

 

Building a Resilient IoMT Ecosystem 

Securing the future of IoMT requires both regulatory action and technical innovation. Regulatory frameworks such as the EU’s Cyber Resilience Act mandate lifecycle-wide cybersecurity requirements, but notably exclude medical devices. While the EU Medical Device Regulation and the US Federal Food, Drug and Cosmetic Act provide some guidelines, these remain less detailed in the context of cybersecurity. The growing complexity of the IoMT ecosystem demands more explicit and enforceable security standards. 

 

Technical measures must also form a core part of the response. A secure foundation starts at the manufacturing stage through the use of a Root of Trust—embedding components such as eSIMs or Trusted Platform Modules (TPMs) that authenticate software and prevent tampering. TPMs, for instance, can verify device integrity at boot and ensure only authorised software is executed. In contrast, eSIMs are essential for network authentication but provide limited protection against internal compromise. 

 

At the software level, adopting the “Secure by Design” approach, guided by the Principle of Least Authority, can minimise exposure. Software managing sensitive patient data should operate within strict access controls to reduce harm if compromised. The use of modular “chiplet” architectures, which separate hardware functions by supplier, offers further protection against component-level threats. 

 

Once devices are deployed, Zero Trust models provide ongoing defence, continually verifying device and user identity, and segmenting network access. These combined strategies offer a comprehensive security architecture, necessary to address the invisible risks embedded within complex IoMT supply chains. 
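The boot-time integrity check attributed to TPMs above, and the continuous device verification that a Zero Trust model relies on, both rest on the same mechanism: a PCR that can only be extended, never set, so each boot stage is chained to every stage before it. The following is an added illustration written for this article, not code from the paper or any vendor; the component names, firmware images and "golden" values are constructed.

```python
import hashlib

# Constructed measured-boot model in the style of a TPM PCR (not vendor code):
#   PCR_new = SHA256(PCR_old || SHA256(component))
# A PCR resets to zeros and can only be extended, so a tampered stage
# cannot be hidden by later stages.
PCR_INITIAL = bytes(32)

def measure(component: bytes) -> bytes:
    """Digest of one boot component (bootloader, kernel, sensor firmware)."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR_Extend semantics: hash the old value concatenated with the digest."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components):
    """Return (final_pcr, event_log) for an ordered list of (name, image)."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        d = measure(image)
        pcr = extend(pcr, d)
        log.append((name, d.hex()))
    return pcr, log

def verify_event_log(reported_pcr, log, golden):
    """Replay the event log against known-good digests and the TPM-reported PCR.
    Returns (ok, first failing component) so an operator can see which stage changed."""
    pcr = PCR_INITIAL
    for name, digest_hex in log:
        if golden.get(name) != digest_hex:
            return False, name          # a stage does not match the approved build
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    if pcr != reported_pcr:
        return False, "pcr"             # log was edited; it no longer replays to the PCR
    return True, None

# Constructed firmware images standing in for a wearable's boot chain
GOOD_CHAIN = [("bootloader", b"boot-v1.2"),
              ("kernel", b"kernel-v5.10-medical"),
              ("sensor_fw", b"sensor-fw-v3")]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_CHAIN)
GOLDEN = dict(GOLDEN_LOG)   # approved per-stage digests kept by the verifier

def admit_device(components):
    """Zero Trust style admission: the device must prove a known-good boot chain."""
    pcr, log = measured_boot(components)
    return verify_event_log(pcr, log, GOLDEN)

if __name__ == "__main__":
    print(admit_device(GOOD_CHAIN))
    print(admit_device(GOOD_CHAIN[:2] + [("sensor_fw", b"sensor-fw-v3-modified")]))
```

The replay step matters: a device can present a clean-looking log, but it cannot make a forged log replay to the PCR value the TPM actually holds.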

 

The evolution of medical devices over the past decade has introduced powerful tools for patient care but also new vectors for harm. What began as hypothetical scenarios has materialised into verifiable vulnerabilities, exposing the fragility of the IoMT ecosystem. As medical devices transition from isolated systems to interconnected platforms, the risks associated with supply chain compromise, embedded backdoors and software manipulation have grown exponentially. 

 

A coordinated response is needed. Regulatory frameworks must be strengthened and adapted to the specific needs of IoMT, ensuring clarity and enforcement across borders. Manufacturers must integrate robust security features from the earliest stages of production, adopting practices such as Secure by Design, Roots of Trust and Zero Trust architectures. Transparency and traceability in global supply chains must improve, backed by formal verification methods and proactive monitoring. 

 

Protecting the future of healthcare requires vigilance, innovation and collaboration. Without immediate action, the very technologies that promise to improve patient outcomes could become sources of personal and national risk. Securing the IoMT must be treated as a critical priority for both policymakers and industry leaders. 

 

Source: npj digital medicine 



References:

Ostermann M, Freyer O, Weinhold C et al. (2025) How secure are your health devices—stopping wearables becoming a personal and national security risk? npj Digit. Med., 8:317.


