Medical devices are firmly embedded in interconnected healthcare systems. From infusion pumps to patient monitors, these devices are no longer peripheral tools; they are integral to clinical operations and patient survival. Consequently, the rise in cyberattacks targeting this operational technology (OT) is pushing healthcare organisations to overhaul procurement strategies and prioritise cybersecurity as a critical pillar of patient safety. Findings from a recent survey of 605 healthcare executives across the US, UK and Germany illuminate this dramatic shift.

 

Cyber Threats Disrupting Patient Care 
The threat to medical devices is no longer theoretical. According to the index, 22% of healthcare organisations have suffered cyberattacks on medical devices, with 75% of those incidents directly impacting patient care. These attacks have led to operational disruptions including manual process reversion, delayed diagnoses, prolonged hospital stays and patient transfers. In the most severe cases, device downtime extended beyond three days, significantly compromising care delivery. 

 


 

Attackers have begun deliberately targeting high-impact systems such as infusion pumps and monitors, recognising their critical role in life-sustaining procedures. Malware and ransomware, which once primarily focused on data theft, are now being designed to cripple devices central to patient monitoring and treatment. Additionally, 26% of attacks stemmed from supply chain compromises, showing that vulnerabilities can propagate across the healthcare ecosystem undetected. These developments make clear that protecting medical devices is no longer a technical issue—it is a matter of clinical safety. 

 

Procurement Processes Shaped by Cybersecurity Demands 
The urgency of the cybersecurity threat is dramatically altering how healthcare institutions evaluate and acquire medical devices. Cybersecurity has transitioned from a secondary consideration to a procurement prerequisite. The index shows that 83% of organisations now embed cybersecurity standards in their request-for-proposal (RFP) processes, with 38% including detailed, non-generic requirements. Almost half of surveyed organisations have already refused device purchases due to insufficient security. 

 

This new scrutiny reflects a broader shift: vendor relationships are now contingent on demonstrable security practices. A third of healthcare organisations report a loss of trust in vendors following security incidents and are demanding additional verification—even from previously trusted suppliers. The influence of regulatory frameworks is also profound. The FDA’s recent mandates and the EU’s Cyber Resilience Act require cybersecurity transparency and preparedness, driving buyer expectations further. Devices must now meet not only functional and clinical standards but also regulatory cybersecurity compliance to access these markets. 

 

Built-In Protection and Budget Priorities 
While budgets for OT and medical device security are increasing—75% of organisations have allocated more funding over the past year—confidence in current defences remains low. Only 17% of respondents express strong confidence in their ability to detect and contain attacks. This discrepancy underscores the inadequacy of traditional IT security strategies when applied to medical devices, which often run on legacy systems and require continuous availability. 

 

Healthcare buyers are responding by seeking devices with built-in security features rather than relying on post-market fixes. Sixty percent of respondents now prioritise such protections, and 79% are willing to pay a premium—up to 15% more—for devices equipped with runtime protection or exploit prevention. Transparency is also a growing demand, particularly through Software Bills of Materials (SBOMs), which 78% of organisations consider essential or important. Despite technical challenges in generating reliable SBOMs for embedded systems, their role in vulnerability management is undeniable. 

 

The convergence of regulatory mandates, operational risks and financial incentives is redefining what constitutes an acceptable medical device. Procurement is no longer driven solely by cost and functionality; cybersecurity has become a central determinant of market access and clinical suitability. Healthcare organisations are making risk-based purchasing decisions, willing to invest more in devices that assure both protection and transparency.

 

Medical device manufacturers must adapt to this new reality. Those who integrate security features at the design stage, provide accurate SBOMs and offer runtime protections are positioned to lead. In contrast, those that delay security considerations risk exclusion from an increasingly discerning and regulated marketplace. In a healthcare environment where cyber threats can derail care and endanger lives, cybersecurity becomes a foundation for trust, operational continuity and patient safety. 

 

Source: RunSafe 

Image Credit: iStock 

 



