Providers flex purchasing muscle to buy safer medical devices
While cybersecurity efforts are increasing, widely known vulnerabilities are still in place, exacerbated by fears about AI-enabled devices.

Nearly a decade ago, in an award-winning article in Health Data Management, we were one of the first publications to expose the growing risks that medical devices posed to information security.
“Security experts and federal officials say the devices could become the focal point of a perfect storm for compromising healthcare data security and placing patient safety at risk,” the article presciently noted. “That’s because the vulnerability of devices to cyberattacks is well known, and hackers are becoming emboldened to find new ways to attack healthcare organizations.”
Despite the risk of hacks, warnings from federal agencies and continuing alarms sounded by security professionals, security risks posed by medical devices continue to increase, frustrating healthcare organizations.
Now, more organizations are ramping up pressure on device manufacturers, according to recent research by RunSafe Security. Increasingly, they’re using purchasing muscle to shift equipment buys to companies that manufacture secure products.
This is essential, because cyberattacks against devices continue to rise as artificial intelligence is built into devices and as reliance continues on “unsupported vulnerable systems in clinical environments,” RunSafe analysts note.
Still, analysis of data by RunSafe suggests that providers are wielding security requirements prior to purchase to get device manufacturers to adhere to better security practices.
Seller, get on board
Providers are feeling the cybersecurity pressure to button down their networks, and medical device vulnerabilities are now in their crosshairs. They’re responding by becoming careful purchasers and laying down stiffer requirements in their requests for proposals.
“Healthcare organizations are strengthening procurement requirements, increasing investment and adopting new security practices,” notes the introduction to RunSafe Security’s 2026 Medical Device Cybersecurity Index. The report’s results are based on a survey of 551 healthcare professionals throughout the U.S., the United Kingdom and Germany.
The stakes are rising, researchers assert, because of concerns that AI-enabled medical devices introduce risks to security. In addition, attack vectors are rising because of the continued reliance on unsupported, vulnerable systems in clinical environments. Attempts to mitigate those risks include the “emergence of runtime protection and continuous monitoring as adaptive defenses.”
But the survey data indicates that most providers are flexing their purchasing muscles to buy safer medical devices. “Healthcare organizations are making measurable progress in integrating cybersecurity into procurement, operations and investment decisions,” the researchers concluded.
The survey found that 84 percent of healthcare organizations “include cybersecurity requirements in vendor (requests for proposal) – 43 percent with detailed requirements, up from 38 percent in 2025.” More than half (56 percent) of respondents said their organization had rejected the purchase of a medical device because of cybersecurity concerns, an increase from 46 percent in the previous year.
Defensive postures
Purchase decisions continue to weigh heavily on whether vendors provide a software bill of materials (SBOM), which is a list of ingredients that make up software components. The Cybersecurity and Infrastructure Security Agency notes that SBOM “has emerged as a key building block in software security and software supply chain risk management.” Nearly 81 percent of survey respondents say they now rate an SBOM as important or essential; more than a third (35 percent) say they will not consider purchasing devices that don’t have one.
Runtime protection – technology that defends devices even when patches can’t be applied – is being deployed or piloted by 82 percent of organizations, with nearly a third of those saying they’ve deployed it widely.
Still, it’s risky for business
However, greater security awareness around devices is being met by increased threats from attackers, survey respondents indicated.
“Cyberattacks on medical devices are becoming more frequent, and more harmful to patient care,” the RunSafe analysts conclude.
Security professionals find they are “under pressure from regulators, attackers and the compounding risks of legacy devices that cannot be patched” to ensure adequate security, data from the survey shows.
Nearly six in 10 respondents (59 percent) reported being extremely or very concerned about a cybersecurity incident affecting medical devices. And concerningly, nearly one out of every four respondents (24 percent) said their organizations have already experienced an attack.
Patient harm is a top-of-mind concern among respondents. Of those whose organizations have faced a cyberattack, 80 percent of respondents reported moderate or significant impact on patient care. “Extended stays and manual workarounds affected nearly half of the impacted organizations, and recovery times are growing longer,” researchers noted.
Systems affected by medical device-related cyberattacks include EHR systems, reported by 35 percent; patient monitoring devices, 23 percent; laboratory and diagnostic equipment, 18 percent; networked surgical equipment, 10 percent; and imaging systems, 8 percent.
Respondents describing the nature of the attacks said nearly half (48 percent) involved malware infection requiring device quarantine; 41 percent resulted in network intrusion requiring device isolation; 38 percent involved remote access exploitation; 32 percent involved ransomware that affected device operation; and another 32 percent involved a vendor-identified vulnerability that required urgent patching.
Legacy devices remain a significant vulnerability. Some 28 percent of organizations operate devices past end-of-support, and 44 percent of respondents acknowledge running end-of-support devices with known, unpatched vulnerabilities.
Device-related cybersecurity incidents are affecting purchasers’ trust of vendors, RunSafe data indicate. In 2026, 40 percent of organizations “reported that security incidents had affected their trust in specific vendors and were now requiring additional verification. Seven percent report having stopped purchasing from specific vendors entirely, and 23 percent report heightened caution in vendor evaluation going forward.”
Finally, there’s general concern about AI-enabled or AI-assisted devices, reported to be in use at 57 percent of organizations. Some 80 percent of respondents “express at least moderate concern about the cybersecurity risks that (these devices) introduce,” researchers noted.
Still, providers are living in a paradoxical world, the analysis finds. “While healthcare organizations are improving how they evaluate and purchase secure devices, they remain exposed to risks that procurement alone cannot solve,” the researchers conclude.
The RunSafe Security report can be accessed here.
Fred Bazzoli is the Editor in Chief of Health Data Management.