That security gap may not last forever, as healthcare organizations have spent several years building better procurement defenses against medical device cyber risk.
Cybersecurity requirements are appearing in more vendor requests for proposals with greater specificity. Software Bills of Materials (SBOMs) have moved from emerging best practice to near-universal expectation. Budgets are growing for the second consecutive year.
That gap sits at the center of RunSafe Security's 2026 Medical Device Cybersecurity Index, based on a survey of 551 healthcare professionals across the U.S., UK, and Germany.
And yet, by nearly every outcome measure, the risks are worsening.
Eighty percent of organizations hit by a device attack reported moderate or significant patient care disruption, and a separate Halcyon/Health-ISAC study found that in-hospital mortality increased by 33% during ransomware incidents.
The 2024 Synnovis attack in London resulted in a confirmed patient fatality.
Also, medical-device suppliers themselves are high-value targets. Consider the recent Stryker attack. Stryker became a prime target because of its role in the U.S. military supply chain and its ties to Israel, explains Allie Mellen, principal analyst at market research firm Forrester.
"Stryker is a large U.S. publicly traded company, with offices globally, including a company that they acquired in Israel. They're also a big supplier for the U.S. military for medical devices," she says.
As medical device attacks become more frequent, harm is growing
The share of organizations that experienced a cyberattack via vulnerability exploits in a medical device rose from 22% in 2025 to 24% in 2026. More significant than frequency is severity: Among those affected, 80% reported a moderate or significant impact on patient care. That's up from 75% the prior year. Extended stays and manual workarounds affected nearly half of the impacted organizations, and recovery times are growing longer.
The typical downtime window lasted 5 to 12 hours, reported by 39% of those affected, while 5% experienced disruptions lasting more than three days. Attack types are also shifting. While malware infections and network intrusions remain common, remote access exploitation has become a significant threat vector, cited by 38% of respondents who experienced an incident.
This reflects a fundamental risk: devices once isolated from networks are now connected, and that expanded attack surface is being actively targeted. Organizations without network segmentation, access controls, and runtime protections in place carry measurable exposure.
The downstream effects are also affecting vendor relationships. In 2025, 32% of organizations said incidents had affected their trust in specific vendors and prompted additional verification. In 2026, that figure climbed to nearly 40%. Seven percent report having stopped purchasing from certain vendors entirely.
The difficulty associated with securing healthcare environments makes device security especially critical as part of a layered defense. "These are not IT assets, and they can't be managed like IT assets," says James Winebrenner at zero trust network security provider Elisity.
Legacy devices are the weak link
While procurement is improving, the harder problem is what organizations cannot buy their way out of: Nearly three in 10 operate devices past the manufacturer's end-of-support date, and 44% of those acknowledge running devices with known, unpatched vulnerabilities. These are not edge cases sitting in storage; they are operating in emergency departments, ICUs, and operating rooms.
When organizations were asked why they continue to run vulnerable devices, the answers reflect genuine constraints. The most cited reasons were the absence of an acceptable clinical replacement (38%), budget limitations (36%), and regulatory or approval hurdles (34%). In many cases, keeping vulnerable hardware running is the least-bad clinical option available.
This gap is almost certainly driving the rapid adoption of runtime exploit protection. Runtime exploit protection defends devices against attacks without requiring a patch. In 2025, 36% of organizations actively sought devices with these capabilities. In 2026, 82% report having deployed or actively piloted them.
Good news: procurement standards are tightening and working
Eighty-four percent of organizations now include cybersecurity requirements in vendor RFPs, with 43% specifying detailed requirements, up from 38% in 2025. More telling: 56% have rejected a device on security grounds, up sharply from 46% the prior year.
The most common rejection grounds include known vulnerabilities, lack of patching support, and weak authentication. Absence of an SBOM accounts for 34% of rejection decisions. That figure reflects how quickly SBOM expectations have hardened. Currently, 81% of respondents rate SBOMs as important or essential, and 35% say they will not consider a device without one. For manufacturers without that capability, that is an effective disqualifier in more than a third of the market.
AI devices are arriving faster than security frameworks
The biggest emerging concern involves AI-enabled and AI-assisted medical devices. More than half of the surveyed organizations (57%) are already using them. However, the security frameworks needed to evaluate and monitor them are significantly less mature than those that exist for conventional software and hardware.
The attack surface introduced by these devices is distinct from conventional device vulnerabilities. Model manipulation, data poisoning, and adversarial inputs represent risk categories that standard procurement checklists are not built to assess. Most organizations have not developed evaluation criteria specific to AI-enabled devices. That's a gap that, if prior technology adoption patterns hold, will accumulate exposure for years before the industry catches up.
The core challenge procurement alone can't meet
The RunSafe Security 2026 Medical Device Cybersecurity Index data captures an industry that is improving the quality of what it buys while carrying an installed base that it cannot always patch, replace, or fully inventory. Continued budget growth and stricter RFPs address the margin of new procurement. They do not address the mass of legacy exposure already in clinical use.
Closing that gap requires security built into devices before they reach clinical environments and practical compensating controls for devices already deployed that cannot be replaced. Both are necessary. At current rates, neither is keeping pace with the threats.
