One-in-four (24%) healthcare organizations (HCOs) experienced cyber-attacks impacting medical devices over the past year, causing potentially significant disruption to patient care, according to RunSafe Security.
The security vendor polled 551 healthcare professionals across the US, UK and Germany to produce its 2026 Medical Device Cybersecurity Index.
It revealed that, in 80% of cases, attacks affecting devices had a “moderate” or “significant” impact on patients.
This could range from delayed imaging and postponed procedures to interruptions to critical care delivery, RunSafe claimed.
Read more on medical devices: Nine in Ten Healthcare Organizations Use the Most Vulnerable IoT Devices
Cybersecurity is increasingly being integrated into procurement and operations. Some 82% of respondents said they have deployed or are actively piloting runtime exploit protection, 84% said they include cyber in vendor RFPs, and 76% that they would pay extra for advanced protection.
However, legacy equipment continues to expose many HCOs.
Over two-fifths (44%) of responding organizations said they use devices with known, unpatched vulnerabilities, and 28% admit operating devices past end-of-support.
Medical Device Manufacturers Hit by Major Cyber-Attacks
The findings come as device manufacturers themselves come under attack.
This week, US giant Medtronic admitted suffering a data security incident after notorious extortion group ShinyHunters listed the firm on its leak site in mid-April.
The threat actors claimed to have exfiltrated more than nine million records containing personal information, alongside large volumes of internal corporate data.
Separately, Fortune 500 medical technology vendor Stryker was impacted in March when the Iranian-sponsored Handala group wiped tens of thousands of corporate devices after accessing an Intune admin account.
“The findings land against a backdrop of large-scale healthcare cyber incidents that have disrupted care delivery and revenue flows, underscoring how quickly attacks on device-adjacent systems can translate into patient harm,” said Joseph Saunders, CEO of RunSafe Security.
“Medical device cybersecurity is increasing in importance to healthcare buyers as they see it as a patient safety and regulatory imperative.”
The tension between security and productivity in HCOs is likely to continue into the AI age.
Over half (57%) of organizations polled by RunSafe said they have adopted AI-enabled or AI-assisted medical systems. Yet 80% reported moderate to high concern about the cybersecurity risks associated with these technologies.
More positively, 56% of respondents said they rejected devices at a procurement stage due to cybersecurity concerns, up from 46% last year.
