Key Takeaways
- Cyberattacks on medical devices are becoming more frequent and more harmful, with breach rates rising from 22% (2025) to 24% (2026) and the proportion of attacks causing significant patient‑care impact increasing from 75% to 80% over the same period.
- Hospital leaders are responding by allocating more cybersecurity budget, refining security practices, and tightening procurement protocols, yet the threat landscape is outpacing these defensive measures.
- A strong majority of decision‑makers (59%) are “extremely” or “very” concerned about device‑related cyber incidents, and 24% of facilities have already experienced an attack.
- The adoption of AI‑enabled medical devices is growing (57% of organizations), and 80% of respondents express at least moderate concern about the new risks these technologies introduce.
- Software transparency is gaining importance: 35% of purchasers will not consider a device lacking a software bill of materials (SBOM), and 84% of organizations now embed cybersecurity requirements in vendor RFPs—43% with detailed specifications, up from 38% in 2025.
- More than half (56%) of hospitals have rejected a device due to cybersecurity worries, a notable increase from 46% the prior year.
- Regulatory guidance from the FDA and the EU Medical Device Regulation influences procurement at nearly 80% of institutions.
- The report’s authors conclude that merely increasing spending and tightening procurement is insufficient; security must be built into devices before they reach clinical settings, and legacy equipment must be protected where replacement is not feasible.
Survey Overview and Methodology
The data presented originate from an online survey conducted in March by cybersecurity vendor RunSafe Security. The effort captured 551 verified responses from medical‑device purchasers representing various tiers of hospital management across small, medium, and large facilities in the United States, the United Kingdom, and Germany. Respondents were selected to ensure they hold decision‑making authority over device acquisition, thereby providing a reliable snapshot of current procurement attitudes and cybersecurity experiences within the health‑care sector.
Rising Frequency and Severity of Device‑Focused Cyberattacks
Between 2025 and 2026, the proportion of organizations reporting a breach affecting at least one medical device rose modestly from 22% to 24%. More alarmingly, among those breached, the share of incidents that produced a significant impact on patient care climbed from 75% to 80%. This dual trend indicates that attackers are not only striking more often but are also achieving greater clinical consequences, such as disruption of therapy delivery, alteration of diagnostic data, or temporary loss of life‑support functions.
Hospital Defensive Measures Are Intensifying
In response to the escalating threat, hospitals have bolstered their cybersecurity posture along several fronts. Survey participants reported increased allocation of funds specifically for device security, refinement of internal security policies and incident‑response playbooks, and the implementation of stricter vendor‑evaluation procedures. Despite these efforts, the upward trajectory of attacks suggests that defensive investments are struggling to keep pace with the evolving capabilities of threat actors.
Level of Concern Versus Actual Experience
A striking disconnect emerges between perception and reality: 59% of respondents characterize their concern about a device‑related cyber incident as “extremely” or “very” high, yet only 24% of facilities admit to having suffered an attack in the observed window. This gap may reflect heightened awareness driven by media coverage and regulatory scrutiny, or it could indicate that many incidents remain undetected or unreported, underscoring the need for improved monitoring and disclosure practices.
Growing Adoption of AI‑Enabled Devices and Associated Risks
Artificial intelligence is rapidly permeating the medical‑device landscape, with 57% of surveyed organizations currently deploying AI‑enabled devices. Correspondingly, 80% of those organizations express at least moderate concern about the cybersecurity implications of AI integration, citing worries about model poisoning, adversarial inputs, and the expanded attack surface introduced by complex software stacks. The findings highlight that innovation must be accompanied by parallel advancements in security assurance.
Demand for Software Transparency via SBOMs
Transparency in software composition is becoming a procurement prerequisite. Thirty‑five percent of purchasing decision‑makers state they will not consider a device that lacks a software bill of materials (SBOM), a document enumerating all third‑party and open‑source components embedded in the device’s firmware. This shift reflects a broader industry move toward supply‑chain risk management, enabling hospitals to assess known vulnerabilities and comply with emerging regulatory expectations.
Cybersecurity Requirements in Vendor RFPs
The integration of cybersecurity clauses into request‑for‑proposal (RFP) documents is now commonplace. Eighty‑four percent of organizations include such requirements, with 43% specifying detailed criteria—up from 38% in 2025. These detailed provisions often mandate secure development lifecycle practices, vulnerability disclosure policies, and proof of penetration testing, indicating that buyers are moving beyond generic assurances to enforceable technical standards.
Device Rejection Based on Cybersecurity Concerns
Proactive risk avoidance is evident in the rising rate of device rejections due to cybersecurity worries. Fifty‑six percent of respondents have already turned down a prospective purchase because of identified security deficiencies, a notable increase from 46% the previous year. This trend suggests that hospitals are willing to forgo potentially beneficial technology when security assurances fall short, thereby exerting market pressure on manufacturers to prioritize security in product design.
Influence of FDA and EU Medical Device Regulation
Regulatory frameworks continue to shape procurement decisions. Nearly 80% of organizations report that guidance from the U.S. Food and Drug Administration (FDA) and/or the European Union Medical Device Regulation (MDR) has impacted their purchasing processes. These influences manifest as mandatory cybersecurity documentation, post‑market surveillance obligations, and alignment with recognized standards such as IEC 62443 and ISO/IEC 27001, reinforcing a baseline of security expectation across geographies.
Conclusion: Closing the Gap Between Response and Risk
The report’s authors offer a sobering assessment: while hospitals are investing more money and refining procurement rigor, the velocity of cyber threats matches or exceeds the pace of defensive improvements. They argue that closing this gap will require more than budgetary increments and contractual clauses; it will necessitate security‑by‑design principles embedded into devices before they reach clinical environments, coupled with robust strategies for protecting legacy equipment that cannot be readily replaced. Only through a combination of proactive engineering, vigilant monitoring, and collaborative information sharing can the health‑care sector hope to safeguard patients against the growing peril of medical‑device cyberattacks.

