Medical device cyberattacks push hospitals into crisis mode
22% of healthcare organizations have experienced cyberattacks that directly impacted medical devices, according to RunSafe Security. Three-quarters of these incidents disrupted patient care, including 24% that required patient transfers to other facilities.
The survey reveals that healthcare cybersecurity has evolved from primarily an IT concern to a patient safety imperative driving procurement decisions and operational strategies. In fact, the findings demonstrate a shift in healthcare cybersecurity priorities, with 35% of organizations now identifying OT systems like medical devices as their biggest cybersecurity concern, compared to traditional IT systems.
Heightened concerns come as hospitals digitize and interconnect everything from infusion pumps to imaging systems. The FBI’s Cyber Division recently reported that 53% of networked medical devices have at least one known critical vulnerability, while healthcare experienced more cyber threats in 2024 than any other critical infrastructure industry.
Cybersecurity incidents disrupt core healthcare operations
Cybercriminals are successfully targeting the very systems healthcare providers depend on most for patient diagnosis, treatment, and monitoring. While electronic health records systems experienced the highest rate of compromise at 52%, many cyber attackers have moved beyond data theft to operational disruption.
Among healthcare organizations that experienced medical device cybersecurity incidents, 46% also required manual processes to maintain operations, 44% reported delayed diagnoses or procedures, and 44% had extended patient stays. When systems failed, 43% experienced up to 4 hours of downtime, while 31% faced up to 12 hours without critical systems.
These extended outages force healthcare providers into crisis mode, requiring backup procedures that may be less accurate and more time-consuming, and that may compromise the quality of care patients receive.
The 26% rate of supply chain compromises is also concerning, as these attacks can affect multiple healthcare organizations simultaneously and are often harder to detect until widespread damage has occurred.
Procurement transformation
83% of healthcare organizations now integrate cybersecurity standards directly into their medical device RFPs (requests for proposal), with 46% declining purchases due to cybersecurity concerns. 73% report that new FDA cybersecurity guidance and EU cybersecurity regulations are already influencing their procurement decisions.
Transparency through SBOMs is also emerging as a critical requirement. 78% of organizations consider SBOMs essential or important in procurement decisions.
Healthcare leaders invest in security
While 75% of organizations increased their medical device and operational technology security budgets over the past 12 months, only 17% feel extremely confident in their ability to detect and contain attacks on medical devices.
The convergence of regulatory pressures and real-world attacks has led to healthcare organizations demonstrating a strong willingness to invest in advanced security. 79% of executives say their healthcare organization is willing to pay a premium for devices with advanced runtime protection or built-in exploit prevention, with 41% willing to pay up to 15% more.
Buyers clearly recognize the real investment required for sophisticated security capabilities. In fact, only 12% of organizations expect these advanced protections to be provided at no additional cost.
“Healthcare organizations are no longer treating medical device cybersecurity as checkbox compliance – these attacks could disrupt patient care today and force providers to make life-or-death decisions when systems fail,” said Joe Saunders, CEO of RunSafe Security.