The main driver of the increase in medical device cyberattacks, according to RunSafe, is the prominence of death technology in healthcare environments.
Cyberate attacks on medical devices are becoming more frequent and disturbing, according to a report released by US cybersecurity firm RunSafe Security today (April 29).
The Medical Device Cybersecurity Index 2026, based on a March 2026 survey of 551 healthcare professionals across the US, UK and Germany involved in device purchase decisions, found that 24pc of healthcare organizations surveyed had experienced a cyberattack on a medical device – a 2pc increase compared to last year.
Of those who experienced an attack, 80pc reported a moderate or significant impact on patient care as a result, with a quarter of the group reporting a significant impact.
According to the report, the most affected systems include electronic health records (cited by 35pc of affected organisations), patient monitoring equipment (23pc), laboratory and diagnostic equipment (18pc), networked surgical equipment (10pc) and imaging systems (8pc).
The most prominent cyberattack methods seen in these incidents were malware infections requiring device shutdown – which were responsible for almost half of incidents (48pc) – and network intrusions requiring device isolation (41pc), with both types of incidents maintaining their dominant popularity from 2025.
However, one type of incident that RunSafe identified as particularly prevalent in 2026 was remote access exploitation, which was seen in 38pc of incidents. RunSafe pointed out that this showed that attackers are “adapting to the growing remote access of connected devices”.
“Organizations that did not implement network isolation, access controls and runtime protection are being exposed,” the company said.
For those organizations that experienced a cyberattack on a medical device, the recovery was not so easy.
Almost half (49pc) of reported incidents caused “extended stays or required interactions”, according to the report, with the most common recovery scenario – experienced by 39 affected organizations – involving five to 12 hours of downtime. Meanwhile, 5pc of affected organizations experienced a delay of more than three days.
Problems of inheritance
The main driver of the growing medical device cyberthreat, according to RunSafe, is the prevalence of expensive devices that cannot be easily patched or replaced.
The report found that three out of 10 responding organizations use medical devices that have passed the manufacturer’s end-of-life date. A significant portion of those devices carry known, unpatched vulnerabilities, according to RunSafe.
Reasons reported as to why these health care organizations continue to use high-risk materials include clinical, financial and structural barriers.
38pc of respondents said there was no “acceptable” replacement currently available for the legacy device in question, while 36pc said they could not afford a replacement.
34pc cited regulatory or regulatory barriers, 33pc said replacing a device or system would cause significant disruption and interestingly, 17pc said the risks presented by this legacy technology have been formally acknowledged by leadership.
“The inability to patch, combined with continued clinical reliance on vulnerable devices, creates a security gap that cannot be closed by procurement alone,” said RunSafe in an analysis of the topic of dying devices.
“This gap is likely the main driver in the increase in runtime protection adoption seen in 2026. Runtime protection technology – which protects devices without requiring a patch – acts as a control that compensates for the problem of buying new devices that you can’t solve.”
As the report notes, runtime protection technology is emerging as an important “compensating control”, with 82pc of respondents saying they have widely deployed or are evaluating runtime exploit protection.
A vulnerable sector
The increase in cyberattacks on medical devices highlighted by this report comes as the healthcare industry continues to experience serious breaches and attacks, as noted by RunSafe founder and CEO Joseph M Saunders.
“The findings come against a backdrop of major healthcare cyber incidents that have disrupted care delivery and revenue flow, underscoring how attacks on systems around devices can translate into patient harm,” he said.
“Medical device cybersecurity is growing in importance to healthcare consumers as they see it as critical to patient safety and control.”
Last month, medical equipment manufacturing giant Stryker was hit by a cyberattack that disrupted the global network. Reports at the time suggested the company’s Cork factory, which employs more than 4,000 people, had been affected by the attack – which the Iranian cyber-backed organization Handala claimed.
Meanwhile, a few weeks ago, Dublin recruitment platform Healthdaq – used by health trusts in Northern Ireland – was reportedly hit by a cyberattack from the new XP95 hacker group, which claimed access to hundreds of thousands of files.
Don’t miss out on the information you need to succeed. Sign up for Daily BriefSilicon Republic’s digest of must-know sci-tech news.
