Cybersecurity concerns plague medical devices, even in 2025

The US mandates cybersecurity measures in new devices, but hospitals rely on legacy devices.

Caroline Catherman is a reporter at Healthcare Brew, where she focuses on major payers, health insurance developments, Medicare and Medicaid, policy, and health tech.

Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.

When hackers target healthcare systems, medical devices can be high-impact casualties.

Clinical technology is complex and multifaceted, incorporating online systems with hardware devices. The technology has led to advances in care and diagnostic success, but also increased potential vulnerabilities. When a network is knocked offline, medical devices can also be affected.

As cyberattacks against healthcare increase, so does risk to medical devices. One recent survey of healthcare executives found 22% of healthcare organizations suffered at least one attack aimed at devices. When attacks do occur, they can threaten patients’ lives and cost healthcare organizations millions of dollars.

As of March 2023, the FDA requires all new medical device submissions to include evidence the devices are cybersecure, a software bill of materials, and a plan to monitor and address cybersecurity vulnerabilities post-market. But these requirements do not apply retroactively, and many providers still use older medical devices with legacy operating systems—73%, according to a 2021 survey by cybersecurity company Kaspersky.

On Oct. 1, for instance, the FDA recalled a heart pump controller over concerns it could be hacked. Its manufacturer, Johnson & Johnson’s Abiomed, advised users to disconnect the device from their network until a security fix was available.

“The bad guys, once they’re in the network, may deploy ransomware, which encrypts the pathways to medical devices—potentially the medical devices themselves—denying the availability of the device for clinicians and patients. That’s where the real potential risk and harm is,” John Riggi, national advisor for cybersecurity and risk at trade and lobbying group the American Hospital Association (AHA), told us.

Security flaws add up

Efforts to keep medical devices secure have come in good faith but haven’t always been well thought out, cybersecurity nonprofit Health-ISAC (Information Sharing and Analysis Center) VP of Medical Device Security Phil Englert told us.

Rather than focusing on the narrow yet effective tactic of risk management, he said, healthcare IT teams used to want to take a “Hippocratic stance” in which even one bad outcome is too many.

“They wanted to manage all IT devices as if they were traditional IT devices, meaning every three years we’re replacing a laptop or a desktop and replacing the operating system,” Englert said. “That’s not always practical.”

In actuality, it’s common for properly maintained medical devices to remain in use for many years.

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

In January 2022, 53% of connected hospital devices had “known critical vulnerabilities,” according to a 2022 white paper by the FBI’s cyber division, which advised replacing affected medical devices, auditing their activity, or taking them offline.

To a certain extent, though, security is out of a hospital’s control. Hospitals largely rely on third parties to maintain it, cyber resilience platform Halcyon’s CEO Jon Miller told us.

Miller gave the example of MRI machines. They are typically owned and operated by third parties with their own proprietary software, leaving the responsibility for patching and security to the manufacturer.

That’s just part of the problem with medical devices—the hardware supply chain is another—and it all adds up.

“By the time it reaches the market, there are security vulnerabilities in it—not just from the manufacturer, but from the supply chain that supplies the different components of the software that makes up the architecture,” Miller said.

Physical security is lacking

Another issue is some medical devices have software that can be accessed via physical ports. If a device’s data isn’t encrypted and there aren’t additional authorization requirements, that’s an easy way in.

Axel Wirth, chief security strategist of medical device cybersecurity consultancy MedCrypt, told us it would be unusual for hackers to physically enter a hospital to attack a specific medical device—though not impossible.

“We have seen plenty of examples where these devices got hacked into…because the device fit the attack profile,” Wirth said.

But if a hacker chooses to attack a device this way, they might not face resistance. Real-world hacking attempts can succeed when threat actors go in person to facilities and target devices through physical attacks. Such attackers rely on people’s impulse to help, as IT Brew reported in November.

As a consultant, Englert recounted experiences walking through hospitals without being stopped and theoretically having access to multiple machines. In clinical labs, however, techs challenged him, showing that a culture for protection does exist around devices in some aspects of the healthcare system.

Putting the onus for basic security steps on the industry rather than care providers, Englert said, could be the key to securing devices.

“That allows the clinicians to do their job of patient care and allows technicians to do their job of monitoring the state of the devices,” Englert said.