Medical device cybersecurity is drawing more investment, stricter procurement requirements, and wider regulatory scrutiny than ever before, yet cyberattacks on connected clinical equipment are becoming both more frequent and more damaging to patient care. That is the central finding of RunSafe Security’s 2026 Medical Device Cybersecurity Index, a survey of 551 healthcare professionals across the U.S., United Kingdom, and Germany who are directly involved in device purchasing decisions.


HotSpot Take

RunSafe Security’s 2026 Medical Device Cybersecurity Index, based on a survey of 551 healthcare decision-makers in the U.S., UK, and Germany, documents a widening gap between improving procurement practices and persistent cyber risk. According to the report, 24% of organizations have experienced a cyberattack affecting a medical device, up from 22% in 2025, and 80% of those affected reported moderate or significant impact on patient care. At the same time, 84% of organizations now include cybersecurity requirements in vendor RFPs, 56% have rejected a device on security grounds, and 82% have deployed or are piloting runtime exploit protection. RunSafe Security, a provider of embedded software security tools for medical devices and critical infrastructure, publishes the report.


Attacks on Devices Are Reaching Patients More Often


The share of organizations reporting a cyberattack or exploited vulnerability affecting a medical device rose from 22% in 2025 to 24% in 2026, according to the report. More significant than prevalence is severity: among those who experienced an incident, the proportion reporting moderate or significant impact on patient care climbed from 75% to 80% year over year.

The report arrives against a backdrop of high-profile incidents that have demonstrated how quickly digital disruptions translate into clinical consequences. The 2024 ransomware attack on Change Healthcare affected an estimated 192.7 million individuals, according to the U.S. Department of Health and Human Services, and remains the largest healthcare data breach ever recorded. In March 2026, a cyberattack on Stryker disrupted the company’s global Microsoft environment, forcing some health systems to delay surgical procedures and causing Stryker’s Lifenet electrocardiogram transmission system to go nonfunctional across large portions of Maryland, according to multiple published reports and Stryker’s own SEC disclosures.

The report’s downtime data reflects the operational impact of these incidents. According to the report, among organizations that experienced an attack, the most common recovery window was 5 to 12 hours of device downtime, affecting 39% of impacted organizations. Extended hospital stays and manual workarounds affected nearly half of those hit. According to the company, incidents are translating into operational disruptions, including delayed imaging, postponed procedures, and interruptions in critical care delivery.


“The findings land against a backdrop of large-scale healthcare cyber incidents that have disrupted care delivery and revenue flows, underscoring how quickly attacks on device-adjacent systems can translate into patient harm,” said Joseph M. Saunders, Founder and CEO of RunSafe Security. “Medical device cybersecurity is increasing in importance to healthcare buyers as they see it as a patient safety and regulatory imperative.”

Cybersecurity Now Functions as a Procurement Filter

Healthcare organizations have responded by hardening their purchasing processes. The report finds that 84% of surveyed organizations now include cybersecurity requirements in vendor RFPs, with 43% specifying detailed security requirements, up from 38% in 2025. More than half (56%) have rejected a device outright on cybersecurity grounds, a 10-percentage-point increase from 46% in 2025.

The most common grounds for rejection, according to the report, include known vulnerabilities (cited by 48% of those who rejected a device), lack of security patching support (47%), and weak authentication or access controls (46%). These rejection criteria align closely with what organizations are embedding in their RFPs: secure software update mechanisms were required by 62% of organizations, followed by secure authentication and access controls at 61%.

Regulatory frameworks are reinforcing procurement standards from the outside. According to the report, 79% of respondents say FDA cybersecurity guidance or EU Medical Device Regulation requirements have meaningfully influenced their procurement processes, up from 73% in 2025. The FDA finalized updated cybersecurity guidance in June 2025, introducing mandatory lifecycle security requirements for new devices. The EU’s Cyber Resilience Act has also moved into active implementation for connected products across European markets.

The Legacy Device Problem Resists a Procurement Solution

Tighter procurement standards address new devices entering clinical environments. They do not address what is already there. The 2026 report identifies legacy device exposure as a structural gap that purchasing reform alone cannot close.

According to the report, 28% of organizations operate devices past the manufacturer’s end-of-support date. Among those, 44% acknowledge running end-of-support devices with known, unpatched vulnerabilities. The barriers to replacement are predictable: 38% cited no acceptable clinical alternative, 36% cited budget constraints, and 34% cited regulatory or approval hurdles.

These devices are not sitting in storage. The report finds them concentrated in emergency departments, general inpatient wards, and intensive care units, the clinical settings where device failures carry the highest patient risk.

Runtime exploit protection has emerged as the primary compensating control. Unlike patching, runtime protection can secure devices without requiring a software update, making it applicable to equipment that cannot be patched. According to the report, 82% of organizations have deployed runtime exploit protection or are actively piloting it, with 29% having deployed it widely and 53% on at least some devices. In 2025, only 36% of organizations actively sought devices with runtime protection capabilities in procurement.

AI Devices Add a New Layer of Complexity

The report identifies AI-enabled and AI-assisted medical devices as an emerging risk category that procurement frameworks have not yet caught up with. According to the report, 57% of surveyed organizations are currently using AI-enabled or AI-assisted medical devices, while 80% express at least moderate concern about the cybersecurity risks those devices introduce.

The report characterizes this pattern as familiar: rapid adoption outpacing security readiness, echoing the experience organizations had with connected devices more broadly in recent years. Specific risks associated with AI-enabled clinical tools, including model manipulation, data poisoning, and adversarial inputs, require procurement and monitoring frameworks that most healthcare organizations have not yet developed, the report notes.

Investment Is Growing, but the Gap Persists

Budget growth is consistent and sustained. The report finds that 77% of organizations increased cybersecurity resources in the past 12 months, up from 75% in 2025. Willingness to pay a premium for devices with stronger security features remains high: 76% of respondents say they would pay more, with 49% willing to pay 5% or more above standard device pricing.

RunSafe Security, which publishes the index annually and provides embedded security solutions including Software Bill of Materials (SBOM) generation and runtime protection for medical devices, notes that SBOM adoption has also hardened into a near-universal expectation. According to the 2026 Medical Device Cybersecurity Index, 81% of respondents rate SBOMs as important or essential when evaluating devices, and 35% say they will not consider a device that lacks one.

The report’s conclusions point to a structural paradox: organizations are improving how they evaluate and buy secure devices, yet the underlying sources of risk (unpatchable legacy systems, rapidly expanding device connectivity, and the arrival of AI-enabled equipment) are not being reduced at the same pace. The report recommends that healthcare organizations extend cybersecurity beyond procurement into active risk management across their existing installed base, and that device manufacturers treat SBOM provision and post-market security commitments as baseline market access requirements rather than optional features.


— This original article was created with AI support.

