Cyber-attacks on medical devices are on the rise

Cyberattacks on medical devices are endangering patients and may potentially cost lives. The 2026 Medical Device Cybersecurity Index from RunSafe Security reports that 24 per cent of healthcare organisations are experiencing cyberattacks on medical devices and that 80 per cent of cyberattacks on medical devices have the effect of disrupting patient care.

Based on a survey of 551 healthcare professionals across the United States, the United Kingdom, and Germany, the 2026 Medical Device Cybersecurity Index underscores escalating cyber threats.

"Cyber incidents involving medical devices are no longer isolated IT issues but increasingly translate into operational disruptions, such as delayed imaging, postponed procedures, and interruptions in critical care delivery," says RunSafe.

Legacy devices creating critical vulnerabilities

New to the 2026 Index is the finding that almost three in ten organizations operate medical devices that are past the manufacturer's end-of-support. More concerning is that a significant proportion of those devices carry known, unpatched vulnerabilities. Legacy devices are concentrated in clinical environments. Thirty-nine per cent of both general inpatient wards and emergency departments, with 38 per cent of outpatient and ambulatory settings, also using legacy devices that are past their end-of-support, creating potential vulnerabilities to cyber-attacks.

AI adoption outpacing security readiness

An increased cyber-risk is also the result of the rapid adoption of AI-enabled and AI-assisted medical devices. More than half of surveyed organizations (57 per cent) already use AI-enabled or AI-assisted medical devices or clinical systems.

According to RunSafe: "This rapid adoption is outpacing confidence in understanding the associated cybersecurity risks. As AI-driven diagnostics and decision support become standard, the attack surface they create, including model manipulation, data poisoning and adversarial inputs, will demand specific procurement and monitoring frameworks that most organizations have not yet developed."