Race tightens between cybersecurity pros in healthcare and cyber bad guys everywhere
A new survey of medical-device purchasers shows cyberattacks on medical devices rising in both frequency and harmfulness to patients.
Frustratingly for hospital leaders, the upward trajectory continues despite hospitals’ efforts to be more proactive with defensive measures.
These include allocating more money for cybersecurity, fine-tuning security practices and beefing up procurement protocols.
The survey was conducted online in March for a cybersecurity vendor, RunSafe Security.
The effort yielded 551 responses from verified device decision-makers representing various levels of hospital management across small, medium and large institutions in the U.S., U.K. and Germany.
The results show the rate of breaches affecting medical devices rose from 22% in 2025 to 24% in 2026.
Further, among the organizations that got hit, the rate of significant impact on patient care climbed from 75% in 2025 to 80% in 2026.
Also:
- 59% of respondents are “extremely” or “very” concerned about a cybersecurity incident impacting medical devices, yet 24% of facilities have already experienced an attack.
- 57% of organizations currently use AI-equipped medical devices, and 80% express at least moderate concern about the cybersecurity risks they introduce.
- 35% of purchasing decision-makers will not consider a device without a software bill of materials. In addition, 84% of organizations include cybersecurity requirements in vendor RFPs—43% with detailed requirements, up from 38% in 2025.
- More than half (56%) have already rejected a device due to cybersecurity concerns, up from 46% in 2025.
- FDA guidance and European Union Medical Device Regulation requirements have influenced procurement processes at nearly 80% of organizations.
“The lesson of the past year is not that investment and attention are failing but that the risk is moving at least as fast as the response,” the report’s authors remark. “Closing that gap will require more than procurement rigor and budget growth. It will require security built into devices before they reach clinical environments, as well as the ability to protect devices already in place that cannot be replaced. That is where the industry’s work remains.”
The report is available in exchange for contact info here.
