A new report shows that security concerns shift from IT systems to operational technology.
Twenty-two percent of healthcare organizations have experienced cyberattacks that directly impacted medical devices, according to the 2025 Medical Device Cybersecurity Index released by RunSafe Security, specializing in cyberhardening technology for embedded systems across critical infrastructure. Three-quarters of these incidents disrupted patient care, including nearly a quarter (24%) that required patient transfers to other facilities.
RunSafe’s 2025 Medical Device Cybersecurity Index surveyed 605 healthcare executives across the US, UK, and Germany. It reveals that healthcare cybersecurity has evolved from primarily an IT concern to a patient safety imperative driving procurement decisions and operational strategies.
In fact, the findings demonstrate a sharp pivot in healthcare cybersecurity priorities, with 35% of organizations now identifying operational technology (OT) systems like medical devices as their biggest cybersecurity concern, compared to traditional IT systems.
Heightened concerns come as hospitals digitize and interconnect everything from infusion pumps to imaging systems. The FBI’s Cyber Division recently reported that 53% of networked medical devices have at least one known critical vulnerability, while healthcare experienced more cyber threats in 2024 than any other critical infrastructure industry.
The consequences of these attacks extend far beyond data breaches. Among healthcare organizations that experienced medical device cybersecurity incidents, 46% also required manual processes to maintain operations, 44% reported delayed diagnoses or procedures, and 44% had extended patient stays. When systems failed, 43% experienced up to 4 hours of downtime, while 31% faced up to 12 hours without critical systems.
Additional key findings from RunSafe Security’s 2025 Medical Device Cybersecurity Index:
- Procurement transformation: 83% of healthcare organizations now integrate cybersecurity standards directly into their medical device RFPs, with 46% declining purchases due to cybersecurity concerns
- Regulatory influence: 73% report that new FDA cybersecurity guidance and EU cybersecurity regulations are already influencing their procurement decisions
- OT Budgets increase but confidence lags: 75% of organizations increased their medical device and OT security budgets over the past 12 months. Yet, only 17% feel extremely confident in their ability to detect and contain attacks on medical devices
- Premium pricing acceptance: 79% of executives say their healthcare organization is willing to pay a premium for devices with advanced runtime protection or built-in exploit prevention, with 41% willing to pay up to 15% more
- Transparency demands: 78% of providers consider Software Bills of Materials essential or important in procurement decisions
The survey also reveals conscious targeting of critical infrastructure, with malware infections (51%) and network intrusions (44%) serving as primary attack vectors. More than a third of organizations experienced ransomware specifically designed to disrupt device operations, while 26% faced supply chain compromises affecting multiple facilities simultaneously.
“Healthcare organizations are no longer treating medical device cybersecurity as checkbox compliance. These attacks could disrupt patient care today and force providers to make life-or-death decisions when systems fail,” says Joe Saunders, founder and CEO of RunSafe Security, in a release. “Threat prevention has moved from the server room to the operating room, and our research shows it’s fundamentally reshaping how healthcare organizations evaluate, purchase, and deploy medical devices.”
ID 367414213 © Iryna Kushnarova | Dreamstime.com
We Recommend for You:
