Medical Device Cybersecurity in 2026: Progress Is Real, But the Gap Is Widening

Posted on April 29, 2026
Author: RunSafe Security

Key Takeaways

  • Cyberattacks on medical devices are rising despite stronger procurement requirements. 80% of affected organizations reported moderate or significant impact on patient care.
  • Legacy devices are the gap that procurement cannot close. More than a quarter of organizations are running end-of-support devices with known, unpatched vulnerabilities in ICUs, ORs, and emergency departments.
  • SBOMs have crossed from best practice to hard requirement. 35% of healthcare buyers will not consider a device without one.
  • Runtime protection is now a mainstream defense. 82% of organizations have deployed or are actively piloting it—largely because so many devices in clinical use cannot be patched.
  • AI-enabled devices are the next readiness gap. More than half of organizations already use them, but most lack the security frameworks to assess or monitor the risks they introduce.


In March 2026, a cyberattack on Stryker, one of the world’s largest medical device manufacturers, disrupted its global operations. It is the most recent reminder that a single successful attack can ripple across the industry, and it is attacks like this one that have the healthcare professionals responsible for procurement, security, and patient safety paying closer attention to cybersecurity than ever before.

Now in its second year, RunSafe Security’s 2026 Medical Device Cybersecurity Index—based on a survey of 551 healthcare professionals involved in device purchasing across the U.S., UK, and Germany—finds an industry that has absorbed the reality that attacks are increasing and responded with changes to procurement, investment, and security operations. The progress is genuine. The problem is that the threat is moving at least as fast.

Attacks Are Increasing and Causing Greater Patient Harm

The share of organizations that have experienced a cyberattack or exploited vulnerability affecting a medical device ticked up from 2025 to 2026, reaching 24%. More troubling is what happens when those attacks land: 80% of affected organizations reported moderate or significant impact on patient care, up from 75% the prior year. Extended stays and manual workarounds affected nearly half of the impacted organizations.


The attack profile is also shifting in ways the full report details. Remote access exploitation has emerged as a major threat vector, reflecting the growing remote access footprint of connected devices: every maintenance channel, telemetry link, and remote support path is another route to the device. Attackers are adapting to how devices are deployed and accessed, and organizations that rely on a single boundary control rather than layered defenses carry exposure that compounds with each new path in.

Vendor trust has taken a corresponding hit. A growing share of organizations report that security incidents have affected their trust in specific vendors, and some have stopped purchasing from specific manufacturers entirely. The effect of an incident now outlasts the incident itself, showing up in purchasing decisions long after recovery.

The Industry Response

In response, healthcare organizations have made measurable changes to how they evaluate and purchase devices. Eighty-four percent now include cybersecurity requirements in vendor RFPs, and the depth of those requirements is growing, with significantly more organizations specifying detailed security requirements than a year ago. More than half have already rejected a device on cybersecurity grounds, a figure that has jumped 10 points since 2025. Requirements are being enforced at the point of purchase, not merely written into RFPs.

[Figure: Cybersecurity is now a standard]

The top requirements driving those rejections center on sustained vendor engagement: secure software update mechanisms, strong authentication and access controls, and third-party security testing. When vendors cannot demonstrate basic security hygiene on these dimensions, they are being filtered out before purchase.

Regulatory pressure is amplifying this shift. Seventy-nine percent of respondents say FDA cybersecurity guidance or EU MDR requirements have meaningfully influenced their procurement processes, up from 73% in 2025. The FDA’s June 2025 final premarket cybersecurity guidance, which spells out the lifecycle obligations that the FD&C Act now places on cyber devices (an SBOM, a plan for monitoring and addressing postmarket vulnerabilities, and processes for delivering updates and patches), and the EU Cyber Resilience Act, now moving into active implementation, have given procurement teams both the mandate and the vocabulary to demand more.

SBOMs Have Crossed the Threshold

One of the clearest expressions of this hardening is what has happened to Software Bills of Materials (SBOMs). SBOMs have moved from an emerging best practice to a procurement prerequisite. In 2026, 81% of respondents rated them as strongly influential or essential when evaluating devices. More telling is that 35% say they will not consider a device without one. That is a hard line, driven by regulatory requirements and security realities alike.

[Figure: SBOMs are now a requirement]

Organizations are also operationalizing what they receive by reviewing SBOMs during security evaluations, integrating them into asset management tooling, and sharing them across IT and clinical engineering. For device manufacturers still treating SBOM generation as a compliance checkbox, this is a significant misread of where buyers are.
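As an added example of what "reviewing SBOMs during security evaluations" looks like in practice (this is illustration code written for this page, not RunSafe’s tooling or anything from the survey), the script below parses a CycloneDX JSON SBOM, matches each component by package URL (purl) against an advisory list and an end-of-support list, and flags components that carry no identifier at all, since those cannot be matched automatically. The SBOM document, the advisory identifier EXAMPLE-ADV-001, the package names, and the accept/reject policy are all constructed for the example and do not describe any real product, vendor, or vulnerability.

```python
"""Evaluate a vendor-supplied CycloneDX SBOM against a procurement policy.

Added example, not RunSafe's code. Everything below (the SBOM, the advisory
feed, the end-of-support list) is constructed for illustration only.
"""
import json
from dataclasses import dataclass, field

# Constructed CycloneDX 1.5 JSON document standing in for a vendor deliverable.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "infusion-pump-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "libtls", "version": "2.1.0",
         "purl": "pkg:generic/libtls@2.1.0"},
        {"type": "operating-system", "name": "vendor-rtos", "version": "7.0",
         "purl": "pkg:generic/vendor-rtos@7.0"},
        # Deliberately has no purl: a common SBOM quality defect.
        {"type": "library", "name": "jsonparse", "version": "0.9.3"},
    ],
})

# Constructed advisory feed: base purl -> [(first fixed version, advisory id)].
# A component is affected when its version is older than the first fixed one.
ADVISORIES = {
    "pkg:generic/libtls": [("2.1.1", "EXAMPLE-ADV-001")],
}
# Constructed end-of-support list: base purl -> versions no longer maintained.
END_OF_SUPPORT = {"pkg:generic/vendor-rtos": {"7.0"}}


def parse_version(text):
    """Turn '2.1.0' into (2, 1, 0) so tuples compare numerically.
    Non-numeric segments sort as 0 (a simplifying assumption of this example)."""
    parts = []
    for seg in text.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:generic/libtls@2.1.0' -> ('pkg:generic/libtls', '2.1.0')."""
    base, _, version = purl.partition("@")
    return base, version


@dataclass
class Evaluation:
    device: str
    verdict: str = "accept"          # accept | needs_review | reject
    findings: list = field(default_factory=list)


def evaluate(sbom_json, advisories, end_of_support):
    """Review one SBOM and return a verdict suitable for an asset record."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    meta = doc.get("metadata", {}).get("component", {})
    result = Evaluation(device=f"{meta.get('name')}@{meta.get('version')}")

    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Nothing to key a vulnerability lookup on; a human must resolve it.
            result.findings.append(
                f"needs_review: {comp.get('name')} has no purl and cannot be matched")
            continue
        base, version = split_purl(purl)
        ver = parse_version(version)
        for fixed_in, advisory in advisories.get(base, []):
            if ver < parse_version(fixed_in):
                result.findings.append(
                    f"reject: {purl} affected by {advisory}, fixed in {fixed_in}")
        if version in end_of_support.get(base, set()):
            result.findings.append(f"reject: {purl} is past end of support")

    # Policy: any reject-level finding fails the device; anything unresolved
    # holds it for review; a clean SBOM passes.
    if any(f.startswith("reject") for f in result.findings):
        result.verdict = "reject"
    elif result.findings:
        result.verdict = "needs_review"
    return result


if __name__ == "__main__":
    ev = evaluate(SAMPLE_SBOM, ADVISORIES, END_OF_SUPPORT)
    print(ev.device, ev.verdict)
    for line in ev.findings:
        print("  -", line)
```

Two design points matter for an evaluation like this. A component without a purl is itself a finding: the buyer cannot automate vulnerability matching for it, so the SBOM's quality, not only its contents, becomes part of the verdict. And because the result is keyed to the device identity from the SBOM's metadata, it can be stored alongside the asset record and re-run whenever the advisory feed changes, which is what turns a one-time procurement check into the ongoing asset-management integration the survey describes.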

Dealing with Legacy Devices that Cannot Be Replaced

Stronger procurement standards address the devices organizations are buying. They do not address the devices already in use, and that is where the exposure is most acute.

More than a quarter of organizations are operating devices past the manufacturer’s end-of-support date, and a substantial share of those acknowledge running devices with known, unpatched vulnerabilities. These devices are concentrated in exactly the environments where failure causes the most harm, including emergency departments, general inpatient wards, ICUs, and operating rooms.

[Figure: Scale of the legacy device problem]

The reasons organizations cannot replace them are familiar to anyone who works in healthcare: no acceptable replacement yet available, budget constraints, regulatory hurdles, and the operational disruption that replacement would cause. These are real constraints that procurement policy cannot override. Buying new, secure devices does not fix the exposure created by devices that will remain in clinical use for years, regardless of the security standards they fail to meet.

Runtime Protection: The Compensating Control

This structural gap is likely driving a notable finding in this year’s data. Among organizations aware of runtime exploit protection, 82% have deployed it or are actively piloting it—29% widely across their device fleet, and 53% on at least some devices. Fewer than 1% of those aware of the technology have no plans to use it.

Organizations are seeking technologies to protect devices that cannot be patched, because the alternative is leaving known vulnerabilities unaddressed in their highest-risk settings.

It is a practical response to a problem that spending on new devices alone cannot solve, and a sign that the industry is treating device security as an operational discipline.

AI Is Tracing a Familiar Curve

The next version of the device security challenge is already taking shape. More than half of surveyed organizations are already using AI-enabled or AI-assisted medical devices, and 80% express at least moderate concern about the cybersecurity risks those devices introduce. The problem is that adoption is running well ahead of the frameworks needed to assess and monitor those risks.

The industry has seen this pattern before with connected devices—rapid adoption outpacing security readiness. The attack surface AI devices create, including model manipulation, data poisoning, and adversarial inputs, demands procurement and monitoring frameworks that most organizations have not yet developed. The time to build those frameworks is now, before the installed base of AI devices reaches the scale at which the legacy device problem currently operates.

What Manufacturers Can Take Away

Across all of these findings, the market signal to manufacturers has been consistent and is growing louder. A strong majority of purchasing decision-makers are willing to pay a premium for devices with advanced cybersecurity protections, and more than a third will not evaluate devices without an SBOM. These figures do not describe an audience that needs to be convinced that security matters. The buyers shaping the market in 2026 are asking manufacturers for security that is designed in, documented transparently, and supported through the device lifecycle.

Overall, healthcare organizations have made real progress in evaluating and purchasing secure devices. The organizations experiencing the worst outcomes are largely confronting risks that procurement cannot reach: legacy devices that cannot be replaced, attack vectors that were not anticipated when systems were designed, and emerging technologies being adopted faster than security frameworks can keep pace. Closing that gap requires security built into devices before they reach clinical environments, and the ability to protect devices already in place that cannot be retired. That is where the work remains.

Download the full 2026 Medical Device Cybersecurity Index for complete survey findings and methodology.

Learn more about how RunSafe Security helps medical device manufacturers integrate security with our Protect code hardening solution and SBOM generation capabilities.
