“Hope is not a strategy.”
That warning captures the reality healthcare leaders now face. Hospitals, medical device makers, pharmacies, insurers, software vendors, and service providers operate as one connected digital ecosystem. When one part falls to a cyberattack, the consequences do not stay inside IT. A single incident can delay prescriptions, stop payments, interrupt diagnostics, disrupt care delivery, and put patients at risk.
In the Exploited: The Cyber Truth podcast episode, “The Next Cyber Crisis Won’t Be One Hospital—It Could Be the Entire Health System,” Greg Garcia, Executive Director for Cybersecurity of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, examined why healthcare cybersecurity must be treated as patient safety, not simply technical risk. His message was that the next major cyber crisis may not be a single hospital outage, but a system-wide disruption across the infrastructure that keeps care moving.
Healthcare Is a Technology Ecosystem that Delivers Care
Modern hospitals are not just facilities that use technology to treat patients.
“The modern hospital is a technology organization that happens to do patient care,” Garcia said.
Technology now supports medical devices, payment systems, patient data, scheduling, diagnostics, imaging, refrigeration, HVAC, elevators, and the infrastructure that keeps clinical environments running. In other industries, a cyberattack may delay a transaction. In healthcare, downtime can delay medication, scans, procedures, or even a rural hospital’s ability to operate.
RunSafe Security’s 2026 Medical Device Cybersecurity Index found that 80% of organizations hit by a cyberattack or exploited vulnerability affecting a medical device reported a moderate or significant impact on patient care.
Garcia summed up the stakes simply: “Cyber safety is patient safety.”
That idea should define how healthcare leaders, manufacturers, suppliers, and policymakers think about risk. Medical device cybersecurity is not separate from clinical outcomes. It is part of the operating foundation that enables safe care.
The Hospital Attack Surface Extends Far Beyond the Hospital
Healthcare is often discussed as if each provider can secure itself alone. That view is outdated.
Every hospital depends on third-party technology and service providers. Some supply software. Others support reimbursement, prescription routing, imaging, medical device components, data exchange, communications, or operational systems. Many are not regulated like healthcare providers, even though their failure can disrupt care at national scale.
The 2024 Change Healthcare ransomware attack made that risk impossible to ignore. Change Healthcare handled critical prior authorization and reimbursement workflows across a major part of the U.S. healthcare system. When it went dark, the impact spread far beyond one company.
For some small rural hospitals, the consequences were severe. Expenses continued, but payments stopped flowing. The lesson is uncomfortable: a private vendor can become critical infrastructure when there are few alternatives.
“That essentially makes a private commercial company part of the critical infrastructure simply because there’s nobody to take over in an emergency,” Paul Ducklin observed.
Garcia’s answer was direct: “That’s right. Exactly.”
That is why supply chain visibility can no longer be optional. Healthcare organizations need to know not only who their vendors are, but which vendors are essential to clinical and operational workflows. If only a few companies can perform a critical function, that concentration becomes systemic risk.
Accountability Must Extend Across the Supply Chain
Healthcare providers are already heavily regulated with HIPAA and related security requirements placed on hospitals and health systems. But many of the technology and service providers they rely on do not face equivalent cybersecurity accountability.
“We have a healthcare industry that is heavily regulated, yet the technology that they must buy, the services that they must buy, is not regulated,” Garcia said. “Often that technology and those services are not adequately secured against cyber threats, yet they can continue to sell to us.”
That gap matters because many hospitals operate on thin or negative margins. Leaders face hard choices between hiring another nurse, upgrading an MRI machine, or investing in cybersecurity.
The answer cannot be to push all responsibility onto under-resourced providers. If technology vendors serve critical infrastructure, they should be expected to meet a higher cybersecurity standard.
Market pressure is starting to help. Joe Saunders cited RunSafe’s 2026 Medical Device Cybersecurity Index, noting that 46% of hospital systems declined to purchase a medical device because of cybersecurity concerns. That is encouraging, but it also means more than half did not.
“If we just left it to market forces, the other 54% wouldn’t care,” Saunders said.
The sector needs both pressure and partnership, including stronger procurement expectations, better governance, more transparent software supply chains, and security built into products from the start.
Faster Patches Won’t Be Enough
Medical devices sit at the intersection of software, safety, regulation, and patient care. They include open source software, third-party components, proprietary code, and supplier dependencies. Once deployed, they may remain in clinical environments for years.
That makes cybersecurity a lifecycle issue. Device makers need to know what is inside their products, share that information with healthcare providers, and continuously assess vulnerabilities after deployment.
But medical device updates are not like consumer app updates. Devices require testing, validation, and careful deployment. A reboot may mean taking equipment out of service. In some cases, that equipment may be attached to a patient.
AI-driven vulnerability discovery could make this harder. If AI systems identify vulnerabilities and generate exploits faster than humans can patch, healthcare organizations will face a flood of updates they cannot safely absorb.
“We cannot keep up with patches in a manual fashion, patch by patch at AI speed,” Saunders said.
Every patch needs to be tested, and every deployment introduces operational risk. Saunders argued that vulnerabilities cannot be eliminated effectively by playing catch-up with AI advancement.
That points to a different model: building resilience into software before deployment, reducing exploitability even when vulnerabilities exist, and protecting systems when a patch is not yet available.
Healthcare Cybersecurity Needs Collective Defense
The most important shift may be cultural. Healthcare is too interconnected for every hospital, supplier, manufacturer, and service provider to act as though its risk ends at its own firewall.
A successful attack on one entity can create cascading harm across the ecosystem. That means resilience has to be shared.
Garcia described the need for “a culture of mutual aid, mutual assistance,” especially among healthcare systems in the same region or state. The logic is practical: in an interconnected system, reducing risk for others reduces risk for everyone.
Garcia quoted former NSA Director Chris Inglis on this point: “In order to beat one of us, you have to beat all of us.”
That should be the north star for healthcare cybersecurity. The sector cannot afford endless finger-pointing between hospitals, vendors, device makers, regulators, and service providers. It needs shared accountability, shared visibility, and shared defense.
The next healthcare cyber crisis may not look like a single hospital outage. It may look like prescription networks failing, reimbursements stopping, imaging workflows stalling, rural providers losing cash flow, or patients being redirected across already strained systems.
To hear the full conversation with Greg Garcia, Joe Saunders, and Paul Ducklin, listen to the complete episode of Exploited: The Cyber Truth, “The Next Cyber Crisis Won’t Be One Hospital—It Could Be the Entire Health System.”