RunSafe’s 2026 Medical Device Cybersecurity Index

This year’s findings reveal that cybersecurity has become a procurement gate for medical devices, with healthcare decision-makers embedding it into procurement decisions, budget cycles, and vendor relationships.

For the second consecutive year, RunSafe Security surveyed hundreds of healthcare professionals involved in device purchasing decisions to track how their organizations are approaching medical device security.

The data shows meaningful progress. More organizations are including detailed cybersecurity requirements in RFPs, SBOM expectations have become near-universal, and runtime protection adoption has grown. At the same time, cyberattacks on medical devices are more frequent than they were in 2025, the impact on patient care when incidents occur has worsened, and many organizations continue to operate end-of-support devices with known vulnerabilities that cannot be easily patched or replaced.

The 2026 Medical Device Cybersecurity Index draws on responses from 551 healthcare professionals across the US, UK, and Germany to document where the industry has made real progress, where structural gaps remain, and what both healthcare organizations and device manufacturers need to do next. It covers where organizations stand on procurement requirements, incident experience, legacy device risk, and the emerging security questions raised by AI-enabled devices.

Key Findings At-a-Glance

  • 84% of organizations include cybersecurity requirements in vendor RFPs—43% with detailed specifications, up from 38% in 2025
  • 56% have rejected a device due to cybersecurity concerns, up from 46% in 2025
  • 81% rate a Software Bill of Materials (SBOM) as “important” or “essential”—35% won’t consider a device without one
  • 24% of facilities have experienced a cyberattack on a medical device, up from 22% in 2025
  • 80% of those attacked report moderate or significant patient care impact, up from 75% in 2025
  • 28% of organizations operate devices past end-of-support. 44% acknowledge running end-of-support devices with known, unpatched vulnerabilities
  • 57% currently use AI-enabled or AI-assisted medical devices, with 80% expressing at least moderate concern about the cybersecurity risks they introduce
  • 82% of organizations have deployed or are actively piloting runtime exploit protection
  • 77% increased cybersecurity resources in the past 12 months

What’s Inside the Report

  • Cybersecurity as a procurement gate: How detailed vendor requirements and rising device rejection rates are reshaping what manufacturers must demonstrate to win deals.
  • The SBOM tipping point: Why 35% of purchasing decision-makers will not consider a device without a Software Bill of Materials and how SBOMs are being operationalized once received.
  • Regulatory impact: How FDA guidance and EU MDR requirements have influenced procurement processes at nearly 79% of organizations.
  • Incident frequency and patient harm: What the growing share of organizations reporting cyberattacks reveals about attack vectors, recovery times, and downstream vendor trust.
  • The legacy device gap: Why 28% of organizations are operating end-of-support devices and what compensating controls are being deployed when patching isn’t possible.
  • Runtime protection as mainstream defense: Why defenses that protect devices in the field are becoming more sought-after.
  • AI-enabled devices and emerging risk: Why AI adoption is outpacing security readiness, and what procurement frameworks need to catch up.

Download the report to access all the findings and recommendations.
