Healthcare organizations are prioritizing cybersecurity in procurement, resulting in the acquisition of more secure medical devices. Despite this increased focus, attacks on medical devices and their impact on patient care have risen over the past year.
According to RunSafe Security’s 2026 Medical Device Cybersecurity Index, 24% of surveyed organizations reported that medical devices in their facilities were impacted by a cyberattack or exploited vulnerability. Of those that experienced incidents, 80% saw moderate or significant disruption to patient care. These figures have increased from 2025, when 22% of devices were affected and 75% of incidents disrupted patient care.
The findings land against a backdrop of large-scale healthcare cyber incidents, including the Stryker attack in early 2026 and the Change Healthcare ransomware attack. Each incident disrupted care delivery and revenue. And while procurement is absolutely important for reducing the likelihood of a successful attack, other factors leave healthcare organizations at risk.
Healthcare Organizations Integrate Cybersecurity into Procurement
As risks to devices and regulatory requirements increase, healthcare organizations are changing how they evaluate and purchase medical devices. The overwhelming majority of healthcare organizations have integrated cybersecurity requirements into their vendor evaluation processes, with 84% including them in vendor RFPs.
Regulation is certainly a driving factor. Nearly 79% of respondents said FDA cybersecurity guidance or EU MDR requirements have meaningfully influenced their procurement processes, up from 73% in 2025. Additionally, nearly 81% of respondents rate a Software Bill of Materials (SBOM) as “important” or “essential” when evaluating devices.
The SBOM requirement reflects a shift in how buyers assess device risk. A device's clinical capabilities say nothing about its attack surface. Knowing which software components are inside a device and whether any carry known vulnerabilities has become an expectation in a way it simply wasn't a few years ago.
This demonstrates the security and regulatory mindset influencing healthcare purchasing decisions. For medical device manufacturers and suppliers, it is notable that 40% of organizations reported security incidents affected their trust in specific vendors, and 7% stopped purchasing from certain vendors entirely. This underscores the importance of building and maintaining trust.
For manufacturers, this represents both a revenue and reputational risk. Trust lost after a breach is difficult to restore, and healthcare organizations now have more alternatives than in the past.
The Weak Points
Although procurement standards are improving, medical devices remain vulnerable in three key areas: network security, AI and unpatched legacy devices. In the survey, 41% of respondents reported experiencing a network intrusion that required device isolation. Once attackers access IT systems or networks, they can quickly move laterally and take medical devices offline.
Defending healthcare network environments is particularly challenging. Clinical networks are complex, segmentation is difficult to maintain, and much of the supporting infrastructure predates networked threats. Strong security and software best practices are needed to protect devices from attacks.
Another significant cybersecurity risk is legacy devices that are difficult for organizations to patch or replace. The 2026 Index found that 28% of organizations operate devices past end-of-support and 44% acknowledge running end-of-support devices with known, unpatched vulnerabilities.
Healthcare organizations are not running these devices out of negligence. Replacing systems such as MRI machines or infusion pump fleets is not dictated by security timelines, and manufacturers may discontinue support before a clinical need for replacement arises. That gap between the security and clinical lifecycles is one of the defining problems in the field, and procurement improvements alone will not close it.
AI now plays a significant role in medical devices. Risks include vulnerabilities in AI-enabled or AI-assisted devices and the potential for AI models to develop exploits targeting healthcare organizations. Buyers and manufacturers must address both the rapid development of AI-driven exploits and attacks on AI-enabled devices. Currently, there are no established frameworks specifically for AI in clinical environments, and this gap must be addressed more quickly.
Where to Go from Here?
Healthcare organizations are prioritizing medical device security. To address remaining risks, efforts should focus on closing the legacy device gap with compensating controls and developing AI-specific cybersecurity frameworks.
For organizations managing legacy exposure today, network segmentation, behavioral monitoring and strict access controls can reduce risk even for devices that cannot be patched. These measures do not eliminate the exposure, but they limit the damage when an attacker finds a way in. Medical device manufacturers also have a role to play and can build trust in device security by integrating security into device architectures and engaging IT and cybersecurity stakeholders directly in their efforts to make devices more resilient.
Healthcare organizations have demonstrated they can raise the bar on what they buy. The harder work now is securing what they already have.