Cybersecurity report says AI-enabled medtech introduces new risks

https://www.medicaldesignandoutsourcing.com/runsafe-cybersecurity-report-2026-ai-risks/

Publish Date: 2026-04-29 12:35:00

Source Domain: www.medicaldesignandoutsourcing.com

Author:

Nearly 60% of the healthcare professionals surveyed are “extremely” or “very” concerned about cybersecurity attacks impacting medical devices, and some organizations have already experienced attacks that affected patient care, according to a survey commissioned by RunSafe Security.
RunSafe said it surveyed 551 healthcare professionals in the U.S., U.K. and Germany who are involved in device purchasing decisions and familiar with their organizations’ cybersecurity practices.
The cybersecurity software vendor asked those decision-makers about cybersecurity incidents involving medical devices and how cybersecurity factors into their device purchases.
“The findings land against a backdrop of large-scale healthcare cyber incidents that have disrupted care delivery and revenue flows, underscoring how quickly attacks on device-adjacent systems can translate into patient harm,” RunSafe Security founder and CEO Joe Saunders said in a news release.
The survey found 24% of healthcare facilities reported cyberattacks affecting medical devices, up from 22% the year before. The majority (80%) of those affected reported moderate or significant impact on patient care.
Cyber incidents caused extended hospital stays, and manual workarounds affected nearly half of the impacted organizations, RunSafe said; recovery times are also growing longer. Almost two-fifths (39%) of the impacted facilities reported 5 to 12 hours of downtime, and 37% reported 1 to 4 hours of disruption.
“Cyberattacks are becoming more frequent, the impact on patient care is worsening, and legacy device exposure persists in critical environments,” the report said.
The systems most commonly affected by those incidents were electronic health records systems (35%), patient monitoring devices (23%), laboratory and diagnostic equipment (18%), networked surgical equipment (10%) and imaging systems (8%).
Last year, malware infections and network intrusions were the dominant forms of reported cyberattacks. In 2026, malware infections (48%) and network intrusions (41%) remain the most common, but remote access exploitation has emerged as a major threat, cited by 38% of affected organizations (respondents could report more than one attack type).
RunSafe said the emergence of remote access exploitation signals that “attackers are adapting to the growing remote access footprint of connected devices.”
“Devices that were once air-gapped are now networked, and that expanded attack surface is being exploited,” the report said. “Organizations that have not implemented network segmentation, access controls, and runtime protections are exposed.”
AI-enabled devices are introducing new risks that organizations aren’t fully equipped to manage, the report said.
Over half (57%) of the organizations surveyed currently use AI-enabled or AI-assisted medical devices or clinical systems. But rapid AI adoption is outpacing confidence in understanding the cybersecurity risks that come with the technology.
“As AI-driven diagnostics and decision support become standard, the attack surface they create — including model manipulation, data poisoning, and adversarial inputs — will demand specific procurement and monitoring frameworks that most organizations have not yet developed,” the report said.
“While investment and security maturity are increasing, new technologies such as AI are expanding the attack surface faster than organizations can secure it. Without dedicated frameworks, this gap is likely to widen,” the report continued.
Despite concerns, confidence in detection and containment of cyber threats improved this year, with 22% of respondents claiming they feel “extremely confident” with their organization’s cybersecurity resources compared to just 17% last year.
This year’s data shows organizations reinforcing their cybersecurity efforts with sustained investment, treating medical device and operational technology (OT) security as ongoing strategic priorities rather than one-time initiatives.
In 2026, 77% of surveyed organizations increased their medical device and OT security budgets, with 21% reporting a significant increase. Less than 1% reported a reduced investment.
What medical device buyers want from vendors
In 2026, 40% of organizations surveyed reported that cybersecurity incidents had affected their trust in specific vendors, with 7% reporting they have stopped purchasing from specific vendors entirely.
“More organizations are requiring cybersecurity in request-for-proposals (RFPs), more are demanding detailed requirements, and more are walking away from devices that don’t pass muster,” the report said.
RunSafe’s survey found 84% of healthcare organizations include cybersecurity requirements in their vendor request-for-proposals, with 43% including detailed security requirements, up from 38% in 2025. More than half (56%) have declined to purchase a device due to cybersecurity concerns.
The most cited grounds for sales rejection were: known vulnerabilities (48%), lack of security patching support (47%), weak authentication or access controls (46%), poor overall vendor security practices (42%), lack of software bill of materials (SBOMs) or software transparency (34%), and unsupported or legacy operating systems (31%).
Nearly 79% of survey respondents said FDA cybersecurity guidance and EU MDR requirements have influenced their procurement processes, up from 73% last year. Fewer than 3% of respondents reported that these regulations have had no impact on their procurement processes.
RunSafe says the regulatory impact data “reflects a healthcare sector that is actively monitoring evolving regulatory frameworks and adjusting its vendor expectations accordingly.”
“One of the clearest manifestations of this regulatory influence is the widespread adoption of SBOMs, which have quickly become a standard requirement in device evaluation,” the report said.
The majority of respondents (81%) said SBOMs for software component transparency are “essential” or “important” when evaluating devices, with 35% saying they won’t consider a device without an SBOM.
“An organization that rates SBOMs as ‘essential’ will not evaluate devices lacking one,” the report said. “With 35% of healthcare purchasers holding this position, vendors without SBOM capabilities are disqualifying themselves from a substantial portion of the market.”
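The rejection grounds listed earlier (known vulnerabilities, unsupported operating systems, missing software transparency) and the “no SBOM, no evaluation” stance described here can be turned into a repeatable procurement screen. The following is an added example, not code from the article, from RunSafe or from any device vendor: it parses a vendor-supplied CycloneDX-style SBOM and applies those criteria. The SBOM contents, the component names (“acme-os”, “acme-tls” and so on), the advisory entry and the end-of-support table are all constructed for illustration; a real evaluation would take the SBOM from the vendor and the advisory and end-of-life data from vulnerability and vendor support feeds.

```python
"""Added example: a procurement screen applied to a vendor SBOM.

Not code from the article or from RunSafe. All inputs below are constructed:
component names are fictional, the advisory identifier is an example label
(not a real CVE), and the end-of-support table is a stand-in for a real feed.
"""
import json
from typing import Optional

# Constructed CycloneDX-style SBOM for a fictional device.
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "device", "name": "example-monitor", "version": "4.2.0"}},
  "components": [
    {"type": "operating-system", "name": "acme-os", "version": "7",
     "purl": "pkg:generic/acme-os@7"},
    {"type": "library", "name": "acme-tls", "version": "1.0.2",
     "purl": "pkg:generic/acme-tls@1.0.2"},
    {"type": "library", "name": "acme-compress", "version": "1.3.1",
     "purl": "pkg:generic/acme-compress@1.3.1"},
    {"type": "library", "name": "acme-json"}
  ]
}"""

# Same fictional device after a vendor update: every component versioned,
# supported OS, nothing in the advisory feed.
CLEAN_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "operating-system", "name": "acme-os", "version": "11",
     "purl": "pkg:generic/acme-os@11"},
    {"type": "library", "name": "acme-tls", "version": "3.2.1",
     "purl": "pkg:generic/acme-tls@3.2.1"}
  ]
}"""

# Hypothetical advisory feed keyed by package URL (stand-in for NVD/KEV lookups).
HYPOTHETICAL_ADVISORIES = {
    "pkg:generic/acme-tls@1.0.2": "EXAMPLE-ADVISORY-1 (constructed, not a real CVE)",
}

# Hypothetical end-of-support table keyed by (OS name, version).
HYPOTHETICAL_EOL_OS = {
    ("acme-os", "7"): "vendor support ended (constructed entry)",
}


def parse_cyclonedx(text: Optional[str]) -> Optional[dict]:
    """Return the parsed SBOM, or None if nothing usable was supplied."""
    if not text:
        return None
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return None
    if doc.get("bomFormat") != "CycloneDX" or not isinstance(doc.get("components"), list):
        return None
    return doc


def screen_device(sbom_text: Optional[str], advisories: dict, eol_os: dict) -> dict:
    """Apply the procurement criteria and return a decision plus findings.

    Any 'reject' finding rejects the device; otherwise any 'review' finding
    (a component that cannot be assessed) holds it for manual review;
    otherwise it is accepted on these criteria.
    """
    sbom = parse_cyclonedx(sbom_text)
    if sbom is None:
        # Mirrors buyers who will not consider a device without an SBOM.
        return {"decision": "reject", "findings": ["no usable SBOM supplied"]}

    findings = []  # (severity, message)
    for comp in sbom["components"]:
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        purl = comp.get("purl")
        if not version:
            findings.append(("review", f"{name}: no version recorded, cannot assess"))
            continue
        if purl and purl in advisories:
            findings.append(("reject", f"{name}@{version}: known vulnerability {advisories[purl]}"))
        if comp.get("type") == "operating-system" and (name, version) in eol_os:
            findings.append(("reject", f"{name} {version}: unsupported OS, {eol_os[(name, version)]}"))

    severities = {s for s, _ in findings}
    decision = "reject" if "reject" in severities else "review" if "review" in severities else "accept"
    return {"decision": decision, "findings": [m for _, m in findings]}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SBOM_JSON), ("clean", CLEAN_SBOM_JSON), ("missing", None)):
        result = screen_device(text, HYPOTHETICAL_ADVISORIES, HYPOTHETICAL_EOL_OS)
        print(label, result["decision"], *result["findings"], sep="\n  ")
```

The screen is deliberately strict in the direction the survey describes: an unparseable or absent SBOM is a rejection rather than a warning, and a component with no version is held for review because it cannot be matched against any advisory or support table. Matching on exact package URLs keeps the example simple; a production screen would add version-range matching against the advisory feed.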
The report says 79% of respondents said they would pay a premium for devices with advanced cybersecurity, with nearly half (49%) willing to pay 5% or more.
When organizations were asked about specific cybersecurity requirements that influence their purchasing decisions, they cited capabilities such as secure software update mechanisms (62%), secure authentication and access controls (61%), third-party security testing or certification (48%), runtime or exploit protection technologies (37%), vendor vulnerability disclosure programs (36%), SBOMs (31%) and post-market patching commitments (25%).
RunSafe said one of the most difficult cybersecurity challenges facing healthcare organizations is devices that facilities can’t replace. Nearly three in ten organizations (28%) operate medical devices that are past the manufacturer’s end-of-support, the report said, and a significant portion of those devices carry known, unpatched vulnerabilities.
“The inability to patch, combined with continued clinical reliance on vulnerable devices, creates a structural security gap that cannot be closed solely through procurement alone,” the report said. “This gap is almost certainly a key driver behind the rise in runtime protection adoption seen in 2026.”
Over 82% of healthcare organizations have deployed or are actively piloting advanced cybersecurity technology, such as runtime exploit protection that defends devices when patches can’t be applied.
Less than 1% of survey respondents who are aware of runtime protection said they have no plan to use the technology. Among those unfamiliar with the protection technology, 16% have heard of it but don’t fully understand it. RunSafe said this data represents an “education opportunity for vendors and security teams.”
“Survey data shows that the overwhelming majority of healthcare organizations have integrated cybersecurity requirements into their vendor evaluation processes and that these requirements are having a measurable impact on purchasing outcomes,” the report said.
Only 2.4% of respondents said cybersecurity is absent from their RFP process and nearly 8% plan to add it, meaning fewer than one in 10 organizations are not yet including security criteria in vendor evaluations.
“What the data reveals is an industry that has internalized the threat and is responding with greater urgency, more specific procurement requirements, and growing investment,” the report said. “But it also reveals persistent structural gaps in confidence, in legacy device management, and in the emerging security challenges posed by AI-enabled devices that spending alone has not closed.”
You can download the full report at RunSafe Security’s website.