HIPAA’s Security Rule meets quantum risk: A renovation that needs one more fix – IAPP
Frequency and Severity of Hacks of Medical Devices Increasing – The HIPAA Journal
Healthcare organizations are increasingly concerned about medical device security and for good reason – attacks targeting or impacting medical devices are increasing, and those attacks are negatively impacting patient care. Adoption of AI-enabled and AI-assisted medical devices is increasing, despite serious concerns about the cybersecurity risks associated with the devices, and legacy devices continue to be used past end-of-support, despite those devices containing known and unpatched vulnerabilities.
According to a recent survey by RunSafe Security of 551 healthcare professionals involved in device purchasing decisions in the U.S., UK, and Germany, healthcare organizations are getting better at reducing medical device security risks, although the underlying risks remain significant, and in many cases are increasing in severity and impact. When questioned about medical device cybersecurity, 59% of respondents said they are extremely or very concerned about a cybersecurity incident impacting medical devices, with almost one-quarter reporting that such an attack has already occurred. 80% of respondents who experienced a cyberattack reported that it had a moderate or significant impact on patient care, up from 75% last year.
Hackers may not specifically target medical devices, but the devices are often impacted by a cyberattack, and the downtime is often significant. Most commonly, an attack results in between 5 and 12 hours of downtime (39% of respondents), with 37% reporting downtime of between 1 and 4 hours. Downtime can be significantly longer, however, with 11% of respondents reporting downtime of between 13 and 24 hours, and 5% reporting downtime of more than 3 days.
The most commonly affected systems were electronic medical records (35% of organizations), patient monitoring devices (23%), lab and diagnostic equipment (1%), networked surgical equipment (10%), and medical imaging systems (8%). The survey revealed threat actors are increasingly adapting to the remote access footprint of connected devices, with 38% of respondents reporting incidents involving remote access exploitation. RunSafe Security warns that organizations that have not implemented network segmentation, access controls, or runtime protections are particularly exposed.
Healthcare organizations continue to use legacy devices that cannot easily be replaced and cannot be patched. 28% of respondents said they operate legacy medical devices that are past the end-of-support, and 44% of respondents admitted running end-of-support devices with known, unpatched vulnerabilities. 38% of respondents said they have devices that they are occasionally or frequently unable to patch, and 42% of legacy device users said between 10% and 25% of those devices are running on an unsupported operating system. Those devices are spread throughout critical care environments, including general inpatient wards, emergency departments, outpatient and ambulatory settings, intensive care settings, and operating rooms and procedure suites. The most common reasons for their continued use were no acceptable replacements (38%), budget constraints (36%), regulatory or approval constraints (34%), a lack of vendor upgrade path (24%), or the risk of continued use having not been formally accepted by leadership (17%).
Adoption of AI-enabled and AI-assisted medical devices is growing fast, with 57% of respondents currently using those devices, although 80% of respondents expressed at least a moderate concern about the cybersecurity risks that they introduce, such as model manipulation, data poisoning, and adversarial inputs. According to RunSafe Security, adoption of AI-enabled and AI-assisted medical devices and systems is outpacing confidence in the ability to mitigate cybersecurity risks associated with the devices.
The survey has identified some positives. Healthcare organizations are taking medical device security seriously, with 85% of respondents including basic or detailed cybersecurity requirements in their RFPs, up from 83% last year, and 56% of respondents have rejected a device due to cybersecurity concerns. Almost all respondents understand the importance of an SBOM, with 81% of respondents rating SBOMs as either important or essential for medical devices. Regulation is also increasingly important, as 79% of respondents said FDA cybersecurity guidance or EU MDR requirements have had a meaningful influence on their procurement processes, up from 73% last year. To address the problem of medical devices that have reached end-of-support and cannot be replaced, runtime protection serves as a critical compensating control, with 82% of respondents saying they have widely deployed or are piloting runtime exploit protection.
While genuine progress has been made in improving medical device security, attacks on medical devices are more frequent than they were twelve months ago, and the impact on patient care when incidents occur has worsened. “The lesson of the past year is not that investment and attention are failing but that the risk is moving at least as fast as the response. Closing that gap will require more than procurement rigor and budget growth. It will require security built into devices before they reach clinical environments, as well as the ability to protect devices already in place that cannot be replaced. That is where the industry’s work remains,” wrote RunSafe Security in the report.
2026 HIPAA Security Rules Set to Confront Rising Cybersecurity Threats – citybiz
Ransomware Attack on Good Samaritan Health Center Affects 10,000 Individuals – The HIPAA Journal
Data breaches have recently been announced by Green Imaging, Good Samaritan Health Center, Wonderland Child & Family Services, and L.A. Care Health Plan.
Good Samaritan Health Center
Good Samaritan Health Center in Atlanta, Georgia, has notified 10,000 individuals about a February 9, 2026, ransomware attack on one of its internal servers. The attack was identified on February 9, 2026, and the server was isolated to contain the attack. The server was restored from backups on the same day. Good Samaritan Health Center said it has found no evidence to suggest that there has been any misuse of data stored on the server, nor was evidence found of any public disclosure of patient data after the attack; however, Good Samaritan Health Center could not rule out the possibility that data had been accessed or stolen.
Data on the server was reviewed, and the files were found to contain names, dates of birth, zip codes, and limited clinical information. Social Security numbers and financial information were not compromised as they were not stored on the server. Good Samaritan Health Center said it has taken steps to strengthen security, including resetting all passwords, enhancing its monitoring systems to detect malware, and providing ongoing security and privacy training to its workforce. The affected individuals have been advised to review the statements they receive from their healthcare providers and insurers, and should report any services or charges for services that were not received.
Wonderland Child & Family Services
Wonderland Child & Family Services has notified 1,283 individuals about an insider data breach. On or around January 26, 2026, Wonderland Child & Family Services identified unusual activity relating to one of its former employees. An investigation was launched to determine the scope and nature of the activity, and legal counsel was retained to investigate further.
The investigation determined that the protected health information of certain individuals may have been viewed or copied by the employee in an unauthorized manner on May 31, 2023. A review was conducted, and the information impermissibly accessed included names, dates of birth, and medical information. Wonderland Child & Family Services said it is reviewing and enhancing its policies and procedures to reduce the likelihood of similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
L.A. Care Health Plan
L.A. Care Health Plan has identified an error with a mailing that resulted in letters intended for one individual being sent to an incorrect health plan member on January 30, 2026. The error was due to a mistake that matched 2,885 member identification numbers with the wrong names when sending annual Health Risk Assessment (HRA) forms to L.A. Care Medi-Cal members. The information in the mailing was limited to member name, health plan name, and program name. No highly sensitive information was included in the mailing. L.A. Care Health Plan has updated its processes to prevent similar incidents in the future.