Medical devices connected to a healthcare organization's network often use weak, old security that can give a hacker access to the organization’s entire system. Vulnerabilities in medical devices can have serious consequences for healthcare providers, patients, and their protected health information (PHI).
Related: HIPAA compliant email: The definitive guide (2026 update)
Healthcare: the most targeted sector
According to the FBI in its 2025 IC3 Annual Report, the healthcare industry ranked as the top targeted sector for cyber threats in 2025, with 460 known ransomware attacks and 182 data breaches. Cybercriminals target healthcare because patients’ PHI is central to proper patient care. A single compromise can cause a long list of issues for a healthcare organization, and unfortunately, the healthcare industry has numerous threat vectors prime for an attack, such as medical devices.
Hackers know that disabling a health network can make it difficult for healthcare organizations to properly treat patients. That’s why it's not unheard of for a covered entity to pay a ransom to have its systems restored, even though there are signs that organizations making ransom payments is changing.
Financial gain remains the primary motivation behind healthcare data theft because of the opportunity for multiple forms of fraud. Criminal marketplace pricing clearly demonstrates the demand: a driver’s license reportedly sells for about $20, while a complete identity package can sell for $1,000. Stolen PHI can be used for identity theft and to impersonate patients needing medical services.
Medical devices used in healthcare
The healthcare industry relies on medical devices to improve patient health, care, and outcomes. Here are a few examples:
- Insulin pumps
- MRI scanners and other imaging systems
- Implantable cardiac devices (e.g., pacemakers, defibrillators)
- Radiological equipment
- Intensive care equipment
- Blood pressure monitors
- Wearable medical devices
- Smart hospital beds
- Networked surgical equipment
- Infusion pump
- Electronic health records
- Telemedicine platforms
Medical devices are an integral part of the ever-expanding Internet of Medical Things (IoMT), a collection of health system devices connected through a network. Such devices and software applications communicate with each other over the internet (or intranet) to provide patient care. If any one of these devices is breached, the entire system could be infiltrated or taken down.
How do cybercriminals attack medical devices?
Medical devices are an attractive entry point for threat actors who want to access and/or steal PHI. In 2022, the FBI issued a report confirming that 53% of medical devices had a known vulnerability at that time. Unfortunately, many healthcare organizations do not prioritize medical device security, whether due to ability or costs.
Medjacks, or medical device hijackings, are often unseen threats in the healthcare industry. Attackers exploit device weaknesses to access the devices themselves and/or an organization’s network to disrupt operations. Once in a system, a hacker can hunt for a wide range of sensitive information, starting with medical records that contain patient information, health histories, diagnoses, treatments, and medications.
Medical device vulnerabilities occur because of the interconnected nature of these devices through an IoMT, which relies on networks for diagnostics, monitoring, treatment, and communication. Moreover, several medical devices still in use today are legacy risks that, due to age, do not have appropriate security and cannot be patched properly. Patch management is the process by which organizations protect themselves from vulnerabilities by installing up-to-date software, drivers, and firmware.
What is new about medical device attacks?
The rapid adoption of wireless and remote technologies, and the continued use of legacy devices, have expanded the healthcare attack surface of medical devices. Early in 2026, 22% of healthcare organizations had already faced at least one cyberattack on a medical device. Increased attack surfaces provide more opportunities for hackers to infiltrate systems and enable them to use even more vicious attack methods.
For example, medical device manufacturers (i.e., healthcare business associates or vendors) are also finding themselves under frequent attacks this year. Medtronic, headquartered in Ireland, recently disclosed that an unauthorized party accessed certain parts of its internal systems. The cyber group that claimed responsibility, ShinyHunters, says it exfiltrated over nine million records.
Unfortunately, such attacks against manufacturers and designers have dominated headlines in 2026, while we also read stories of continued attacks against devices themselves within healthcare facilities. A recent survey by a U.S. cybersecurity company found that one-in-four (out of 551) healthcare organizations experienced a medical device attack in the past year, disrupting patient care.
With the shifting cyber threat landscape, attackers aren’t simply decrypting information anymore. They often steal and then extort, threatening to make the data public if not paid.
The impact of medical device attacks
In 2022, the FBI warned that unsecured medical devices “could impact healthcare facilities’ operations, patient safety, and the confidentiality and integrity of medical information,” creating a major security issue. The impact of medical device vulnerabilities on the healthcare industry can be devastating, from loss of data to loss of patients.
The damage can go beyond monetary costs (e.g., loss from a ransom or cyberattack recovery), with other costs including:
- Hacked, changed, and unusable devices
- Loss of confidence from patients and stakeholders
- Compromised healthcare data
- Patients targeted with changes to their medical devices
- Patients hit by identity theft or blackmail themselves
- Disruption of services
Devices designed to save lives may also expose a hospital network to a cyberattack. The consequences of a successful breach can be severe, even leading to business and financial losses. For healthcare organizations, a data breach can also lead to compromised patient information and even patient death.
Cybersecurity strategies for HIPAA compliance
Preventing medical device attacks requires a comprehensive cybersecurity approach. There are several tactics that could be used effectively by healthcare organizations when creating a layered, consolidated security system.
- Establishing up-to-date policies and procedures
- Keeping systems, software, and security features aligned with advanced technologies
- Using business associate agreements (BAAs) when working with third parties
- Creating a program to identify and install needed updates and patches
- Using continuous employee awareness training, including on medical device use
- Ensuring proper technological safeguards, such as data encryption
- Employing extra firewalls and endpoint security
- Utilizing strong access controls
- Keeping devices (physically) in secure, controlled locations
- Connecting devices only to private and encrypted networks
- Creating data backup and disaster recovery plans in case of an incident, especially possible double or triple extortion
- Regularly auditing and monitoring systems
- Having an incident response plan ready in case it is needed
HIPAA compliance regulations aim to protect health information. Adhering to HIPAA standards with a defensive approach helps providers protect privacy, leading to stronger systems and better patient outcomes.
Further info:
Leveraging advanced cybersecurity strategies
Advanced technologies, such as AI and machine learning (ML), can play a significant role in enhancing cybersecurity defenses while also contributing to their vulnerabilities. Generative AI is a machine learning model that can create new outputs based on patterns learned from existing data. While criminals can exploit weaknesses with advanced technology, healthcare organizations can invest in solutions that provide real-time threat detection and response capabilities.
In healthcare, generative AI allows advanced data analysis, predictive modeling, and automation. Implementing tools like generative AI can help healthcare organizations use the benefits of advanced technologies without compromising patient privacy.
FAQs
What is a medical device?
A medical device is any instrument, apparatus, machine, or implant used to diagnose, prevent, or treat medical conditions.
What types of medical devices are covered under HIPAA?
All medical devices that collect, store, or transmit electronic PHI, such as wearable health monitors, imaging equipment, and connected devices, fall under HIPAA regulations.
Do medical device manufacturers need to comply with both HIPAA and FDA regulations?
Yes, medical device manufacturers are required to comply with both HIPAA and FDA regulations. They must ensure that their devices meet FDA safety and effectiveness standards and adhere to HIPAA’s privacy and security rules when handling protected health information.
What is the role of medical device manufacturers in cybersecurity?
Manufacturers must integrate security features during design, but many legacy devices lack this protection.
Are third-party applications used with medical devices subject to HIPAA?
Yes, third-party applications that process electronic PHI from medical devices are also subject to HIPAA regulations and must implement appropriate safeguards to protect patient information.
What should healthcare providers and covered entities consider when using medical devices in terms of HIPAA compliance?
Healthcare providers and covered entities should ensure that the use of medical devices complies with HIPAA regulations, especially when these devices involve the collection, storage, or transmission of protected health information. They must also consider the security and privacy implications of integrating medical devices into their health IT systems.
Can patients request to see how their data is used by medical devices?
Under HIPAA, patients have the right to request information about how their electronic PHI is used and disclosed by healthcare providers and medical devices, promoting transparency in their healthcare.
