
How to Secure Medical Devices: SBOMs, Patching & Ransomware

Post Summary

In an era of rapidly evolving healthcare technology and pervasive cyber threats, securing medical devices has shifted from a technical challenge to a business-critical priority. Healthcare delivery organizations (HDOs), device manufacturers, and their vendor networks face mounting pressure to protect not only patient data but also the very systems that ensure safe and efficient care delivery. This transformation is driven by increasing interconnectivity, regulatory demands, and the rising sophistication of cyberattacks.

This article delves into the intricate landscape of medical device cybersecurity, offering insights from leading industry experts on threat management, compliance drivers, and strategies for aligning product security with business objectives.

The Growing Stakes: Why Cybersecurity Is Now a Business Imperative

From Technical Concern to Boardroom Priority

The healthcare sector is undergoing a critical shift. Cybersecurity is no longer just an IT challenge - it is now a central business issue, directly impacting patient safety, operational continuity, reputation, and revenue. According to Shane Fry, Chief Technology Officer at RunSafe Security, recent years have seen an uptick in ransomware attacks targeting both medical devices and the broader IT ecosystems of hospitals. These disruptions threaten not only financial stability but also critical healthcare operations, such as diagnostic imaging and robotic surgeries.

Key drivers of this shift include:

  • Regulatory pressure: Organizations face increasing scrutiny from regulators such as the FDA and from new legislation such as the EU Cyber Resilience Act (CRA).
  • Expanding attack surfaces: The growing interconnectivity of devices - ranging from pacemakers to MRI machines - has created more entry points for cyberattacks.
  • Patient safety: Cyber incidents, such as ransomware attacks, can lead to delayed care, adverse health outcomes, and long-term degradation of healthcare quality.

A Widening Threat Landscape

Phil Philer, VP of Medical Device Security at Health ISAC, highlights how the network expansion of healthcare technology has compounded risk. With high-acuity care moving to ancillary centers and even home environments, the number of devices, networks, and parties that must be secured has grown substantially, and so has the complexity of managing them.

"Every interconnected device in a hospital or remote care setting creates additional vulnerabilities", says Philer.

Common Threats: Vulnerabilities and Exploitation

Legacy Code and Technical Debt

A significant portion of medical devices runs on outdated software or legacy code, according to Patrick Arity, Security Researcher at Volcheek. These systems, often used for decades, are challenging to secure due to limitations in patching and updates.

"Many device manufacturers build for functionality, not longevity or security", Arity notes. This lack of foresight results in technical debt that accumulates over time, leaving systems vulnerable to exploitation.

Open-Source Software Risks

Open-source components, while cost-effective, introduce security vulnerabilities if not rigorously managed. Threat actors routinely exploit known vulnerabilities in widely used components such as the Log4j logging library (CVE-2021-44228, "Log4Shell"), and the hard part for a device fleet is often not the fix but the inventory: knowing which devices ship which version of the affected component. That is what a detailed software bill of materials (SBOM) provides, and it is why maintaining one is worth the effort.
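The following is an added example that is not part of the original post or the webinar: it shows the kind of check an SBOM makes possible, and also illustrates the "Leverage SBOMs" point in the strategy list below. It loads a constructed CycloneDX SBOM for a hypothetical device, matches each component's package URL (purl) against a small advisory table with [introduced, fixed) version ranges, and flags both affected components and components that cannot be matched at all because the SBOM gives them no identifier. The CVE identifiers and their version ranges are real (CVE-2021-44228 for log4j-core 2.0-beta9 up to but not including 2.15.0; CVE-2022-3602 for OpenSSL 3.0.0 up to but not including 3.0.7); the SBOM contents, the purl strings for non-Maven packages, and the advisory list as a whole are constructed for illustration. In practice the advisory data would come from NVD or OSV rather than an inline list.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM for a hypothetical pump gateway firmware.
# Not a real device's inventory. The last component deliberately has no purl
# to show how an incomplete SBOM fails silently unless you check for it.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "device", "name": "pump-gateway-fw", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1w",
     "purl": "pkg:generic/openssl@1.1.1w"},
    {"type": "library", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "motor-control-lib", "version": "0.9.3"}
  ]
}'''

# Advisory records in the shape a practitioner would pull from NVD or OSV:
# a version-less purl plus an [introduced, fixed) range. CVE ids and ranges
# are real; the list itself is a constructed subset, not a live feed.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "CVE-2022-3602", "purl": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.7"},
]


def parse_version(v):
    """Turn '2.14.1', '2.0-beta9' or '1.1.1w' into a comparable tuple.

    A pre-release tag after '-' sorts before the bare release it precedes;
    an OpenSSL-style letter suffix ('1.1.1w') sorts after the bare version.
    """
    main, _, pre = v.partition("-")
    nums, suffix = [], ""
    for part in main.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        if not m:
            raise ValueError(f"unparseable version: {v!r}")
        nums.append(int(m.group(1)))
        suffix = m.group(2) or suffix
    nums += [0] * (3 - len(nums))          # pad so '2.0' == '2.0.0'
    return (tuple(nums), 0 if pre else 1, pre, suffix)


def purl_base(purl):
    """Drop '@version' and '?qualifiers' so purls can be matched by package."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) hit, plus a NO-PURL
    finding for every component that carries no purl and so cannot be matched."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append({"component": comp["name"], "version": comp.get("version"),
                             "id": "NO-PURL", "fixed": None})
            continue
        for adv in advisories:
            if purl_base(purl) == adv["purl"] and \
                    is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "id": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Running the script reports log4j-core 2.14.1 as affected by CVE-2021-44228 (fixed in 2.15.0), reports nothing for openssl 1.1.1w because it is below the 3.0.0 floor of CVE-2022-3602, and reports motor-control-lib as NO-PURL. That last result is the one worth acting on in a real program: an SBOM that lists a component without a resolvable identifier gives a false sense of coverage, so unmatched components should be treated as an inventory defect to fix, not as "no known vulnerabilities".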

Ransomware: A Persistent Danger

Ransomware attacks remain a top concern, not just for their immediate operational impact but for their long-term consequences on patient care. Arity references the case of Black Basta ransomware, which crippled healthcare networks and forced hospitals to revert to paper-based systems. Studies cited in the webinar indicate that the fallout from such attacks can degrade patient outcomes for up to 18 months.

Regulatory and Compliance Challenges

Global regulatory bodies, including the FDA, have rolled out stricter cybersecurity frameworks. While these measures are intended to enhance resilience, they also present challenges:

  • Vulnerability management and patching: Updating devices without compromising functionality or safety is complex, especially with older systems.
  • Resource constraints: Many organizations lack the time, budget, and skilled personnel to meet new compliance standards.
  • Ambiguity in guidelines: Manufacturers often struggle to determine what constitutes "good enough" security.

EU vs. FDA Approaches

The EU Cyber Resilience Act takes a supply-chain-wide approach, holding every party accountable, from device manufacturers to cloud service providers, for the product's whole support period. The FDA's requirements attach at premarket submission: since section 524B of the FD&C Act took effect in 2023, a submission for a "cyber device" must include an SBOM and a plan for monitoring, identifying, and addressing postmarket vulnerabilities, so the FDA route is premarket in timing but not in scope. Both frameworks aim to improve resilience, but their different triggers and evidence requirements complicate compliance for organizations that sell into both markets.

Bridging Product Security and Business Strategy

Aligning Cybersecurity as a Business Enabler

For manufacturers and healthcare providers, cybersecurity is no longer optional - it directly influences market access, customer trust, and revenue. To align product security with business goals, organizations must:

  1. Embed security from the start: Building cybersecurity into product design reduces long-term technical debt and enhances resilience.
  2. Leverage SBOMs: Accurate SBOMs enable manufacturers and providers to track vulnerabilities and enforce accountability across supply chains.
  3. Prioritize patient safety: Every cybersecurity decision should ultimately focus on safeguarding the patient experience, from diagnosis to treatment.

Moving Beyond Compliance to Resilience

Regulatory compliance is a baseline, but true resilience requires a holistic approach:

  • Automation and transparency: Implementing automated patch management and vulnerability scanning helps address risks at scale.
  • Collaboration across stakeholders: Device manufacturers and healthcare providers must work together to define and meet shared security goals.
  • Continuous monitoring: Ongoing vigilance is essential to stay ahead of emerging threats and ensure operational continuity.

The Path Forward: Accountability and Innovation

Cybersecurity in healthcare is a shared responsibility that spans manufacturers, providers, and regulators. As regulatory frameworks solidify and threats continue to evolve, organizations must embrace a proactive and collaborative approach. By prioritizing resilience and integrating cybersecurity into every facet of healthcare delivery, the industry can ensure safer, more reliable care for all.

Key Takeaways

  • Cybersecurity is now a business-critical issue in healthcare, directly impacting patient safety, operational continuity, and revenue.
  • Ransomware attacks remain a top threat, with long-term impacts on patient care and hospital operations.
  • Legacy code and open-source components are significant vulnerabilities that require active monitoring and management.
  • Regulatory pressure is intensifying: The FDA and EU Cyber Resilience Act set new expectations for medical device security.
  • Accurate SBOMs are essential for tracking vulnerabilities and holding suppliers accountable.
  • Automation and transparency are key to managing cybersecurity at scale.
  • Holistic resilience goes beyond compliance, requiring collaboration across all stakeholders in the healthcare ecosystem.
  • Manufacturers must design cybersecurity into devices from the start and ensure they can be updated over their lifecycle.
  • Patient safety should remain the guiding principle for all cybersecurity efforts.

By fostering a culture of cybersecurity awareness and investment, healthcare organizations can protect their patients, secure their networks, and thrive in an increasingly connected world.

Source: "Medical Device Cybersecurity: From Ransomware to Regulation [Webinar]" - RunSafe Security Inc., YouTube, Dec 16, 2025 - https://www.youtube.com/watch?v=O0_T3sJhfy8
