
The healthcare industry is second only to finance in the volume of sensitive data it holds.
Therefore, the onus is on medical device manufacturers, their associated healthcare systems and related partners to understand the effectiveness of their cyber risk posture and adapt as necessary.
The safeguards that third-party providers have in place are a further cybersecurity consideration, a matter starkly evidenced by last year's ransomware attack on Synnovis, a third-party pathology provider to the UK National Health Service.
Phishing emails and a failure to use multi-factor authentication also remain frailties ripe for exploitation, as evidenced by last year's cyberattack on UnitedHealth Group subsidiary Change Healthcare. Although UnitedHealth is the largest health insurer in the US, holding the personal data of around 190 million Americans, it was still breached because attackers used stolen credentials to log into a remote-access portal in its environment that lacked MFA.
According to Deloitte research, 68% of medical devices will be connected in 2025. Many of these devices, such as smartwatches and wearable sensors, are beneficial for streamlining workflows and improving patient outcomes.
However, the connectedness of these innovations also amplifies the security risks around patient data, owing to factors including their reliance on wireless communication and cloud-based data storage platforms.
Add in a slew of incoming cybersecurity regulation globally, and the looming threat of today's widely deployed public-key encryption being broken by quantum computers, and cybersecurity in the medical device and broader healthcare space can feel like an unending pursuit, one that demands that organisations' security posture and cybersecurity awareness be frequently monitored and reassessed.
Current cybersecurity rationale for medical devices
According to Mohammad Waqas, chief technology officer for healthcare at the cyber exposure management and security company Armis, the current trend in cybersecurity for medical devices centres on prioritising and acting on findings.
Medical device companies are beginning to think about the implications of other elements of their attack surface, such as their third-party risk or the risk of the ecosystems they operate within.
“While medical devices are going a little bit more into the actionability remediation phases, the other attack vectors are coming into scope for organisations as well,” explains Waqas.
“Medical device companies are acknowledging the need for a much more holistic approach beyond medical devices.”
A lot of the conversations around medical device security are 'shifting left', Waqas says: healthcare delivery organisations and providers increasingly want to understand the security of a medical device before they connect it to their network, and even before the device is purchased.
According to Waqas, this shift has been influenced by regulation such as the European Union’s Artificial Intelligence Act, which is intended in part to foster a trustworthy ecosystem for modern medical devices. As a result, such regulation is leading device manufacturers to think about cybersecurity from the outset and to build and design their devices accordingly.
Regulation’s impact on cybersecurity protocols
Global medical device regulations that have appeared in recent years, such as the European Union's Medical Device Regulation, are providing some actionable hardening recommendations for medical devices, not only building in support for security controls but also mandating that these devices can be patched.
Waqas comments: “What I love about the regulations we’re seeing come up, is that they don’t only consider security requirements when the device is entering the market; they also have mandates if there’s a vulnerability that gets released afterwards.
“For example, there appears to be a move now by the regulation to say, if there is an incident, then we need the vendors to step up and be much more involved and have a process on how they’re going to help maintain the security posture of their medical devices.”
On the regulatory front, there is also a wave of digital regulation from the EU that brings medtech companies into scope.
Christopher Jeffery, partner and data protection specialist at law firm Taylor Wessing, notes that one of the key requirements of the Data Act, which is effective from September 2025, is that users must have access to data uploaded to and generated by connected devices, and that manufacturers must get consent to use data uploaded or generated for their own use around areas like product improvement or in training AI models.
However, Jeffery notes that while some companies are aware of the Data Act, it generally seems to be flying below the radar compared to the noise around AI regulation.
Regarding other regulation that factors in cybersecurity for medical devices, the NIS2 Directive is already in force, albeit with somewhat patchy national implementations across the EU.
Jeffery explains: "It imposes general cybersecurity requirements including supply chain resilience and reporting of security incidents for 'essential and important sectors' which include medical devices, in vitro diagnostic devices and medical devices which are critical in public emergencies."
Threat mitigation for cloud-based data in healthcare
Autolomous, the developer of Autolomate, a cloud-based platform that supports cell and gene therapy workflows, built a range of security resiliencies into its technology from the outset.
Compliant with the ISO 27001 standard, the company undertakes regular checks for a broad range of security threats and has a range of its own procedures for threat mitigation, says Autolomous CEO and co-founder Alexander Seyf.
Chief among these is the company's preference to deploy its platform with single sign-on, so that clients manage access through their own identity provider. Making every platform environment single-tenant, so that only the client organisation ever has access to its environment, adds a further layer of isolation.
These factors mean that clients can set granular permissions around who has data access, says Alexa Crăciunescu, head of product management at Autolomous, and ensure a proper segregation of duties around the platform data.
In addition to these platform design principles, Autolomous uses distributed ledger technology (DLT), so that the record of everything performed within the system is immutable.
“Everything is auditable, from the platform access to any changes on permissions,” says Crăciunescu.
"Every time something is recorded, we trace who it was done by and at what time, and everything is also forever available in terms of the data."
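To make the property described above concrete, the following Python script is an added example (not Autolomous' code, and not a description of their ledger) of the simplest mechanism that gives an audit trail tamper evidence: a hash chain, where every entry commits to the hash of the one before it, plus a keyed seal over the chain head held outside the log store. The entry fields, the sample entries and the key are constructed for this illustration.

```python
"""Tamper-evident, append-only audit log built as a SHA-256 hash chain.

Illustrative stand-in for a ledger-backed audit trail; not Autolomous' code.
Field names, the sample entries and the key are constructed for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash recorded by the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the chain, 0-based
    timestamp: str    # ISO 8601, supplied by the caller
    actor: str        # who performed the action
    action: str       # e.g. "permission.change"
    target: str       # what was acted on
    prev_hash: str    # entry_hash of the preceding entry (the chain link)
    entry_hash: str   # SHA-256 over every field above


def _hash_fields(seq: int, timestamp: str, actor: str, action: str,
                 target: str, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    payload = json.dumps(
        {"seq": seq, "timestamp": timestamp, "actor": actor, "action": action,
         "target": target, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def append(self, timestamp: str, actor: str, action: str, target: str) -> AuditEntry:
        seq = len(self.entries)
        prev = self.head()
        digest = _hash_fields(seq, timestamp, actor, action, target, prev)
        entry = AuditEntry(seq, timestamp, actor, action, target, prev, digest)
        self.entries.append(entry)
        return entry

    def seal(self, key: bytes) -> str:
        # Keyed seal over the chain head. The key must live outside the log store
        # (an HSM, a second team or, in a real DLT, the other ledger nodes).
        return hmac.new(key, self.head().encode("utf-8"), hashlib.sha256).hexdigest()

    def verify(self, key: Optional[bytes] = None,
               seal: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, first_bad_seq). Catches edits, deletions and reordering;
        with a seal it also catches a consistent rewrite of the whole chain."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            recomputed = _hash_fields(e.seq, e.timestamp, e.actor, e.action,
                                      e.target, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or recomputed != e.entry_hash:
                return False, i
            prev = e.entry_hash
        if key is not None and seal is not None:
            if not hmac.compare_digest(self.seal(key), seal):
                return False, len(self.entries)
        return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Build a small constructed log, seal it, then tamper with it two ways."""
    log = AuditLog()
    log.append("2025-01-10T09:00:00Z", "a.clinician", "login", "platform")
    log.append("2025-01-10T09:05:12Z", "site.admin", "permission.change",
               "a.clinician:role=editor")
    log.append("2025-01-10T09:07:40Z", "a.clinician", "batch.edit", "CGT-0042")
    key = b"constructed-demo-key-keep-elsewhere"
    seal = log.seal(key)
    results = {"clean": log.verify(key, seal)}

    # Tamper 1: rewrite who changed the permission, leaving the stored hash alone.
    e = log.entries[1]
    log.entries[1] = AuditEntry(e.seq, e.timestamp, "a.clinician", e.action,
                                e.target, e.prev_hash, e.entry_hash)
    results["edited_in_place"] = log.verify(key, seal)

    # Tamper 2: an insider with write access rebuilds the chain so every hash
    # is internally consistent. Only the externally held seal exposes this.
    rebuilt = AuditLog()
    for x in log.entries:
        rebuilt.append(x.timestamp, x.actor, x.action, x.target)
    results["rewritten_unsealed_check"] = rebuilt.verify()
    results["rewritten_sealed_check"] = rebuilt.verify(key, seal)
    return results


if __name__ == "__main__":
    for name, (ok, bad_seq) in demo().items():
        print(f"{name}: ok={ok} first_bad_seq={bad_seq}")
```

The second tampering case is the caveat a practitioner should keep in mind when a vendor says "immutable": a hash chain held by a single party proves nothing against that party, because they can regenerate the whole chain. What a distributed ledger adds is that the head is witnessed by other nodes, which the external seal stands in for here.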
Autolomous also conducts disaster recovery exercises every six months, which demonstrate that the company can restore systems to the most recent recovery point.
“We do backups ourselves. We have the backups from our suppliers, and clients can choose the frequency at which they want their data to be backed up,” says Crăciunescu.
Is healthcare preparing for the future threat of ‘Q-Day‘?
Quantum computers promise, for certain classes of problem, computational power far beyond what high-performance classical computers can achieve, and ever more capable quantum processors continue to emerge. IBM's Quantum Heron processor, released in November 2024, for example, is touted by IBM as delivering a 50-fold speed improvement over its predecessor.
A sufficiently large, fault-tolerant quantum computer running Shor's algorithm would break RSA and elliptic curve cryptography, the public-key methods that today protect key exchange and digital signatures. Symmetric ciphers such as AES are only weakened (Grover's algorithm roughly halves their effective key length), so a 256-bit key remains adequate. The practical concern is 'harvest now, decrypt later': encrypted traffic recorded today can be decrypted once such a machine exists, which is why data with a long confidentiality lifetime is exposed before 'Q-day' itself arrives.
In preparation for 'Q-day', as it is commonly referred to by those in the cybersecurity field, the US National Institute of Standards and Technology (NIST) finalised its post-quantum cryptography (PQC) standards in August 2024: FIPS 203 (ML-KEM, a key-encapsulation mechanism for establishing shared keys) and FIPS 204 and 205 (ML-DSA and SLH-DSA, digital signature schemes), all designed to withstand attacks from both classical and quantum computers. NIST's draft transition guidance (NIST IR 8547) proposes deprecating RSA and elliptic curve algorithms by 2030 and disallowing them by 2035, by which point the PQC standards are expected to have replaced them.
Currently the businesses most actively thinking about PQC are those that sell to the US government, but Ben Packman, chief strategy officer at PQShield, which co-authored NIST’s standards over an eight-year period, expects that rules around PQC will soon begin filtering through healthcare industry bodies.
Yet while it may be the case that health systems, and medical device manufacturers are waiting to be told by these regulators before creating their PQC roadmap, PQShield’s view is that since the standards already exist, those in the space needn’t wait to be told.
“Now is the time for medical device manufacturers to plot a roadmap towards implementing the PQC standards,” says Packman, “especially by those who manufacture embedded, connected medical devices designed to have a long shelf life of five to ten years or more.
“Medical data has some of the longest protection timelines in the world which means, as potential custodians of this data, medical device manufacturers should consider updating to quantum-proof cybersecurity a critical priority over the next few years.”
Packman also highlights that adopting PQC is not a 'like-for-like' swap. The switchover will take time and bring different memory and power requirements: an ML-KEM-768 public key is 1,184 bytes and its ciphertext 1,088 bytes, against 32 bytes each for X25519, and an ML-DSA-65 signature is 3,309 bytes against 64 bytes for Ed25519. Design teams will therefore need to reassess their hardware to accommodate PQC, and new products currently in the development cycle that are likely to be in the field after 2030 should be designed with PQC in mind.
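The two points above, which algorithms a quantum computer breaks outright versus merely weakens, and why long-lived devices and long-lived data must move first, are what a PQC roadmap exercise starts from. The following Python script is an added example (not PQShield's or NIST's tooling, and not from the original article) that triages a constructed cryptographic inventory on that basis: it classifies each algorithm family, applies Mosca's inequality (data protection lifetime plus migration time greater than the years until a cryptographically relevant quantum computer means exposure), and orders the work. The inventory rows, the migration estimates and the 2035 planning horizon (taken from NIST IR 8547's proposed disallow date) are assumptions.

```python
"""Quantum-risk triage for a cryptographic inventory.

Added example, not vendor or NIST tooling. Inventory rows, migration estimates
and the planning horizon are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Public-key families broken by Shor's algorithm on a large fault-tolerant QC.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# Symmetric ciphers: Grover halves effective key length; 256-bit keys stay adequate.
GROVER_WEAKENED = {"AES", "ChaCha20"}
# NIST PQC standards: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA).
PQC_STANDARDISED = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass(frozen=True)
class CryptoUse:
    asset: str              # device or service using the algorithm
    algorithm: str
    bits: int               # key size or parameter set
    purpose: str            # "key-exchange", "signature" or "bulk-encryption"
    protection_years: int   # how long the data (or the device's trust root) must hold
    migration_years: int    # estimate: design, test, certify and roll out a change


def status(algorithm: str) -> str:
    if algorithm in SHOR_BROKEN:
        return "broken"
    if algorithm in GROVER_WEAKENED:
        return "weakened"
    if algorithm in PQC_STANDARDISED:
        return "quantum-safe"
    return "unknown"


def mosca_exposed(protection_years: int, migration_years: int, now: int, qday: int) -> bool:
    # Mosca's inequality: X + Y > Z, where X is how long the secret must hold,
    # Y is how long migration takes, and Z is the years until a capable QC.
    return protection_years + migration_years > (qday - now)


def assess(use: CryptoUse, now: int, qday: int) -> Dict:
    s = status(use.algorithm)
    row = {"asset": use.asset, "algorithm": f"{use.algorithm}-{use.bits}",
           "status": s, "priority": 3, "action": "no change needed"}
    if s == "broken":
        exposed = mosca_exposed(use.protection_years, use.migration_years, now, qday)
        # Latest year migration can start without a window of exposure.
        start_by = qday - use.protection_years - use.migration_years
        replacement = ("ML-DSA or SLH-DSA" if use.purpose == "signature"
                       else "ML-KEM (hybrid with ECDH during the transition)")
        row.update(exposed=exposed, start_by=start_by,
                   action=f"migrate to {replacement}", priority=0 if exposed else 1)
    elif s == "weakened":
        if use.bits < 256:
            row.update(action="move to a 256-bit key (Grover halves effective strength)",
                       priority=2)
        else:
            row["action"] = "adequate: 256-bit key keeps 128-bit post-quantum strength"
    elif s == "unknown":
        row.update(action="review: algorithm not in the known set", priority=2)
    return row


def triage(inventory: List[CryptoUse], now: int, qday: int) -> List[Dict]:
    """Most urgent first: exposed public-key uses by earliest start-by year,
    then unexposed public-key uses, then symmetric upgrades, then the rest."""
    rows = [assess(u, now, qday) for u in inventory]
    return sorted(rows, key=lambda r: (r["priority"], r.get("start_by", qday), r["asset"]))


# Constructed inventory for a hypothetical device manufacturer.
INVENTORY = [
    CryptoUse("implant-telemetry-link", "X25519", 256, "key-exchange", 25, 5),
    CryptoUse("firmware-update-signing", "ECDSA", 256, "signature", 10, 4),
    CryptoUse("bedside-hub-tls", "RSA", 2048, "key-exchange", 2, 3),
    CryptoUse("cloud-db-at-rest", "AES", 128, "bulk-encryption", 25, 1),
    CryptoUse("backup-archive", "AES", 256, "bulk-encryption", 25, 1),
    CryptoUse("pilot-gateway-tls", "ML-KEM", 768, "key-exchange", 2, 0),
]

if __name__ == "__main__":
    for r in triage(INVENTORY, now=2025, qday=2035):
        print(r)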
According to Packman, one of the big issues that health systems will face is reconciling the need to update to PQC with the broader cybersecurity vulnerabilities they are well-known to have.
“Fractured, legacy IT systems mean that healthcare is a frequent target of attacks, and poorly secured medical devices only compound this,” says Packman.
“While medical device manufacturers look to adopt PQC, this is also an opportunity for health systems at large to update legacy systems and patch the broader vulnerabilities that make data vulnerable to attack. Therefore, migrating to PQC now gives a clear competitive advantage over those without a transition plan.”
Repeating the same mistakes in cybersecurity appears to be a recurrent issue, at a time when medical devices continue to become more connected and software-driven at pace.
James Rawlinson, director of health informatics at the Rotherham NHS Foundation Trust, recently raised security concerns that organisations are unprepared to migrate to Windows 11 before free support for Windows 10 ends in October 2025, because a large proportion of their hardware is too old to run it.
ThreatAware CEO Jon Abbott notes that once free support ends, devices running Windows 10 will no longer receive automatic security updates, making them more vulnerable to cyber threats.
Armis’s Waqas calls for a “back to basics” approach to cybersecurity in shoring up the basic principles of defence like having MFA in place on all potentially vulnerable systems and applications.
Many organisations are taking proactive steps to mitigate cyber threats and keep data secure, closely monitoring their threat posture so that adjustments can be made as necessary. There also appears to be a move by device manufacturers to bear in mind the broader risks presented by the systems their devices may be a part of.
But at a time when headlines are made over companies being breached by phishing attacks, a technique that has been around since the mid-90s, it seems reasonable to ask: how can the healthcare industry, and those that operate within it, defend against the more sophisticated cyber threats of the future when large organisations are evidently still failing to get the basics right?