
After decades of accepting cybersecurity as someone else’s problem, healthcare buyers have reached a turning point. Where cost and functionality once dominated purchasing decisions, cybersecurity requirements now serve as mandatory gatekeepers that can eliminate vendors from consideration entirely.
Recent regulatory actions underscore this shift. In early 2025, the FDA and CISA issued warnings about critical cybersecurity flaws in Contec and Epsimed patient monitors — weaknesses that threatened both device integrity and patient safety. The monitors were found to contain a hidden firmware backdoor, allowing unauthorized remote access and potential manipulation of patient data. While no injuries were reported, the message from regulators was clear: medical devices without secure-by-design protections are no longer acceptable in clinical environments.
Healthcare buyers are making their voices heard. Recent research found nearly half now decline medical device purchases due to cybersecurity concerns. In other words, device security has evolved from a “nice-to-have” into a non-negotiable procurement requirement.
The accountability awakening
Healthcare providers have learned hard lessons from years of escalating cyberattacks. Hospital IT breaches have increasingly spilled over into medical devices and operational technology environments. A 2017 WannaCry ransomware attack infected 1,200 diagnostic devices globally and forced five UK hospital emergency departments to close and divert patient care. Buyers now understand that devices cannot be treated as isolated systems; they must be secure within complex, interconnected care networks.
For device manufacturers, this means the bar has risen dramatically. Customers are no longer willing to accept vague assurances about security. Instead, they expect evidence of secure design, documented vulnerability management processes, and transparency about software components.
The premium for genuine security
Perhaps most tellingly, healthcare organizations are backing up their security requirements with real money. Many buyers are now willing to pay a premium for devices equipped with advanced exploit prevention and runtime protections. This willingness reflects an understanding that sophisticated defenses require ongoing investment in R&D, maintenance, and patching.
The calculus is simple: the cost of prevention is far less than the cost of compromise. The aforementioned WannaCry attack cost the NHS £92 million, or roughly $124 million today. Healthcare organizations have experienced firsthand the financial and clinical fallout of weak cybersecurity, and each incident underscores that device vulnerabilities are a patient safety issue with multimillion-dollar consequences.
Shift toward security by design
There are urgent calls for medical devices to be secure from the very start. Healthcare buyers are no longer willing to accept add-on fixes after deployment. This shift reflects a hard truth: many healthcare environments rely on legacy systems that are difficult to patch and must remain operational around the clock. When security is an afterthought, the burden falls on providers, often with limited tools to mitigate risk.
Now, government regulators are reinforcing this expectation. This past June, the FDA updated its guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” Among other things, it recommends that manufacturers demonstrate threat modeling, provide a Software Bill of Materials (SBOM), and integrate cybersecurity throughout the entire product lifecycle — a clear call for secure-by-design practices.
At the same time, the FDA is urging manufacturers to adhere to a Secure Product Development Framework (SPDF) — in essence, embedding cybersecurity elements like threat modeling and patch management into their internal quality systems, aligned with 21 CFR Part 820.
Meanwhile, the Department of Homeland Security’s CISA has launched its own “Secure by Design” initiative. It encourages technology providers, including medical device makers, to shift responsibility upstream — prioritizing core safeguards like multi-factor authentication, logging, and secure defaults as part of design, not as optional extras.
Together, these regulatory and policy developments are reshaping expectations across the supply chain. Now, device makers are under growing pressure to show they’ve baked security in — before products leave the factory.
Medical device security as a shared responsibility
These shifts are reshaping the competitive landscape. Security is no longer something manufacturers can treat as a compliance checkbox — it’s becoming a core expectation from regulators, hospital systems, and patients alike.
Healthcare organizations are also beginning to recognize their role in this equation. By prioritizing security in procurement and budgeting decisions, they help create the demand signal that drives stronger protections across the supply chain.
Ultimately, cybersecurity in healthcare is no longer a one-sided responsibility. Progress will depend on buyers and vendors moving in tandem — integrating security from design through deployment, and treating resilience as central to patient safety.
Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.