Cyberattacks on medical devices are a growing threat to healthcare. The FBI warns that outdated, unpatched devices expose hospitals to risks like data breaches, operational disruptions, and even threats to patient safety. Many devices run on unsupported software, lack security updates, and use weak credentials, leaving them vulnerable to exploitation.
Key takeaways from the FBI's report:
- 53% of networked medical devices have critical vulnerabilities.
- 14% of devices run unsupported operating systems.
- Cybercriminals can manipulate devices to harm patients or disrupt care.
- Hospitals face challenges in patching devices due to outdated designs, budget constraints, and fragmented processes.
The FBI recommends steps like network segmentation, strong access controls, maintaining an up-to-date device inventory, and prioritizing patching based on risk. Addressing these vulnerabilities is critical to safeguarding patient care and healthcare operations.
FBI Warning: Unpatched Medical Device Cyber Risks by the Numbers
Risks Posed by Unpatched and Legacy Medical Devices
Technical Vulnerabilities in Legacy Devices
Legacy medical devices face unique challenges because their hardware often outlasts the software support provided by vendors. While the hardware can remain functional for 10 to 30 years, software support typically ends within 3 to 5 years [2][5]. This mismatch leaves hospitals relying on devices with known vulnerabilities long after security patches are no longer available.
"One challenge with these devices is that the hardware can last 10 to 30 years, but the software becomes obsolete much sooner." - Hon. Gary J. Palmer, Chairman of the Subcommittee on Oversight and Investigations [5]
Many of these devices operate on outdated systems like Windows XP or Windows 7, which no longer receive security updates. This makes them easy targets for ransomware attacks. Implementing ransomware prevention strategies is essential for protecting these vulnerable systems. Additionally, 21% of connected medical devices use weak or default credentials [2], lack encryption due to limited processing power, or depend on insecure communication protocols originally designed for isolated, air-gapped environments. A stark example of this risk is the FDA and CISA alert regarding Contec CMS8000 patient monitors. These devices, available in the U.S. since 2011, were found to have a critical backdoor linked to an IP address in Beijing, allowing remote actors to execute unverified files [2][5].
Currently, 14% of medical devices in U.S. hospitals are running unsupported or end-of-life operating systems while remaining connected to clinical networks [2]. The FBI has warned that leaving such vulnerabilities unaddressed only magnifies the risk over time.
Clinical and Operational Consequences of Cyberattacks
These medical device security risks can lead to severe clinical and operational consequences. Cybercriminals exploiting these vulnerabilities can manipulate device functions, such as altering patient monitor readings or changing settings on implanted devices like pacemakers.
"There have been cases where insulin pumps have been hacked, and this security flaw meant that hackers could raise dose limits without the patient's knowledge or consent." - Hon. Brett Guthrie, Chairman of the Committee on Energy and Commerce [5]
Operationally, compromised devices often force healthcare staff to rely on manual backup procedures, which not only slow down care but also increase the risk of human error. A 2026 report by RunSafe Security revealed that 80% of organizations impacted by medical device attacks reported moderate or significant effects on patient care, up from 75% the previous year [3]. Downtime is another major issue: 43% of affected organizations reported outages lasting one to four hours, while 7% experienced disruptions exceeding three days [2].
These risks are especially concerning in critical areas like Emergency Departments, ICUs, and Operating Rooms, where even brief interruptions can endanger lives [3]. The FBI has emphasized the need for immediate action to address these vulnerabilities before they result in preventable harm.
Why Patch Management Is Hard to Execute
Despite the clear need, patching legacy devices is notoriously difficult. Several factors make this process challenging, including the sheer scale of devices, budget limitations, and fragmented organizational structures.
Hospitals in the U.S. average 10 to 15 connected devices per patient bed, spread across more than 6,000 facilities nationwide [5]. Manually tracking and updating these devices is a logistical nightmare. Replacing outdated equipment is even harder - especially for underfunded hospitals, including those in rural areas, where retiring legacy devices quickly is often not feasible. Furthermore, modern security patches are often incompatible with older hardware, leaving IT teams without viable fixes.
Another major hurdle is organizational fragmentation. Clinical engineering teams handle device maintenance, while IT security teams focus on network defenses. These groups often operate in silos, failing to coordinate effectively. Without a unified approach or a comprehensive inventory of devices - including details like type, operating system version, and end-of-support dates - prioritizing and addressing risks becomes nearly impossible.
"Every day a device stays on your network after end-of-support, the exposure window grows. Attackers actively scan for these devices." - Christian Espinosa, CEO, Blue Goat Cyber [2]
FBI-Recommended Controls for Medical Device Security
The FBI's recommendations go beyond identifying vulnerabilities - they provide practical steps to strengthen defenses. These include technical safeguards, access policies, inventory management, and staff education.
Endpoint Protection and Network Security Measures
One of the most effective strategies is network segmentation. By isolating medical devices on their own network segments, hospitals can limit an attacker's ability to move laterally if a device is compromised. Devices that cannot be patched should be placed behind firewalls with strict inbound and outbound traffic rules.
Where possible, deploy tools like EDR (Endpoint Detection and Response) and antivirus software. Encrypting data in transit between devices and clinical systems minimizes the risk of interception. For older devices that lack the capability to run modern security software, network-level controls become essential to compensate.
Under the FDA's current guidelines, manufacturers of "cyber devices" must submit plans to monitor and address vulnerabilities postmarket. They are also required to provide a Software Bill of Materials (SBOM), which healthcare organizations should obtain from vendors. These SBOMs allow organizations to pinpoint vulnerabilities linked to specific software components [1].
Strong access controls are another critical layer of defense.
Identity and Access Management Controls
One of the simplest but often overlooked steps is changing default credentials immediately. This is a basic security measure that can make a big difference but is sometimes skipped due to operational pressures.
Beyond this, implement strict least-privilege access, ensuring that users and systems only have access to what they truly need. Enforce account lockout policies to limit failed login attempts, making brute-force attacks much harder. For high-risk devices, enable multi-factor authentication whenever supported.
Building and Maintaining a Device Asset Inventory
A reliable, up-to-date inventory is the foundation of effective security. Without it, security teams can’t identify devices running outdated operating systems, those that haven’t been patched, or those added to the network without IT approval.
A robust inventory should include more than just a list of devices. Each entry should detail the manufacturer, model, serial number, MAC and IP address, operating system version, patch level, and manufacturer support status. Here's why these fields matter for legacy devices:
| Inventory Field | Why It Matters for Legacy Devices |
|---|---|
| OS Version | Highlights devices running outdated systems (e.g., Windows XP/7) that can’t be patched |
| Manufacturer Support Status | Identifies devices that no longer receive updates (End-of-Life) |
| Network Location | Helps isolate vulnerable devices through segmentation |
| Software Bill of Materials (SBOM) | Reveals whether a device uses vulnerable third-party software |
| Last Patch Date | Tracks compliance with security policies and vendor recommendations |
Instead of active scanning, which can crash sensitive medical devices, organizations should adopt passive network monitoring for device discovery. Linking the inventory to systems like CMMS (Computerized Maintenance Management System) and SIEM (Security Information and Event Management) ensures a unified and real-time view of risks.
Once inventory management is in place, focus shifts to routine vulnerability assessments and staff awareness.
Vulnerability Assessments and Staff Training
Regular vulnerability scans, mapped to CVEs (Common Vulnerabilities and Exposures), are essential for identifying high-risk devices. These scans should be done at least quarterly and after any major network changes. When vulnerabilities are found, organizations should work closely with device manufacturers to apply fixes or implement temporary solutions for devices awaiting patches.
Equally important is staff training. Both clinical and IT teams should be able to identify phishing attempts, understand the risks of connecting unauthorized devices to clinical networks, and know how to report suspicious activity. Training can also address Shadow IoT - unauthorized devices added to the network without security approval. Educating staff is one of the most cost-effective ways to enhance security, forming a vital part of the layered approach recommended by the FBI.
Building a Risk-Based Patch and Update Strategy
Taking a risk-based approach to patching ensures that decisions are aligned with both patient safety and the need for operational continuity. Once you have controls in place and an updated inventory of devices, the next step is determining which vulnerabilities to address first and how to do so without compromising safety. Since not all vulnerabilities are created equal, prioritization should focus on factors like exploitability, exposure, and clinical impact.
How to Prioritize Devices for Patching
Start by using the CVSS v4.0 base score as a foundation, but don't stop there. Consider additional factors like known exploitability, network exposure, and clinical criticality. For example, a critical vulnerability on a low-traffic, isolated device is far less urgent than the same vulnerability on a networked infusion pump in the ICU.
Here are three critical dimensions to guide prioritization:
- Known exploitability: Check if the vulnerability is listed in resources like CISA's Known Exploited Vulnerabilities catalog.
- Network exposure: Determine if the device is internet-accessible or if it’s already segmented within your network.
- Clinical criticality: Assess the potential impact on patient care if the device were compromised.
To put this into perspective, the National Vulnerability Database logged nearly 50,000 new CVEs in 2025. A typical connected medical device, such as an infusion pump or imaging system, may include 50 to 200 third-party open-source components [4]. Managing this volume manually is nearly impossible without a clear scoring system. The table below outlines how CVSS scores can be mapped to patch timelines:
| CVSS Score Range | Clinical Risk Level | Expected Patch Timeline |
|---|---|---|
| 9.0 – 10.0 (Critical) | Immediate patient safety risk | 24–72 hours (mitigation); 30 days (patch) |
| 7.0 – 8.9 (High) | Significant safety concern | 30–90 days |
| 4.0 – 6.9 (Medium) | Moderate concern | 90–180 days |
| 0.1 – 3.9 (Low) | Theoretical concern | Next scheduled release |
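The inventory fields from the asset inventory section and the three prioritization dimensions above can be combined into a small triage script. The following is an added example, not code from the article or from any vendor product: the device and CVE records are constructed (the CVE ids are placeholders, not real identifiers), the exposure and criticality multipliers are assumed weights rather than a published standard, and the patch timelines are taken from the table above. It also shows the article's point that the same critical CVE ranks far lower on an isolated lab analyzer than on a networked ICU infusion pump.

```python
# Added example (not the article's or any vendor's code): inventory checks plus a
# risk-based patch queue. Inventory fields follow the article's table; the
# multipliers in priority_score are assumed weights, not a published standard.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Days to full patch per CVSS band, from the article's CVSS-to-timeline table;
# Critical additionally carries a 24-72 hour mitigation deadline.
PATCH_SLA_DAYS = {"Critical": 30, "High": 90, "Medium": 180, "Low": None}
MITIGATION_SLA_HOURS = {"Critical": 72}
UNSUPPORTED_OS_PREFIXES = ("Windows XP", "Windows 7")   # named in the article; extend from your EOL list
# Assumed exposure weights: segmentation lowers urgency, Internet reachability does not.
EXPOSURE_FACTOR = {"internet": 1.0, "clinical_lan": 0.8, "segmented_vlan": 0.5}

@dataclass
class Device:
    asset_id: str
    manufacturer: str
    model: str
    os_version: str
    vendor_supported: bool        # manufacturer support status; False = end-of-life
    exposure: str                 # key of EXPOSURE_FACTOR (network location)
    clinical_criticality: int     # 1 = low impact .. 3 = life-sustaining / ICU
    last_patch_date: Optional[date] = None
    cves: List[str] = field(default_factory=list)   # from the device's SBOM / scan results

@dataclass
class Vulnerability:
    cve_id: str
    cvss_base: float
    in_kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog

def cvss_band(score: float) -> str:
    """Map a CVSS base score to the article's four risk bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def inventory_findings(devices, today: date, stale_after_days: int = 180):
    """Flag what the inventory fields exist to reveal: unsupported platforms and stale patching."""
    findings = []
    for d in devices:
        if d.os_version.startswith(UNSUPPORTED_OS_PREFIXES) or not d.vendor_supported:
            findings.append((d.asset_id, "end-of-support"))
        if d.last_patch_date is None or (today - d.last_patch_date).days > stale_after_days:
            findings.append((d.asset_id, "patch-overdue"))
    return findings

def priority_score(device: Device, vuln: Vulnerability) -> float:
    """CVSS base score adjusted by exposure, clinical criticality and known exploitation."""
    score = vuln.cvss_base * EXPOSURE_FACTOR[device.exposure]
    score *= 1 + 0.25 * (device.clinical_criticality - 1)   # x1.0 for level 1 .. x1.5 for level 3
    if vuln.in_kev:
        score *= 1.5          # actively exploited in the wild
    if not device.vendor_supported:
        score *= 1.2          # no vendor fix is coming; the exposure window only grows
    return round(score, 2)

def prioritize(devices, vulns, today: date):
    """One work item per (device, CVE), most urgent first, with deadlines from the table."""
    by_id = {v.cve_id: v for v in vulns}
    items = []
    for d in devices:
        for cve in d.cves:
            v = by_id[cve]
            band = cvss_band(v.cvss_base)
            sla = PATCH_SLA_DAYS[band]
            items.append({
                "asset_id": d.asset_id, "cve_id": cve, "band": band,
                "priority": priority_score(d, v),
                # An end-of-life device has no patch to apply: the work item is a compensating control.
                "action": "patch" if d.vendor_supported else "compensating-control",
                "mitigate_within_hours": MITIGATION_SLA_HOURS.get(band),
                "patch_due": today + timedelta(days=sla) if sla else None,
            })
    return sorted(items, key=lambda i: i["priority"], reverse=True)

# Constructed sample inventory; the CVE ids are placeholders, not real identifiers.
VULNS = [Vulnerability("CVE-EXAMPLE-0001", 9.8, in_kev=True),
         Vulnerability("CVE-EXAMPLE-0002", 9.1, in_kev=False)]
DEVICES = [
    Device("icu-pump-01", "ExampleMed", "Infusion Pump X", "Windows 7", False, "clinical_lan", 3,
           cves=["CVE-EXAMPLE-0001"]),
    Device("lab-analyzer-07", "ExampleLab", "Analyzer Q", "Ubuntu 22.04", True, "segmented_vlan", 1,
           last_patch_date=date(2026, 1, 15), cves=["CVE-EXAMPLE-0001"]),
    Device("ct-scanner-02", "ExampleImaging", "CT 64", "Debian 12", True, "clinical_lan", 2,
           last_patch_date=date(2025, 6, 1), cves=["CVE-EXAMPLE-0002"]),
]
TODAY = date(2026, 3, 1)

if __name__ == "__main__":
    for finding in inventory_findings(DEVICES, TODAY):
        print("inventory:", *finding)
    for item in prioritize(DEVICES, VULNS, TODAY):
        print(item["priority"], item["asset_id"], item["cve_id"], item["band"], item["action"], item["patch_due"])
```

Running it puts the Windows 7 infusion pump at the top of the queue with a compensating-control work item (there is no vendor patch to deploy), while the identical CVE on the segmented analyzer drops to the bottom. The weights are the part a hospital would tune with its clinical engineering team; the band-to-deadline mapping is what the committee signs off on.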
Once you've established priorities, it’s essential to integrate these findings into a broader set of security practices that span the entire device lifecycle.
Security Practices Across the Device Lifecycle
Decisions made during the procurement phase can have long-term implications for device security. For instance, asking for a Software Bill of Materials (SBOM) as part of your vendor risk assessment process before purchasing a device - and keeping it updated - provides visibility into the third-party components embedded in the device. This allows for ongoing monitoring and identification of vulnerabilities [4].
Before deploying patches, test them in a controlled environment to ensure they won’t disrupt clinical operations. Schedule updates during periods of low patient activity to minimize any impact. Each patch should be fully documented within your Quality Management System, linking the CVE ID to the associated risk analysis, change control record, and verification results [4].
For devices that cannot be patched, alternative security measures must be implemented.
Compensating Controls for Devices That Cannot Be Patched
Some devices cannot be updated due to vendor restrictions, regulatory requirements, or the risk of disrupting critical clinical functions. In these cases, compensating controls become the primary defense.
Refer to FDA safety communications for guidance on mitigation strategies. Many hospital devices remain connected to clinical networks despite running on outdated or unsupported operating systems. For these devices, consider measures such as:
- Network segmentation: Isolate devices using dedicated VLANs.
- Virtual patching: Use protocol proxies or web application firewalls.
- Passive monitoring: Employ IoMT tools to detect unusual behavior.
- Credential management: Regularly rotate access credentials.
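Passive monitoring and segmentation reinforce each other: once a device VLAN has a short allow-list of the services its devices legitimately need, any other device-originated flow is a finding. The script below is an added example, not code from the article or from any IoMT monitoring product; the VLAN, the hospital's internal address space, the allowed services and the flow log lines are all constructed, and the classifier is deliberately simple so the logic is visible.

```python
# Added example (not the article's or any IoMT product's code): passive checking
# of device-originated flows against a segmentation allow-list. The VLAN, the
# internal address space, the allowed services and the flow log are constructed.
import ipaddress
from collections import Counter
from typing import Optional

DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")      # constructed medical-device VLAN
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # constructed hospital address space
# Services the VLAN's devices legitimately need, as (destination, port) pairs.
ALLOWED_FLOWS = {
    ("10.20.1.10", 104),     # DICOM to the PACS
    ("10.20.1.20", 2575),    # HL7 over MLLP to the integration engine
    ("10.20.1.5", 123),      # NTP
}

# Constructed flow records from a passive sensor: timestamp src dst dst_port protocol
FLOW_LOG = """\
2026-03-01T08:00:01Z 10.50.0.21 10.20.1.10 104 tcp
2026-03-01T08:00:05Z 10.50.0.21 10.20.1.5 123 udp
2026-03-01T08:01:17Z 10.50.0.34 10.20.1.20 2575 tcp
2026-03-01T08:02:03Z 10.50.0.34 198.51.100.77 443 tcp
2026-03-01T08:02:40Z 10.50.0.34 10.50.0.21 445 tcp
2026-03-01T08:03:11Z 10.50.0.21 10.20.3.9 3389 tcp
2026-03-01T08:03:30Z 10.20.1.10 10.50.0.21 104 tcp
"""

def parse_flows(text: str):
    """Turn the whitespace-separated flow records into dicts with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "port": int(port), "proto": proto})
    return flows

def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)

def classify(flow) -> Optional[str]:
    """Return None for expected traffic, otherwise the reason the flow is suspicious."""
    if flow["src"] not in DEVICE_SEGMENT:
        return None                          # only device-originated traffic is policed here
    if (str(flow["dst"]), flow["port"]) in ALLOWED_FLOWS:
        return None
    if flow["dst"] in DEVICE_SEGMENT:
        return "lateral-within-segment"      # devices have no reason to talk to each other
    if not is_internal(flow["dst"]):
        return "egress-to-external"          # a device reaching outside the hospital network
    return "unexpected-internal-destination"

def findings(text: str):
    """All suspicious flows as (timestamp, src, dst, port, reason) tuples, in log order."""
    out = []
    for f in parse_flows(text):
        reason = classify(f)
        if reason:
            out.append((f["ts"], str(f["src"]), str(f["dst"]), f["port"], reason))
    return out

def by_device(found):
    """Count of findings per source device, to drive triage of the noisiest endpoints."""
    return dict(Counter(item[1] for item in found))

if __name__ == "__main__":
    for item in findings(FLOW_LOG):
        print(*item)
    print(by_device(findings(FLOW_LOG)))
```

On the sample log the two DICOM, MLLP and NTP flows pass, the return traffic from the PACS is ignored, and three flows are flagged: an outbound HTTPS connection to an address outside the hospital range, SMB between two devices on the same VLAN, and RDP to an internal host the devices have no business reaching. Feeding these findings into the SIEM, keyed by the inventory's asset id, is what turns passive monitoring into the compensating control the article describes.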
Cross-Department Governance for Patch Management
Effective patch management requires collaboration across multiple departments. Clinical engineering, IT security, compliance, and clinical leadership must all work together to ensure timely remediation. Without shared accountability, patch deployment can be delayed because no single team has full visibility into the risks.
Establishing a dedicated medical device security committee helps bridge these gaps. This committee should oversee the patch prioritization framework, approve compensating controls for unpatched devices, and define clear escalation paths for critical vulnerabilities. Collaborating with Notified Bodies to implement pre-approved protocols for "like-for-like" patches can also help eliminate the delays - ranging from 4 to 12 weeks - that often hinder remediation efforts [4].
Strong governance ensures consistent, defensible decisions at scale, aligning with the broader objective of reducing cyber risk as highlighted in the FBI's warnings.
Putting FBI Guidance into Practice with Risk Management Tools
To move from high-level recommendations to actionable steps, it's essential to integrate security controls into everyday workflows. This approach ensures that governance and patch strategies are not just theoretical but actively practiced.
Formalizing Security Controls in Policies and Workflows
The FBI's guidance aligns closely with regulatory requirements. For example, FDA Section 524B requires organizations to demonstrate they are secure by design. Naomi Schwartz, VP of Regulatory Strategy at Medcrypt, highlights this shift:
"The rules of the game have changed. The landscape now is to design controls in, period. The FDA's cybersecurity authority is no longer based solely on risk assessments. It's based on statute." [6]
To meet these expectations, document critical processes like patch management, device monitoring, and access controls within your Quality Management System (QMS). Assign specific owners and establish regular review cycles. The FDA's updated Quality Management System Regulation (QMSR), which aligns with ISO 13485, will take effect on February 2, 2026, making cybersecurity a core part of quality systems [6][7].
Additionally, setting up a Product Security Incident Response Team (PSIRT) with defined Service Level Agreements (SLAs) is key. For example, aim to acknowledge vulnerabilities within 48 hours and complete triage within 5 business days [7]. By embedding these controls into a centralized system, organizations can improve both oversight and responsiveness.
Using Censinet RiskOps™ to Manage Medical Device Risk
Managing medical device risk at scale demands more than spreadsheets and manual tracking. Censinet RiskOps™ offers a centralized solution that consolidates device risk data, enabling structured assessments, automated workflows, and a unified view of risk posture. For healthcare delivery organizations (HDOs), this means connecting device inventory, vendor assessments, and remediation tracking into a single platform - eliminating the inefficiencies of disconnected systems.
Censinet RiskOps™ also facilitates collaborative risk management, as recommended by the FBI. It brings together clinical engineering, IT security, and compliance teams into a shared workflow. The platform’s AI-powered tool, Censinet AI™, enhances efficiency by summarizing vendor evidence, identifying third and fourth-party risks, and generating risk summary reports. This reduces the time needed to pinpoint high-risk devices and determine necessary actions, all while keeping critical decisions under human supervision.
Once formal policies and a centralized system are in place, tracking progress becomes the next priority.
Tracking Progress and Measuring Risk Reduction
Regularly measuring your risk posture is crucial for driving improvements. For context, 44% of healthcare organizations currently operate devices with known, unpatched vulnerabilities, while 28% use devices past their end-of-support date [7]. To address these issues, establish clear Key Performance Indicators (KPIs) and monitor them through a dedicated medical device security committee.
| Metric Category | Key Performance Indicator | Target |
|---|---|---|
| Response Speed | Vulnerability acknowledgment SLA | Within 48 hours [7] |
| Response Speed | Initial triage and classification | Within 5 business days [7] |
| Remediation | Critical risk patch deployment | 24–72 hours (mitigation); 30 days (full patch) [4] |
| Remediation | High risk patch deployment | 30–90 days [4] |
| Coverage | Deployment coverage rate | % of fielded devices successfully updated [4] |
| Visibility | SBOM accuracy | 100% mapping of components to device versions [4] |
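The KPI table only drives improvement if the targets are computed from the vulnerability tickets themselves rather than reported by hand. The script below is an added example, not code from the article or from Censinet RiskOps: the tickets, device counts and dates are constructed, a business day is treated as any weekday with no holiday calendar (an assumption), and the SLA values come from the table above. Tickets that are still open but not yet past their deadline are excluded from each rate instead of being counted as misses.

```python
# Added example (not the article's or Censinet's code): computing the KPI table's
# targets from vulnerability-response tickets. Tickets and dates are constructed;
# business days are weekdays with no holiday calendar (assumption).
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

ACK_SLA_HOURS = 48                         # vulnerability acknowledgment target
TRIAGE_SLA_BUSINESS_DAYS = 5               # initial triage and classification target
MITIGATION_SLA_HOURS = {"Critical": 72}    # critical risk: mitigation within 24-72 hours
PATCH_SLA_DAYS = {"Critical": 30, "High": 90, "Medium": 180}

@dataclass
class VulnTicket:
    ticket_id: str
    risk_level: str
    reported_at: datetime
    acknowledged_at: Optional[datetime] = None
    triaged_at: Optional[datetime] = None
    mitigated_at: Optional[datetime] = None
    patched_at: Optional[datetime] = None

def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600

def business_days_between(start: date, end: date) -> int:
    """Weekdays in the interval (start, end]; holidays are not modeled."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count

def sla_status(elapsed, limit, elapsed_if_open) -> Optional[bool]:
    """True = met, False = missed (or open and overdue), None = open and still inside the window."""
    if elapsed is not None:
        return elapsed <= limit
    return None if elapsed_if_open <= limit else False

def rate(statuses) -> Optional[float]:
    """Share of decided items that met the SLA; pending items are excluded from the denominator."""
    decided = [s for s in statuses if s is not None]
    return round(sum(decided) / len(decided), 2) if decided else None

def kpi_report(tickets, fielded_devices: int, updated_devices: int, now: datetime):
    """One row of the KPI table per metric, computed from the ticket timeline."""
    ack, triage, mitigation, patch = [], [], [], []
    for t in tickets:
        ack.append(sla_status(
            hours_between(t.reported_at, t.acknowledged_at) if t.acknowledged_at else None,
            ACK_SLA_HOURS, hours_between(t.reported_at, now)))
        triage.append(sla_status(
            business_days_between(t.reported_at.date(), t.triaged_at.date()) if t.triaged_at else None,
            TRIAGE_SLA_BUSINESS_DAYS, business_days_between(t.reported_at.date(), now.date())))
        if t.risk_level in MITIGATION_SLA_HOURS:
            mitigation.append(sla_status(
                hours_between(t.reported_at, t.mitigated_at) if t.mitigated_at else None,
                MITIGATION_SLA_HOURS[t.risk_level], hours_between(t.reported_at, now)))
        if t.risk_level in PATCH_SLA_DAYS:
            patch.append(sla_status(
                (t.patched_at.date() - t.reported_at.date()).days if t.patched_at else None,
                PATCH_SLA_DAYS[t.risk_level], (now.date() - t.reported_at.date()).days))
    return {
        "ack_within_48h": rate(ack),
        "triage_within_5_business_days": rate(triage),
        "critical_mitigated_within_72h": rate(mitigation),
        "patched_within_sla": rate(patch),
        "deployment_coverage": round(updated_devices / fielded_devices, 2),
    }

# Constructed tickets: one fully compliant, one slow on acknowledgment and triage,
# one critical that was mitigated late and whose patch is still open and overdue.
TICKETS = [
    VulnTicket("T-1001", "Critical", datetime(2026, 2, 27, 9, 0),
               acknowledged_at=datetime(2026, 2, 27, 15, 0), triaged_at=datetime(2026, 3, 5, 10, 0),
               mitigated_at=datetime(2026, 2, 28, 12, 0), patched_at=datetime(2026, 3, 20, 14, 0)),
    VulnTicket("T-1002", "High", datetime(2026, 3, 2, 8, 0),
               acknowledged_at=datetime(2026, 3, 4, 12, 0), triaged_at=datetime(2026, 3, 10, 9, 0),
               patched_at=datetime(2026, 5, 15, 16, 0)),
    VulnTicket("T-1003", "Critical", datetime(2026, 3, 3, 10, 0),
               acknowledged_at=datetime(2026, 3, 3, 11, 0), triaged_at=datetime(2026, 3, 4, 9, 0),
               mitigated_at=datetime(2026, 3, 7, 9, 0)),
]
NOW = datetime(2026, 6, 1, 12, 0)

if __name__ == "__main__":
    for metric, value in kpi_report(TICKETS, fielded_devices=120, updated_devices=96, now=NOW).items():
        print(f"{metric}: {value}")
```

With the three constructed tickets the report shows two of three acknowledgments inside 48 hours, two of three triages inside five business days, one of two critical mitigations inside 72 hours, two of three patches inside their window (the open critical ticket is 90 days old and counts as a miss), and 80% deployment coverage. Each number maps directly to a row of the KPI table, which is what the security committee should be reviewing.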
Conclusion: Reducing Medical Device Cyber Risk with a Structured Approach
The FBI has made it clear: unpatched medical devices are an urgent threat. With the National Vulnerability Database recording nearly 50,000 new CVEs in 2025 [4], relying on a reactive strategy is no longer practical.
A structured, risk-based approach is essential. This means using a living SBOM, prioritizing vulnerabilities with CVSS scores, and setting clear patch timelines. For devices that can’t be patched, organizations should implement compensating controls to minimize risk. Such a strategy not only simplifies the process but also fosters effective collaboration across departments.
Phil Englert, Director of Medical Device Security at Health-ISAC, highlights this well:
"The key to solving the legacy problem is understanding where the risks reside and incorporating cybersecurity into replacement planning." [8]
By creating a foundation of teamwork among clinical engineering, IT security, and compliance teams, patch management evolves from a chaotic process to a well-organized discipline. Tools like Censinet RiskOps™ play a vital role in this transformation by centralizing device inventory, vendor assessments, and remediation tracking. This gives healthcare organizations the ability to align with the FBI's recommendations on a broader scale.
Christian Espinosa, Founder & CEO of Blue Goat Cyber, offers an important reminder:
"FDA clearance is the beginning of your cybersecurity obligations, not the finish line." [9]
Incorporating continuous risk assessments, clear governance, and support from platforms like Censinet RiskOps™ strengthens this structured approach. Organizations that adopt proactive measures like these are better equipped to safeguard both patient safety and operational stability.
FAQs
How can hospitals find unpatched medical devices without risking downtime?
Hospitals can pinpoint unpatched medical devices without interrupting operations by leveraging agentless scanners and network segmentation. These tools help identify older devices and systems without requiring manual intervention. To prevent disruptions, updates should be scheduled during off-peak hours or within planned maintenance windows. For devices that are in constant use, phased deployments are a smart approach to ensure continuity.
Keeping an up-to-date asset inventory - linked to clinical departments - allows for proactive risk management while minimizing any potential impact on patient care. This organized approach ensures both safety and efficiency.
What should we do if a critical device can’t be patched or upgraded?
If a critical medical device can't be patched or upgraded, you can reduce risks by putting compensating controls in place. Here's how:
- Document these measures thoroughly in your security reports.
- Isolate vulnerable devices using network segmentation to limit exposure.
- Use passive monitoring tools to detect any unusual or suspicious activity.
- Apply stricter configuration controls to minimize potential vulnerabilities.
Additionally, keep an up-to-date inventory of all devices. For long-term risk management, plan ahead for the secure decommissioning or replacement of outdated equipment.
How do we prioritize medical device patches based on patient safety risk?
To manage medical device patches effectively, adopt a risk-based strategy that examines vulnerabilities based on their potential clinical impact and threat to patient safety. Pay particular attention to severe issues, such as flaws in life-support devices or vulnerabilities that allow remote code execution. Censinet RiskOps™ simplifies this process by consolidating asset data and aligning risk assessments with clinical priorities. This ensures that the most critical threats to patient care are addressed first.