When Patient Safety and Cybersecurity Collide: The Medical Device Security Challenge

Chad Alessi

August 07, 2025


Healthcare organizations face an unprecedented cybersecurity challenge that sits at the intersection of patient safety and network security: securing biomedical devices. Unlike traditional IT infrastructure, these critical systems present unique constraints that require organizations to look beyond conventional cybersecurity approaches.  

The Medical Device Security Crisis 

It’s clear that medical device security is a gap in the industry. According to a 2025 report by Claroty, 86% of the 351 healthcare organizations examined use patient devices with known vulnerabilities that have been used in real-world attacks. Further, 70% have devices with known vulnerabilities related to ransomware and insecure internet connections. This isn’t just a theoretical risk; it’s a reality. The 2017 WannaCry ransomware attack was one of the first attacks to widely target medical device vulnerabilities. The attack hit the UK’s National Health Service especially hard, affecting 1,200 devices and requiring several hospitals to close. In 2023, a vulnerability in a cardioverter defibrillator caused a data breach that affected more than 1 million people.

Let’s explore why healthcare organizations struggle to secure medical devices, despite the clear risk to patient safety and operations.  

The Invisible Asset Problem 

The foundation of any effective cybersecurity program is asset visibility, yet healthcare organizations consistently struggle with basic biomedical device inventory. It can be difficult for healthcare CISOs to track medical devices throughout their facilities given the unpredictable movement of equipment, compounded by uncertainty about which devices are actively connected to patients.   

This visibility gap creates a series of security issues throughout healthcare networks. Medical devices—such as infusion pumps, monitors, and pacemakers—migrate throughout facilities as clinical needs change, connecting to different network segments without centralized oversight. Unlike servers in data centers or workstations at fixed locations, medical equipment moves with patients, shifts between departments, and operates across multiple network zones. Additionally, real-time inventory becomes nearly impossible when devices are actively supporting patient care and cannot be surveyed and cataloged by security teams.  

The Legacy Medical Equipment Dilemma 

Many critical devices were designed and manufactured in an era when network connectivity was an afterthought, not a critical security consideration. The harsh reality is that not all devices can simply be patched due to technical limitations, regulatory constraints, or patient safety considerations.  

This creates a fundamental tension between cybersecurity best practices and medical device integrity. FDA approvals and patient safety certifications often prevent or complicate security updates, leaving organizations with critical infrastructure that cannot be secured through traditional means. The risk of voiding medical device certifications or disrupting life-supporting functionality makes patching a complex clinical decision, not just a technical one.  

The risks posed by legacy medical devices have drawn increasing attention from U.S. government entities. In 2022, the FBI released a notification highlighting the cyberattack opportunities created by unpatched and outdated devices, along with recommendations to mitigate these risks. More recently in April 2025, a House subcommittee hearing focused on cybersecurity vulnerabilities in legacy medical devices, where multiple experts testified about the risks to patient safety and healthcare operations, and offered strategies to strengthen device security.  

The Patient Safety Constraint 

Perhaps the most challenging aspect of medical device security is the operational reality that these systems cannot be arbitrarily disconnected or isolated during security incidents. Healthcare security teams do not always know where certain equipment is located at a given time, but more importantly, whether it is hooked up to a patient.  

This constraint fundamentally changes incident response calculations. While IT teams can shut down servers, isolate workstations, or take entire network segments offline during cybersecurity events, any security action for biomedical devices connected to patients requires clinical input. The balance between cybersecurity containment and immediate patient care demands expertise that extends far beyond traditional IT security knowledge.  

The Regulatory Imperative 

Proposed HIPAA Update Targets Medical Devices 

The regulatory landscape for healthcare cybersecurity is shifting dramatically. In December 2024, the U.S. Department of Health and Human Services proposed an update to HIPAA’s Security Rule—last updated in 2013—to better align with modern cybersecurity best practices.

Among other updates, the proposed rule specifically addresses medical device network security, requiring healthcare organizations to implement controls for network segmentation that are documented, reviewed, tested, and updated regularly. These regulations represent a fundamental shift from compliance documentation to demonstrable proof of medical device isolation capabilities. The timeline for these changes is aggressive, with implementation expected within 180 days after the rule is finalized (likely late 2025 or 2026). 

Healthcare Organizations Unprepared for Validation 

Real-world client experiences reveal the extent of healthcare organizations' preparation gaps. When discussing network segmentation validation with clients, a consistent pattern has emerged: uncertainty about validation requirements and methodologies.  

The question frequently asked by healthcare organizations—"Do we just tell the regulators that we have segmentation?"—reveals a misunderstanding of the new regulatory expectations. The answer is unequivocally no; regulators will demand proof that medical devices can be properly isolated and that segmentation controls function as designed. This shift from theoretical compliance to validated, tested controls represents new territory for many healthcare IT departments. 

The Medical Device Design vs. Reality Gap 

Network segmentation for medical devices often looks excellent in design documentation, but does not stand up to real-world applications. Once a large number of devices are connected and medical equipment starts communicating across unintended network areas, things can quickly get out of hand. 

This gap between theoretical design and operational reality creates additional vulnerabilities specific to healthcare environments. Medical devices can access parts of the network the security team isn’t always expecting, opening pathways that compromise the entire segmentation strategy. The challenge extends beyond initial design to ongoing network evolution. As healthcare networks grow and change, device configurations stray from intended architecture, creating security gaps that may remain undetected until validation testing reveals the discrepancies.  

Strategic Solutions for Medical Device Security 

Medical Device Network Segmentation Framework 

Effective medical device security requires moving beyond traditional IT approaches to specialized frameworks designed for critical infrastructure that cannot be easily modified or patched. The solution centers on network segmentation, recognizing that if devices become compromised, they must be isolated to protect the rest of the environment.  

Compensating controls become essential when medical device patching is impossible or impractical. Network segmentation serves as the primary control, but it must be designed specifically for healthcare environments that maintain clinical workflows while providing security isolation.  

Medical Device Isolation Validation 

The critical question for healthcare organizations is, "If a medical device becomes compromised, can you properly isolate it?" Organizations must prove their ability to keep these devices off the main network to prevent the threat from spreading to other areas. 

Validation methodology requires systematic testing of medical device isolation capabilities without impacting patient care. This means moving beyond assumptions about network segmentation effectiveness to evidence-based verification that controls work as intended.  

The validation process must address the healthcare-specific challenge of testing isolation capabilities while maintaining clinical operations. Traditional network testing approaches may not account for the clinical workflow requirements that govern medical device communications. Healthcare security teams can consider the following approaches, in close collaboration with clinical staff.  

  • Structure penetration tests and vulnerability scans around clinical device workflows (e.g., how an infusion pump communicates with monitoring systems or EHR) so testing does not disrupt patient care or safety-critical processes.
  • Employ passive testing and monitoring to observe real-world device behavior without generating active traffic that could interfere with clinical functions.
  • Capture baseline communication patterns for each device type to help identify potential anomalies later.
  • Build a digital twin of production clinical networks to safely test segmentation, firewall rules, and vulnerability mitigations.

Continuous Medical Device Monitoring

Medical device security cannot be a point-in-time implementation. The dynamic nature of healthcare environments, in which devices are constantly added, moved, and reconfigured, demands ongoing oversight.  

Medical device communication patterns are more complex than traditional IT equipment, so monitoring solutions must be able to distinguish between legitimate clinical communications and potential security threats. The challenge lies in understanding normal versus anomalous behavior for devices that may have irregular, but legitimate, network requirements based on patient care needs. 

For example, imaging systems may communicate with manufacturer cloud services for software updates, remote diagnostics, or usage telemetry reporting, which can resemble the beaconing seen in malware. Devices like portable X-ray machines might communicate with multiple systems (radiology PACS, EMR, billing systems, etc.), which can look like scanning or “probing” to non-clinical analysts but is essential for integrated care workflows. It’s critical for security teams to vet these “irregular” communications with clinical staff and document them to help distinguish real threats from false positives.
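The two ideas above, a vetted per-device-type communication baseline captured passively and later used to separate documented clinical traffic from true anomalies, are shown in the following added example. It is not code from the original post or from CTG; the hostnames, device ids and flow records are constructed, and the record shape (device id, device type, destination host, destination port) is an assumption about what a passive sensor would export.

```python
"""Baseline-then-detect over constructed medical device flow records.

Added example: flow records are assumed to be (device_id, device_type,
dst_host, dst_port) tuples exported by a passive network sensor.
"""
from collections import defaultdict

# Constructed baseline window: flows observed passively and confirmed with
# clinical staff as legitimate workflow traffic for each device type.
VETTED_FLOWS = [
    ("pump-01", "infusion_pump", "monitoring.hosp.internal", 5000),
    ("pump-01", "infusion_pump", "ehr.hosp.internal", 443),
    ("pump-02", "infusion_pump", "monitoring.hosp.internal", 5000),
    ("xray-01", "portable_xray", "pacs.hosp.internal", 104),   # DICOM to PACS
    ("xray-01", "portable_xray", "emr.hosp.internal", 443),
    ("xray-01", "portable_xray", "billing.hosp.internal", 443),
    ("ct-01", "imaging", "updates.vendor.example", 443),      # vendor cloud, vetted
]

# Constructed later capture: mostly normal traffic, plus one pump reaching
# several internal hosts on a file-sharing port it has no clinical reason to use.
NEW_FLOWS = [
    ("pump-02", "infusion_pump", "ehr.hosp.internal", 443),
    ("xray-02", "portable_xray", "pacs.hosp.internal", 104),
    ("ct-01", "imaging", "updates.vendor.example", 443),
    ("pump-03", "infusion_pump", "10.0.5.20", 445),
    ("pump-03", "infusion_pump", "10.0.5.21", 445),
    ("pump-03", "infusion_pump", "10.0.5.22", 445),
]


def build_baseline(flows):
    """Map device_type -> set of (dst_host, dst_port) vetted for that type."""
    baseline = defaultdict(set)
    for _dev, dtype, host, port in flows:
        baseline[dtype].add((host, port))
    return dict(baseline)


def detect_anomalies(baseline, flows, spread_threshold=3):
    """Return findings for flows outside the per-type baseline.

    Each unvetted peer yields a 'novel_peer' finding. A device that reaches
    spread_threshold or more distinct unvetted peers also gets a 'spread'
    finding, since that pattern warrants a clinician-informed isolation
    decision rather than a single alert.
    """
    findings = []
    novel_by_device = defaultdict(set)
    for dev, dtype, host, port in flows:
        if (host, port) in baseline.get(dtype, set()):
            continue  # documented clinical communication, not an alert
        novel_by_device[dev].add((host, port))
        findings.append({"device": dev, "type": dtype,
                         "peer": f"{host}:{port}", "kind": "novel_peer"})
    for dev, peers in novel_by_device.items():
        if len(peers) >= spread_threshold:
            findings.append({"device": dev, "kind": "spread", "count": len(peers)})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(build_baseline(VETTED_FLOWS), NEW_FLOWS):
        print(f)
```

Because the baseline is keyed by device type, a newly deployed pump or X-ray unit talking to the same vetted systems raises nothing, while an unexpected peer on any unit is surfaced for review with clinical staff.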

Medical Device Incident Response 

Traditional incident response procedures do not apply to patient-connected devices, requiring specialized response procedures for medical device compromises. Clinical expertise must be integrated into security decision-making processes, as teams cannot simply isolate medical equipment during active patient care if it becomes compromised.  

The incident response framework must account for the reality that medical devices supporting patients cannot always be immediately disconnected, even during confirmed security incidents. This requires pre-planned clinical decision trees, created with input from both clinical and security staff, that help teams evaluate patient safety risks against cybersecurity containment needs.  

Preparing for Medical Device Security Compliance 

Healthcare organizations must begin preparing now for HIPAA medical device segmentation validation requirements. While the implementation deadline still remains unclear, the complexity of validating medical device isolation across large healthcare networks requires significant planning and testing.  

Organizations struggling with validation methodologies have an opportunity to establish medical device security best practices before regulatory enforcement begins. Proactive preparation allows for systematic validation testing and remediation of identified gaps without the pressure of impending compliance deadlines.  

The key question for healthcare leaders is straightforward: “Can you prove your medical devices are properly segmented when regulators conduct audits?” The shift from documented policies to validated controls means that theoretical compliance is no longer sufficient.  

Key Actions for Healthcare Security Leaders 

With an ever-increasing number of cyberattacks on healthcare organizations and pending compliance requirements, medical device security can no longer be an afterthought. Healthcare CISOs and executives must take a proactive, strategic approach. Leaders should prioritize the following key actions to improve medical device security and build cyber resilience.

  1. Create a comprehensive inventory of all medical devices. 
  2. Conduct a risk assessment for each device type based on known vulnerabilities, exposure, ability to be patched, etc. 
  3. Implement network segmentation. 
  4. Build cross-disciplinary alignment between clinical, IT, and security operations. 
  5. Develop and test incident response plans.  
  6. Develop continuous monitoring and threat detection. 

The medical device security challenge demands immediate attention, specialized expertise, and an innovative approach that extends beyond traditional IT security practices. The approach must be founded in a deep understanding of clinical workflows and balance patient safety, operational continuity, and cybersecurity risk. 

Chad Alessi

As Managing Director of Cybersecurity, Chad Alessi leverages decades of experience in technology, cybersecurity, and operational strategy across enterprise and mid-market sectors to meet the evolving cybersecurity needs of clients in the U.S. During his time in IT consulting, Chad was instrumental in driving IT transformation in the company's regulated pipeline and gas processing business units. He holds a BS in Chemical Engineering, an MBA from the University of Alabama, an MS in Information Systems with a concentration in Information Security from Syracuse University, and post-graduate certifications in leadership, full stack development, cybersecurity, and cloud computing. Chad is known for his strong work ethic, integrity, resourcefulness, and service-based leadership, which he attributes to his time in the US Marine Corps.
