Forecasts from a leading data and analytics company show that cybersecurity spending by healthcare providers will grow at a compound annual growth rate (CAGR) of 12.5% between 2022 and 2027, from $6.1bn to $10.9bn. This is fuelled by cybersecurity attacks in healthcare, which have historically been highly damaging to companies and health services.

Synnovis, which provides pathology services to the National Health Service (NHS) as a public-private partnership, was subject to a ransomware attack in June 2024. This resulted in estimated costs of £32.7m ($43.7m), seven times the previous year’s profit, while causing serious disruption to the NHS through data breaches and delayed and cancelled appointments.

Medical devices are often highly connected within hospitals, giving criminals a route into an otherwise secure network. Because these life-saving devices store highly sensitive data, they are a target for cybercriminals seeking to extort organisations that are trying to protect their hospitals and patients. Thus, medical device companies’ spending on cybersecurity will grow at a CAGR of 12.9% from $631.2m to $1.2bn to try to defend their devices from attacks.

Cybersecurity threats to traditional medical devices include data breaches, malware, and ransomware attacks. As medical devices evolve and incorporate AI, additional cybersecurity concerns emerge. In a survey asking about the timelines for technological disruption within their sector, 61% of respondents said that cybersecurity was already impacting the medical device industry.

The US Food and Drug Administration (FDA) has approved over 1,000 AI-enabled medical devices, encompassing technologies such as AI-enhanced imaging machines and AI-integrated stethoscopes. Subsequently, the FDA has made specific cybersecurity warnings about these devices throughout their product life cycle. The specific cybersecurity issues include:

  • Data poisoning – Malicious or fake data can be injected to distort model outcomes, affecting areas such as medical diagnosis.
  • Model inversion/stealing – Attackers may deduce model details or replicate them, risking intellectual property theft and model integrity.
  • Model evasion – Inputs can be manipulated to fool AI models into making incorrect predictions, reducing their trustworthiness.
  • Data leakage – Hackers might access sensitive training or inference data from AI systems.
  • Overfitting – Threats can force models to overfit by training the system on data with outliers and noise, rather than representative patterns. This reduces the system’s ability to understand real-world data, making it less adaptable and more vulnerable to errors and adversarial manipulation.
  • Model bias – Attackers can manipulate data to introduce or exploit bias, including embedding specific data patterns to later alter the AI’s behaviour (backdoors) or skewing specific data.
  • Performance drift – Cyber threats can cause gradual changes in data, which can degrade model performance over time and increase susceptibility to attacks.

Despite increased investment in cybersecurity, stakeholders and healthcare professionals remain concerned that recent budget and staff reductions at the Department of Health and Human Services may undermine the security of medical devices, given the critical role the FDA plays in this area. In addition, Eric Decker, vice-president and chief information security officer at Intermountain Health, has reported that hospitals have implemented only about 55% of the recommendations for medical device security outlined by the Health Industry Cybersecurity Practices.

One contributing factor to this shortfall may stem from the device manufacturers’ urgency in expediting medical devices to market. According to a 2024 report by Cybellum on medical device security, a staggering 93% of respondents admitted they would prioritise rapid market entry over device security, which only 14% chose as a priority. This prioritisation leaves healthcare institutions vulnerable to cyberattacks. Compounding the issue is the challenge of detecting when a device has been compromised, further complicating the landscape of medical device security. Robust cybersecurity measures must be implemented at each stage of the device’s life cycle, as well as within hospitals, to protect the critical industry from attack. This will ensure that medical devices can continue to save lives and improve care, rather than being a point of entry for cybercriminals. AI-enabled medical devices present additional risks that must be closely considered, especially when training the model.

By GlobalData