Medical device insecurity still plagues hospitals in 2026

Survey data shows hospital CISOs entering 2026 constrained by unclear device ownership, limited visibility, and patching limits.
By admin
Jan 12, 2026, 10:47 AM

Hospital chief information security officers (CISOs) are heading into 2026 with a growing problem they cannot easily patch or buy their way out of: exposure across thousands of connected medical devices that remain poorly inventoried, inconsistently governed, and difficult to secure.

A new survey from Asimily, which polled dozens of North American hospital CISOs, highlights how the Internet of Medical Things (IoMT) has become a persistent source of cyber risk even as attacks against healthcare continue to rise. The findings suggest the central challenge is no longer detecting threats, but understanding what devices exist, who controls them, and which vulnerabilities meaningfully threaten patient care.

An attack surface defined by clinical scale

Hospitals now operate one of the most complex digital environments in critical infrastructure. Industry estimates show the average facility runs 10 to 15 connected medical devices per bed, translating to roughly 15,000 networked systems in a 1,000-bed hospital. Those devices include infusion pumps, imaging equipment, patient monitors, anesthesia machines, and diagnostic instruments, each representing a potential network access point.

These medical devices coexist with traditional IT systems, building controls, HVAC networks, and, increasingly, consumer electronics brought in by staff and patients. CISOs surveyed described an environment where weaknesses in one system class can create pathways into others, including systems directly involved in patient care.

That scale intersects with a threat environment that has grown more frequent and disruptive. Research from the Ponemon Institute and Proofpoint published in 2024 found that more than 90 percent of healthcare organizations experienced at least one cyberattack in a 12-month period. Disruption to normal operations from system availability problems averaged $1.47 million per attack. Ransomware incidents affecting hospitals have been associated with emergency department diversions and canceled procedures, heightening concern among security and clinical leaders.

Visibility remains foundational but elusive

When asked which problem they would address first, 43 percent of surveyed CISOs pointed to complete device visibility. Without a unified view across IT, IoT, operational technology, and IoMT, respondents said security teams struggle to assess where attackers could gain entry or move laterally through hospital networks.

The challenge is compounded by how medical devices are acquired and managed. Unlike traditional IT assets that follow standardized procurement and deployment workflows, medical devices may be introduced through capital purchases, clinical trials, vendor consignment arrangements, or departmental budgets. Each pathway increases the likelihood that devices reach the network without passing through centralized asset management processes.

Survey responses indicate that visibility gaps are driven more by governance breakdowns than technical limitations. Medical devices may be deployed or serviced by clinical engineering, biomedical teams, or outside vendors without consistent notification to security staff. Clinicians may also connect personal or departmental equipment directly to hospital networks to support care delivery needs. Over time, unmanaged or unknown assets accumulate, creating blind spots that can persist for extended periods.
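The blind spots described above are found by comparing what the network actually sees with what the asset register says is deployed. The following added example (not code from the article, Asimily, or any surveyed hospital) reconciles a constructed DHCP lease log against a constructed asset register; the log format, MAC addresses and device names are all assumptions for illustration.

```python
"""Reconcile devices observed on the network against the hospital asset register.

Added example: the register entries and DHCP lines below are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed asset register keyed by MAC: what clinical engineering, biomed and IT
# believe is deployed. In practice this would come from the CMDB or a CMMS export.
ASSET_REGISTER = {
    "00:1a:2b:00:00:01": {"name": "infusion-pump-3f-01", "owner": "clinical-engineering"},
    "00:1a:2b:00:00:02": {"name": "patient-monitor-icu-07", "owner": "biomed"},
    "00:1a:2b:00:00:03": {"name": "ct-scanner-rad-1", "owner": "radiology-vendor"},
}

# Constructed DHCP server lines in an ISC-style format (an assumption; adapt LEASE_RE
# to whatever your DHCP or NAC platform emits).
DHCP_LOG = """\
2026-01-10T08:01:12 DHCPACK on 10.20.3.11 to 00:1a:2b:00:00:01 (infusion-pump-3f-01) via eth1
2026-01-10T08:02:40 DHCPACK on 10.20.3.12 to 00:1a:2b:00:00:02 (patient-monitor-icu-07) via eth1
2026-01-10T09:15:03 DHCPACK on 10.20.3.40 to 00:1a:2b:00:00:09 (ultrasound-cart) via eth1
2026-01-10T09:16:55 DHCPACK on 10.20.3.41 to 00:1a:2b:00:00:0a via eth1
2026-01-10T09:17:01 DHCPDISCOVER from 00:1a:2b:00:00:0b via eth1
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class ObservedDevice:
    mac: str
    ip: str
    hostname: Optional[str]  # DHCP clients do not always send a hostname


def parse_leases(log: str) -> list:
    """Return one ObservedDevice per MAC that received a DHCPACK.

    DHCPDISCOVER lines and anything else are ignored; a later ACK for the same
    MAC replaces the earlier one so the most recent IP is kept.
    """
    seen = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m["mac"]] = ObservedDevice(m["mac"], m["ip"], m["host"])
    return list(seen.values())


def reconcile(observed, register):
    """Split observed devices into managed vs. unknown, and list registered
    devices that were never seen (offline, decommissioned, or mis-recorded)."""
    managed = [d for d in observed if d.mac in register]
    unknown = [d for d in observed if d.mac not in register]
    observed_macs = {d.mac for d in observed}
    missing = sorted(mac for mac in register if mac not in observed_macs)
    return managed, unknown, missing


def unknown_device_report(log=DHCP_LOG, register=ASSET_REGISTER):
    """Convenience wrapper producing the three lists for the constructed inputs."""
    return reconcile(parse_leases(log), register)


if __name__ == "__main__":
    managed, unknown, missing = unknown_device_report()
    print(f"{len(managed)} managed, {len(unknown)} unknown, {len(missing)} not seen")
    for d in unknown:
        print("  UNKNOWN:", d.mac, d.ip, d.hostname or "(no hostname)")
    for mac in missing:
        print("  REGISTERED BUT NOT SEEN:", mac, register[mac]["name"])
```

Run on a daily lease export, the "unknown" list is the queue for clinical engineering to claim or remove, and the "registered but not seen" list catches equipment that was retired or moved without the register being updated; both are governance signals rather than technical findings, which matches where the survey says the gaps come from.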

Budget constraints add pressure, as hospitals typically allocate only 4 to 7 percent of IT spending to cybersecurity, according to figures from CDW. This limits investment in comprehensive discovery and monitoring across all device classes.

Process failures outweigh tooling gaps

While visibility topped CISOs’ wish lists, the most frequently cited barrier to effective IoMT risk management was internal process breakdown. One third of respondents said unclear ownership, fragmented responsibility, and weak coordination between departments posed the greatest obstacle to securing connected medical devices.

In many organizations, no single team owns IoMT security end to end. Clinical engineering manages procurement and maintenance. Biomedical technicians handle repairs and vendor access. IT teams manage network connectivity. Security teams assess vulnerabilities. Survey responses suggest these groups often operate with different priorities and timelines, creating gaps where critical security activities fall between organizational boundaries.

Deployment, maintenance, and configuration changes may occur outside formal IT processes, while security teams become aware only after vulnerabilities are introduced. Respondents pointed to configuration drift and undocumented third-party servicing as recurring sources of exposure, particularly when vendor technicians make changes during service visits without corresponding security review.

These governance challenges are compounded by data overload. Large hospitals can have hundreds of thousands of connected systems generating continuous network traffic. CISOs described security teams inundated with alerts that lack sufficient clinical or operational context to assess urgency or impact.

Fifteen percent of CISOs cited tool limitations, noting that many IoMT-focused products do not integrate cleanly with traditional IT security platforms, leaving data siloed and complicating efforts to correlate network behavior with asset criticality or clinical function.

Vulnerabilities that resist traditional remediation

Even when vulnerabilities are identified, hospitals often face remediation constraints uncommon in traditional IT environments. Medical device manufacturers may limit patching to avoid triggering new validation requirements or require lengthy testing cycles that delay fixes. Some legacy devices no longer receive security updates, leaving organizations reliant on compensating controls rather than direct remediation.

The survey found no dominant approach to vulnerability prioritization. Roughly equal shares of CISOs rely on vendor alerts, CVSS scores, or assessments of device usage and criticality, while nearly one in five still depend on manual review processes. Fifteen percent reported having no defined prioritization framework.

Respondents noted that severity scores alone often fail to capture real-world risk. A high-severity vulnerability may have limited impact if a device is segmented or isolated, while a lower-scored flaw on a life-sustaining system could carry greater operational consequences.

CISOs who incorporate device usage patterns, clinical importance, and actual network exposure into prioritization efforts reported being able to narrow focus to a small subset of devices responsible for most practical exposure risk. This allows limited resources to be directed toward vulnerabilities most likely to affect patient care and hospital operations.
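To show how the context-aware prioritization just described reorders a CVSS-only list, here is an added example that is not code from the article or from any surveyed hospital. It scales each finding's CVSS base score by network exposure, clinical importance and whether the device is actually in use, then picks the small subset of devices that accounts for most of the total risk. The weights, device names and vulnerability labels are assumptions for illustration; the labels are placeholders, not real CVE identifiers.

```python
"""Rank medical-device vulnerabilities by operational risk rather than CVSS alone.

Added example with constructed findings; weights are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    vuln: str             # placeholder label, not a real CVE number
    cvss: float           # CVSS base score, 0.0 to 10.0
    clinical_impact: int  # 1 = administrative only ... 5 = life-sustaining
    exposure: str         # see EXPOSURE_WEIGHT
    in_use: bool          # device actively used in care delivery


# How reachable the device is from the rest of the hospital network (assumed weights).
EXPOSURE_WEIGHT = {
    "isolated": 0.1,    # air-gapped or behind an allow-list-only firewall
    "segmented": 0.4,   # own VLAN with restricted routing
    "flat": 0.8,        # shares a broadcast domain with general IT
    "internet": 1.0,    # reachable from outside the hospital
}


def risk_score(f: Finding) -> float:
    """CVSS scaled by reachability, clinical criticality and actual use.

    A CVSS 9.8 on a segmented, low-impact workstation ends up below a CVSS 5.3
    on a flat-networked infusion pump, which is the reordering the survey respondents describe.
    """
    reach = EXPOSURE_WEIGHT[f.exposure]
    crit = f.clinical_impact / 5
    usage = 1.0 if f.in_use else 0.3  # powered-off or spare devices still count, but less
    return round(f.cvss * reach * crit * usage, 2)


def prioritize(findings):
    """Findings sorted by operational risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def focus_subset(findings, share=0.6):
    """Smallest top-ranked subset whose scores reach `share` of the total risk.

    This is the 'small subset of devices responsible for most exposure' that
    limited remediation effort should be pointed at first.
    """
    ranked = prioritize(findings)
    total = sum(risk_score(f) for f in ranked)
    chosen, running = [], 0.0
    for f in ranked:
        chosen.append(f)
        running += risk_score(f)
        if total == 0 or running >= share * total:
            break
    return chosen


# Constructed sample findings (not real devices or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("infusion-pump-3f-01", "VULN-A", 5.3, 5, "flat", True),
    Finding("imaging-ws-rad-2", "VULN-B", 9.8, 2, "segmented", True),
    Finding("ventilator-icu-03", "VULN-C", 7.5, 5, "isolated", True),
    Finding("legacy-scanner-1", "VULN-D", 9.8, 3, "flat", False),
    Finding("patient-monitor-icu-07", "VULN-E", 6.1, 5, "flat", True),
    Finding("badge-printer-lobby", "VULN-F", 8.8, 1, "segmented", True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.2f}  cvss={f.cvss:<4}  {f.device:<24} {f.vuln}")
    print("focus first on:", [f.device for f in focus_subset(SAMPLE_FINDINGS)])
```

Sorting by CVSS alone would put the two 9.8 findings at the top; with exposure and clinical context applied, the flat-networked monitor and infusion pump lead the list and the isolated ventilator drops near the bottom, even though its CVSS is higher than the pump's. The weights are the part a hospital would tune to its own segmentation and clinical risk model; the structure of the calculation is what matters.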

A broader shift toward exposure management

The findings align with a broader shift in healthcare cybersecurity toward exposure management rather than reactive threat response. Federal agencies have increasingly emphasized asset awareness, governance, and risk prioritization as foundational controls.

The Food and Drug Administration has urged manufacturers to adopt secure-by-design principles for medical devices, including software bills of materials and coordinated vulnerability disclosure. While these measures aim to improve future devices, they do little to address the large installed base of legacy equipment currently in use. HHS guidance under the Health Sector Cybersecurity Practices framework similarly highlights asset inventory and risk prioritization as baseline safeguards. Surveyed CISOs described these controls as prerequisites for more advanced security efforts.

For hospital CISOs, the challenge entering 2026 is less about recognizing the problem than executing change. Leadership support, cross-functional governance, and investment in foundational capabilities like asset management remain uneven across the sector.

Without clearer ownership structures, better visibility into connected devices, and risk models grounded in clinical operations rather than abstract severity scores, connected medical devices are likely to remain one of healthcare’s most persistent and consequential cybersecurity exposures.