In the crosshairs of hackers: Connected medical technology saves lives – and offers targets for attack
Networked medical technology makes healthcare more efficient, but also more vulnerable to cyberattacks. A single wrong click can bring the operating theatre to a standstill. Thinking about security from the outset protects data and, in turn, lives. Cybersecurity is thus becoming the foundation of digital medicine.
Every day in September 2025, an average of 228,000 new malware variants were created, a figure cited by the German Federal Office for Information Security (BSI) in its monthly report. Behind this figure lies a system: cyberattacks today are the work of professional organisations that operate in a collaborative, networked and highly specialised manner.
“They have their own HR managers who hire the best hackers, they have qualification and training departments, and they have marketing departments that advertise on the darknet. Attacks can be purchased as a service,” says Christian Rosenzweig from the Johner Institute in Konstanz. “With clear roles, responsibilities and profit models, cybercriminals are now just as well organised as our economy.”
High prices and vulnerable infrastructure attract attackers
And they have found a particularly lucrative target in the healthcare system. Cyberattacks on hospitals, laboratories and connected medical devices have increased dramatically in recent years. The explanation is obvious: sensitive and economically valuable data is processed here. “It is said that on the darknet, five US dollars are paid for standard data records such as credit card details, but 50 dollars for a patient data record. So the price is ten times higher – and that naturally encourages attackers to specialise in this area,” says Rosenzweig.

“On the darknet the price for a patient data record is ten times higher.” – Christian Rosenzweig, consultant for medical device manufacturers at the Johner Institute. Photo © Christian Rosenzweig
At the same time, attackers in the healthcare sector encounter conditions that make it unnecessarily easy for them to gain access. These are often human and organisational weaknesses: weak passwords, software that is not patched, or missing security routines in everyday operation. In addition, many medical devices remain in use for decades because their acquisition costs are enormous. CT or MRI machines often run for 10 or 15 years, while the IT landscape around them changes completely. This increases the vulnerability of the entire infrastructure.
Potentially fatal consequences
According to Rosenzweig's estimates, two-thirds of all hospitals in Germany have already fallen victim to a ransomware attack. The publicly known attacks on the Ameos clinics in 2023 and on the University Hospital of Düsseldorf three years earlier have shown the consequences of such attacks: IT systems are encrypted, treatments are delayed, and entire care structures come to a standstill. “When a hospital can no longer admit patients, it's not just an IT problem, it's a threat to patient safety,” comments the Johner expert, who has been advising medical technology manufacturers on security issues for seven years.
The attacks follow similar patterns: encryption Trojans, known as ransomware, infect systems via poorly secured networks or manipulated emails, block databases and demand ransom payments. The possible consequences: emergency rooms have to close, operations are cancelled, and in individual cases people can die because hospitals are no longer able to fulfil their duty to provide care. The manipulation of medical devices is not a theoretical scenario either. Connected systems can be compromised, parameters changed or signals falsified – with potentially fatal consequences for patients.
‘Security by design’ as an obligation
To prevent such security gaps, the Medical Devices Regulation (MDR), in force since 2017 and applicable since May 2021, requires manufacturers to consider the cybersecurity of their products from the outset. Annex I sets out the general safety and performance requirements, including the requirement that software be developed in accordance with the state of the art, taking into account the principles of the development life cycle, risk management (including information security) and verification and validation. This has made the concept of ‘security by design’ mandatory: security must no longer be an add-on, but must be part of the development process, from the initial product idea through operation and beyond. This principle is also known in the industry as ‘shift left’: security activities are moved as early as possible in the process so that risks are not discovered only at the end, when they are most expensive to fix.
Another fundamental element is the international standard IEC 81001-5-1, which describes the security activities that must be planned, implemented and documented across all phases of the product life cycle, from requirements and secure design through implementation, testing and release to post-market vulnerability handling. Rosenzweig sums it up succinctly: “The standard considers the entire life cycle of a product – from cradle to grave. This means that security does not end with approval, but accompanies the product as long as it is in the field.”
The Cyber Resilience Act excludes medical devices, because the MDR and IVDR already impose legal cybersecurity obligations on them; the infrastructure side is addressed by European regulation such as the NIS 2 Directive. Once transposed into national law, it requires organisations classed as ‘essential’ or ‘important’ entities to establish structured information security management, including risk management, incident reporting and supply-chain security. This affects not only hospital IT systems, but also the cloud environments in which the back-end systems of many modern medical devices are operated. Rosenzweig: “Some products do not run at the operator's site, but in a cloud under the control of the medical device manufacturer. In this case, the manufacturer is obliged to secure this system within its infrastructure.”
Limited resources and established structures
And yet, there are still companies on the market that do not pay enough attention to cybersecurity. “In the medical device sector, we have many small and medium-sized companies. This is in contrast to the automotive or aircraft industry, where only large companies are active. These companies are under different pressures. IT security has not yet made it to the top of the priority list here, and that is why it sometimes falls by the wayside,” says Rosenzweig.
High regulatory requirements are met with limited resources and established structures. Rosenzweig: “Companies come to me when they have finished developing a product and realise that they still need to do something about IT security. Then they say: help me put together a file for this. I have to practically lift some manufacturers into the saddle, so to speak.”
The bar is being raised
In the past, notified bodies did not always scrutinise matters closely, either. Some of them have only recently acquired the necessary expertise to consistently check IT security requirements as part of their audits. A recent example shows how patchy the practice still is in some cases: “I recently had a manufacturer who said that the audit for IT security consisted of the auditor handing over a short list of questions. The manufacturer had to fill it in themselves – and that was the end of it.”
Such cases are exceptions, but there is still a great need for action, says Rosenzweig. “In general, the notified bodies are now trying to slowly build up the pressure. But they also realise that if they set the bar as high as it is in fact in the law, they would have to take some medical devices off the market.”
Known vulnerabilities are exploited
This is why weakness classes that have been catalogued in public databases for years continue to cause problems. Take SQL injection, a classic form of attack: the application builds a database query by splicing user input into the SQL text, so an attacker who types control commands into a seemingly harmless field, such as the one for a patient's name, can change what the query does and force the system to delete data, return every record or perform other manipulations. The standard remedy is to hand user input to the database as a bound parameter of a prepared statement, so that it is treated as data and never as SQL. Such attack paths are often exploited via web interfaces to access patient data or modify software without being noticed.

SQL injection is a covert type of cyberattack in which attackers insert database commands into the input fields of a web application in order to bypass security measures and access protected data. Photo © Envato
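The patient-name lookup described above, as an added example that is not code from the article or from any manufacturer it names: a vulnerable handler that formats the name into the SQL text next to the parameterised version, run against a constructed in-memory SQLite table. The patient rows, the attacker payload and the handler names are all assumptions made for the demonstration. The read path shows how a tautology in the name field dumps every record; the write path shows the same payload deleting every row; and the apostrophe in a legitimate name shows that the vulnerable query is also simply wrong for honest input.

```python
"""SQL injection in a patient-lookup form: vulnerable vs. parameterised queries.

Added example (not code from the article or from any manufacturer named in it).
The table, the patient rows and the payload are constructed for the demonstration.
"""
import sqlite3

# Attacker input typed into the "patient name" field. The leading quote closes
# the string literal the application opened; the rest becomes SQL logic.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory database with a few constructed patient records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, diagnosis) VALUES (?, ?)",
        [
            ("Anna Beispiel", "Hypertension"),
            ("Bernd Muster", "Type 2 diabetes"),
            ("Conor O'Brien", "Asthma"),
        ],
    )
    conn.commit()
    return conn


def build_vulnerable_sql(name: str) -> str:
    """The query text a naive web handler produces by string formatting."""
    return f"SELECT name, diagnosis FROM patients WHERE name = '{name}'"


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """User input is spliced into the SQL text, so it can change the query."""
    return conn.execute(build_vulnerable_sql(name)).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Input is bound as a parameter: the driver treats it as data, never as SQL."""
    return conn.execute(
        "SELECT name, diagnosis FROM patients WHERE name = ?", (name,)
    ).fetchall()


def delete_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    """Same flaw on a write path; returns the number of rows removed."""
    cur = conn.execute(f"DELETE FROM patients WHERE name = '{name}'")
    conn.commit()
    return cur.rowcount


def delete_safe(conn: sqlite3.Connection, name: str) -> int:
    """Parameterised delete; the payload matches no patient name."""
    cur = conn.execute("DELETE FROM patients WHERE name = ?", (name,))
    conn.commit()
    return cur.rowcount


def run_demo() -> dict:
    """Exercise both handlers with honest and hostile input; return a summary."""
    conn = make_db()
    out = {}
    # Honest input behaves the same in both handlers.
    out["honest_vulnerable"] = len(lookup_vulnerable(conn, "Anna Beispiel"))
    out["honest_safe"] = len(lookup_safe(conn, "Anna Beispiel"))
    # Tautology: the vulnerable handler returns every record, the safe one none.
    out["tautology_vulnerable"] = len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    out["tautology_safe"] = len(lookup_safe(conn, TAUTOLOGY_PAYLOAD))
    # A legitimate apostrophe breaks the vulnerable query (and the resulting
    # error message tells an attacker the input reaches the database unescaped);
    # the parameterised query handles it correctly.
    try:
        lookup_vulnerable(conn, "Conor O'Brien")
        out["apostrophe_vulnerable"] = "ok"
    except sqlite3.OperationalError:
        out["apostrophe_vulnerable"] = "sql error"
    out["apostrophe_safe"] = len(lookup_safe(conn, "Conor O'Brien"))
    # On the write path the same payload deletes every patient record.
    out["delete_safe"] = delete_safe(conn, TAUTOLOGY_PAYLOAD)
    out["delete_vulnerable"] = delete_vulnerable(conn, TAUTOLOGY_PAYLOAD)
    out["rows_left"] = conn.execute("SELECT COUNT(*) FROM patients").fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22} {value}")
```

Parameter binding is the fix that removes the vulnerability class; input validation and a database account that cannot delete or read beyond what the interface needs are defence in depth on top of it, not substitutes. Note that the tautology payload is not the only shape: comment sequences and UNION clauses work the same way once the input reaches the query text unescaped.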
“Many of these attack techniques have been known for years,” says Christian Rosenzweig. “The problem is that connected medical devices sometimes run on operating systems that no longer receive security updates.” The combination of long-known vulnerabilities and outdated systems makes the situation complex: it is not enough to secure new products alone – the installed base of old devices remains vulnerable to attack.
Rehearsed processes: Dräger example
The situation is different for large companies in the market than for many small medical technology manufacturers. They have their own security departments, clearly defined processes and a strategic anchoring of the topic in product development. Here, IT security is not an afterthought, but an integral part of the innovation culture.
The example of Dräger in Lübeck shows what such an approach can look like. At the company – globally known for its ventilators, anaesthesia and patient-monitoring systems, as well as its safety technology – security by design is firmly embedded in the development process. “Thinking about security is already an important issue in the concept phase. Every project employee helps to shape the security of a product, and there is at least one product security engineer for each product who manages these activities in the project,” reports Dr Dennis Sturm, Product Security Manager at Dräger. “Product security is therefore integrated into the development and further development of every product right from the start. A central department, the Product Security Office, supports the individual projects to ensure that regulatory requirements, among other things, can be met.”

“Thinking about security is already an important issue in the concept phase.” – Dr Dennis Sturm, Product Security Manager at Dräger. Photo © Drägerwerk AG & Co. KGaA
Hardened software and penetration testing
Dräger devices use hardened software: unnecessary services, interfaces and privileges are removed or restricted, which leaves attackers less scope and closes security gaps through targeted measures. The software is also regularly subjected to internal and external checks, such as penetration tests. “This allows us to test our products for current attack scenarios and protect them against them. Ultimately, it is the joint responsibility of medical device manufacturers and operators to protect our healthcare system and patients,” says Sturm.
Dräger also plays it safe with devices that have been in operation for years. Sturm: “In addition to regular security tests during development and the product life cycle, we check our software and its components (software bill of materials, SBOM) for newly discovered vulnerabilities. These vulnerabilities are assessed in terms of their risk potential for a product and their criticality.” Dräger offers long support periods and software updates. “However, if a product is so old that it is no longer possible to update the software or hardware, this can even lead to a function having to be deactivated due to a newly discovered vulnerability,” explains the Security Manager.
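The SBOM-based monitoring described above, as an added example that is not Dräger's process or any vendor's tooling: a constructed component list for a hypothetical device is matched against a constructed advisory feed (placeholder IDs, not real CVEs), each hit is rated for this product by combining the advisory severity with whether the component is reachable from the network, and the outcome decides between tracking the issue, shipping an update, or deactivating the affected function when no update path exists. The version-range rule, the exposure adjustment and the action table are simplified assumptions for the demonstration.

```python
"""Matching a device SBOM against newly published advisories and triaging the hits.

Added example, not Dräger's process or any vendor's tooling. The SBOM, the
advisory feed, the version rule and the triage table are all constructed.
"""
from typing import Tuple

SEVERITY = ["low", "medium", "high", "critical"]

# Constructed component list in the spirit of a CycloneDX SBOM (hypothetical device).
# "exposure" says whether the component sits on a network-facing path; "updatable"
# whether a field update can still replace it.
SBOM = {
    "device": "example-patient-monitor",
    "firmware": "4.2.1",
    "components": [
        {"name": "openssl", "version": "1.1.1k", "exposure": "network", "updatable": False},
        {"name": "zlib", "version": "1.2.11", "exposure": "local", "updatable": True},
        {"name": "lwip", "version": "2.1.2", "exposure": "network", "updatable": True},
        {"name": "sqlite", "version": "3.36.0", "exposure": "local", "updatable": True},
    ],
}

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# A component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "high"},
    {"id": "EXAMPLE-0002", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.12", "severity": "medium"},
    {"id": "EXAMPLE-0003", "component": "lwip", "introduced": "2.0.0", "fixed": "2.1.2", "severity": "critical"},
    {"id": "EXAMPLE-0004", "component": "sqlite", "introduced": "3.37.0", "fixed": "3.39.0", "severity": "low"},
]


def parse_version(text: str) -> Tuple[Tuple[int, str], ...]:
    """'1.1.1k' -> ((1,''), (1,''), (1,'k')): numeric parts first, letter suffix second."""
    parts = []
    for piece in text.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append((int(piece[:i] or "0"), piece[i:]))
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """Half-open range: the version that ships the fix is not affected."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def device_rating(severity: str, exposure: str) -> str:
    """Product-level rating: a component that is not network-reachable drops one level."""
    idx = SEVERITY.index(severity)
    if exposure != "network":
        idx = max(0, idx - 1)
    return SEVERITY[idx]


def scan(sbom: dict, advisories: list) -> list:
    """Return one finding per (component, advisory) hit with rating and action."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] != comp["name"] or not is_affected(comp["version"], adv):
                continue
            rating = device_rating(adv["severity"], comp["exposure"])
            if rating in ("high", "critical"):
                # No update path left: the affected function must be deactivated
                # or protected by a compensating control.
                action = "update" if comp["updatable"] else "deactivate or mitigate"
            else:
                action = "track"
            findings.append({
                "component": comp["name"],
                "version": comp["version"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "device_rating": rating,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SBOM, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} "
              f"{f['severity']} -> {f['device_rating']} ({f['action']})")
```

In practice the match is made on structured identifiers (package URLs or CPEs) and machine-readable version ranges from a feed such as OSV or the NVD, and the exposure adjustment stands in for a proper product risk analysis of whether the vulnerable code is reachable at all. The boundary case in the data matters: the lwIP entry is not a finding because the installed version is the one that contains the fix.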
External service providers
Small manufacturers often have no choice but to rely on external expertise to implement legal security requirements and keep track of current risks. The number of specialised service providers that analyse firmware, perform penetration tests and assist with compliance audits is growing. The Johner Institute, for example, takes on security-related monitoring for its customers, thereby pooling knowledge and processes that would be difficult for individual companies to build up efficiently.
Christian Rosenzweig gives these medical technology manufacturers the following advice: “Don't be afraid of IT security.” Often, it's a matter of easily implementable measures. “If you deal with it and integrate the appropriate activities into the development process at an early stage, then the costs are really reasonable – and common sense is a very important component in this.”
CYMEDSEC project
At EU level, too, intensive work is underway to find solutions that will strengthen cybersecurity in medical technology in the long term. The CYMEDSEC project, funded by the European Union as part of its Horizon Europe research initiative, is coordinated by the Else Kröner Fresenius Center (EKFZ) for Digital Health at TUD Dresden University of Technology. It focuses on the Internet of Medical Things (IoMT), i.e. wireless devices for remote home monitoring and the ‘Hospital at Home’ concept.
“Hospital at Home is a dream of patients and a much needed future modality of care that reduces costs and reduces environmental impact and it has obvious advantages for patients. Truly a win-win, but also a new attack surface for cyberattacks,” says Prof. Dr. Stephen Gilbert, Professor of Medical Device Regulatory Science at the EKFZ in Dresden, explaining the significance of the research approach. At the same time, patients are particularly vulnerable at home: there is no doctor or nurse who can immediately replace a failed digital system. “The highly efficient digital systems are surprisingly brittle. We address robustness in the IoMT home monitoring and Hospital at Home, considering approaches for assessing the risks of networked connected home and wearable devices, monitoring these devices and safeguarding them through updates,” says the expert in medical device regulation who coordinates the project.

“The highly efficient digital systems are surprisingly brittle.” – Dr Stephen Gilbert, Professor of Medical Device Regulatory Science at EKFZ. He is working on the CYMEDSEC project on the robustness and security of wireless devices for remote home monitoring and the ‘Hospital at Home’ concept. Photo © EKFZ / A. Stübner
The aim is to develop new standards and provide a toolkit for risk-benefit analysis of cybersecurity measures. Project partners include universities, medtech and cybersecurity companies, as well as national standardisation institutes.
Improved guidelines and tools for risk assessment
The initial results of the project, which began at the end of 2023, concern the risk-based assessment of IoMT devices in relation to their clinical benefits, the overall risk assessment of complex hospital-at-home approaches, and structured comparisons and gap analyses of international regulatory frameworks. Stephen Gilbert: “This work has fed into policy exchanges with the Polish presidency of the Council of the European Union in early 2025 and with the Medical Device Coordination Group, which defines guidance for the securing of connected medical devices.”
In addition, demonstrators of a secure remote monitoring infrastructure developed by the technical project partners are in use. “In the second half of the project, we will deepen the system perspective and consistently put prototypes through practical clinical tests,” Gilbert announces. “At the same time, regulatory tools will be gradually released to make it easier for manufacturers to assess risks, new technical solutions will be developed at the hardware and software level, and standardisation will be driven forward.”
This is also urgently needed, as the threat situation will intensify in the coming years. Attackers are becoming more professional and their tools more powerful, with Johner consultant Rosenzweig even warning of ‘cyber wars’.
‘IT security is constantly changing’
The use of artificial intelligence adds a new dimension to the issue. Cybercriminals are already using generative models to write social engineering emails or systematically identify vulnerabilities. At the same time, AI also opens up new defence strategies, such as automated anomaly detection and adaptive access control. Christian Rosenzweig emphasises that companies must actively keep pace with these developments: “Properly understood, IT security is constantly changing. The goal shifts as soon as you reach it.”
AI is also an integral part of the work programme in the CYMEDSEC project. There, it is used to monitor connected systems, streamline regulatory processes and secure AI-based medical devices, for example against data poisoning and prompt injection. “Our standardisation approaches consider IoMT and AI together, just as they will be used later on,” says project lead Gilbert.
Quantum computers: Threat and opportunity for cybersecurity
In the medium term, post-quantum cryptography will become a focus of efforts to improve cybersecurity. Quantum computers differ fundamentally from classical computers: instead of bits, which can only take the values 0 or 1, they operate with qubits, which can exist in superpositions of both. Quantum algorithms exploit this, together with interference between the possible states, to solve certain mathematical problems that conventional systems cannot solve in practical time. The case that matters for security is Shor's algorithm, which factors large integers and computes discrete logarithms efficiently; those two problems are exactly what the security of RSA, Diffie-Hellman and elliptic-curve cryptography rests on.
Rosenzweig's assessment is: “When quantum computers become market-ready one day, all the encryption algorithms currently in use will be obsolete. They can be broken in a short time. Many products are not prepared for this.”
For manufacturers, this means developing strategies today for converting encrypted communication channels, digital signatures and key management to quantum-resistant algorithms. The threat is concentrated on public-key schemes: Shor's algorithm breaks RSA and elliptic-curve cryptography outright, whereas symmetric ciphers and hash functions are only weakened by a square-root factor (Grover's algorithm) and remain adequate with sufficiently long keys. Because devices stay in the field for a decade or more, this planning also has to cover the signature schemes that protect firmware updates, since a forgeable update signature is the attacker's way into devices that are otherwise unreachable.
“Preparing devices for long operating and maintenance times is challenging in terms of planning, architecture and regulations,” says Dennis Sturm from Dräger. However, he emphasises the opportunities that new technologies offer to ensure cybersecurity: “Post-quantum cryptography, for example, is a safeguard against hypothetical attacks in the future and is already part of standards that will become mandatory during the operating phase of the current generation of devices.”
Balance of power – with sufficient financial resources
The techniques and tactics used by attackers are evolving very rapidly. Advances in AI and quantum computing could accelerate this development even further. Sturm: “When it comes to security measures in medical technology, we need to see at least the same level of technical development in order to achieve a balance of power. For the cybersecurity of medical devices, this means gradually supplementing or replacing old products that can no longer be protected by updates with new technology.” How well we adapt to changing challenges will ultimately be determined – inevitably – by the availability of budgets. “Healthcare providers should be equipped with sufficient financial and human resources to increase cybersecurity and reduce the attractiveness of the industry to cybercriminals,” says Sturm.
Research projects and standards committees are also working on this issue, of course. CYMEDSEC, for example, provides the scientific basis for this: “Although we have not yet reached ‘Q-day’, when traditional public-key cryptography can be broken easily by quantum computers, we are already living in a world in which we have to see Q-day as imminent,” summarises Stephen Gilbert. He and his team of experts are convinced that the challenge is less technological than organisational: “Healthcare IT, with its many outdated systems, will not be able to make the transition quickly and completely everywhere. CYMEDSEC is therefore working on viable migration paths and political guidelines.”
The expert finds it reassuring that the U.S. National Institute of Standards and Technology (NIST) has already standardised a portfolio of usable post-quantum algorithms (FIPS 203 ML-KEM for key encapsulation, FIPS 204 ML-DSA and FIPS 205 SLH-DSA for digital signatures, published in August 2024), whose use is already recommended today because of the danger of ‘harvest now, decrypt later’. The term refers to attackers, including state actors, recording and storing encrypted traffic today in order to decrypt it once quantum computers can break the algorithms used. Data with a long confidentiality lifetime, such as patient records, is exactly what this approach targets.
Collaboration creates resilience
The growing complexity of the threat landscape shows that cybersecurity in medical technology cannot be tackled by individual manufacturers alone. It requires the interaction of many players – from developers and operators to notified bodies, authorities and research institutions. Stephen Gilbert comments: “Collaboration is critical across all domains of CYMEDSEC and is a true strength of the Horizon Europe program. We bring together lawyers, regulatory standardisation experts, cybersecurity experts, hardware ‘chip’ engineers, wireless system experts, social scientists, hospital remote monitoring implementation engineers and information security officers, scientific and communication experts. We are looking at problems with multiple heads, challenging each other from our unique standpoints, finding new ways of looking at problems and integrating solutions that work for all stakeholders – holistically and from a European perspective.”
Only when experiences, vulnerability analyses and security concepts are systematically shared can the resilience that the healthcare sector needs be achieved. This also includes joint platforms where incidents are evaluated and best practices developed. Regulation can set the framework for this – but it is crucial that it is supported by all stakeholders and implemented in practice.
Cybersecurity at MedtecLIVE 2026
The topic of cybersecurity shows how closely technological innovation and responsibility are linked today. “Security is not an end in itself,” says Silke Ludwig, Deputy Director of MedtecLIVE, the leading trade fair for medical technology. “It determines whether digital medical solutions inspire confidence among users, patients and partners. And it is an important benchmark for how sustainable the medical technology industry as a whole is for the future.”

“Security is not an end in itself. It determines whether digital medical solutions inspire confidence.” – Silke Ludwig, Deputy Director MedtecLIVE. Photo © NürnbergMesse
MedtecLIVE, which will take place in Stuttgart from 5 to 7 May 2026, showcases the solutions that the industry is already developing – and the questions that remain unanswered when it comes to making medical technology secure, connected and trustworthy.