Medtech Insight is part of Pharma Intelligence UK Limited

This site is operated by Pharma Intelligence UK Limited, a company registered in England and Wales with company number 13787459 whose registered office is 5 Howick Place, London SW1P 1WG. The Pharma Intelligence group is owned by Caerus Topco S.à r.l. and all copyright resides with the group.

This copy is for your personal, non-commercial use. For high-quality copies or electronic reprints for distribution to colleagues or customers, please call +44 (0) 20 3377 3183

Printed By


Vulnerabilities Up 59%: The State Of Healthcare Cybersecurity In 2023

Executive Summary

A report from the Health-ISAC, Finite State and Securin found a large increase in vulnerabilities in healthcare devices since 2022.

The 2023 State of Cybersecurity for Medical Devices and Healthcare Systems found that there was a 59% increase in vulnerabilities in healthcare devices since 2022.

Health-ISAC, Finite State and Securin Inc conducted a survey of 966 products from 117 medical device manufacturers and healthcare application venders. 993 vulnerabilities were found within the products.

Devices were put into four categories. Three were risk-based levels of class I, II or III. According to the report, class I devices, like bandages, have “minimum potential to cause patient harm” and least regulatory control; class II devices, like infusion pumps, are considered “moderate risk” and usually require special regulatory controls; class III devices, like implantable devices, are high-risk devices “intended to sustain or support life.”

The fourth category was Healthcare Information Technology, which included software and applications that support healthcare delivery operations. The category had 741 vulnerabilities, the highest number among the four.

The results aren’t too surprising, considering results from the Medical Device Innovation Consortium’s October 2022 Cybersecurity Maturity Industry Benchmark report.

“While cybersecurity maturity varies significantly between [medical device manufacturers], the industry as a whole has a low level of cybersecurity maturity,” the report concluded.  (Also see "MDIC Cybersecurity Benchmarking Maturity Report: An ‘Honest Reflection’ Of The Industry" - Medtech Insight, 24 Jan, 2023.)

In a recent example, HCA Healthcare was breached in a ransomware attack on 5 July. As many as 11 million patients may have been affected by the breach, in which an external server was accessed by an unauthorized party and 27 million rows of data were stolen. (Also see "HCA Healthcare Data Breach Crosses State Lines" - Medtech Insight, 14 Jul, 2023.)

SBOMs, Penetration Testing Among Recommendations

The report recommends regular penetration testing as a way to detect vulnerabilities in devices, especially in large healthcare settings. Penetration testing often includes hiring a third party to test a system’s vulnerabilities by trying to exploit the system as much as possible. After the tests are finished, the vulnerabilities are reported back to the organization for fixing.

Keeping up to date with updates, especially ones that patch high-risk vulnerabilities, is not only good practice but critical for keeping devices and IT safe.

Additionally, report authors recommend developing software bills of material (SBOMs) for any device with software. And SBOM is an itemized list of all software components in a system that can be critical when searching for vulnerabilities.

Congress recently gave the US Food and Drug Administration the authority to require SBOMs for all new medical device applications that contain software. (Also see "Expert: Cybersecurity Requirements In Omnibus Bill Will Provide Visibility For Industry" - Medtech Insight, 10 Jan, 2023.)

In April, the International Medical Device Regulation Forum published a guidance for SBOM use, the Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity. (Also see "Latest Cybersecurity Guidance From IMDRF Highlights Software Bills Of Materials" - Medtech Insight, 18 Apr, 2023.)

The report also urges companies to implement a security-by-design process when creating and manufacturing healthcare products which considers the total lifecycle of a product.

Related Content


Latest Headlines
See All



Ask The Analyst

Ask the Analyst is free for subscribers.  Submit your question and one of our analysts will be in touch.

Your question has been successfully sent to the email address below and we will get back as soon as possible. my@email.address.

All fields are required.

Please make sure all fields are completed.

Please make sure you have filled out all fields

Please make sure you have filled out all fields

Please enter a valid e-mail address

Please enter a valid Phone Number

Ask your question to our analysts