From Hardware Isolation to Software Interconnectivity
Executive Summary
Since 2019, Medcrypt has analyzed medical device vulnerability trends based on manufacturer reporting via ICS-CERT. Traditionally, reported concerns centered on vulnerabilities in the devices themselves (e.g., pacemakers or infusion pumps), but 2025 revealed a pivot towards the software and connectivity layer. This whitepaper analyzes the 2025 ICSM advisories and identifies three dominant trends: the prevalence of implementation vulnerabilities in imaging and communications libraries, the expanding "blast radius" of supply chain vulnerabilities, and the pressing need to address legacy security debt.
Key Trend 1: The Prevalence of Imaging and Data Standards (DICOM)
There is a measurable shift from device-centric vulnerabilities to the software layer that handles medical data. Vulnerabilities increasingly extend beyond the traditional physical "device" into the connectivity layer and into "diagnostic workstations," significantly increasing the exposure of data and its susceptibility to compromise.
2025 Statistics: 48% of all 2025 medical advisories (11 out of 23) were specifically related to DICOM viewers, PACS (Picture Archiving and Communication Systems), or imaging software.
Historical Comparison (2019–2024): In the preceding six years, imaging-related software accounted for only ~18% of advisories.
The Delta: This represents a +166% increase in the frequency of imaging software advisories.
Key Trend 2: The Force Multiplier
The impact of a single advisory has expanded due to the industry’s reliance on shared codebases and open-source libraries.
2025 Statistics: While only ~15% of advisories (such as the GDCM Library or MinKNOW Software) were "pure" supply chain advisories, these single entries impacted more than 30 downstream medical manufacturers.
Historical Comparison (2019–2024): Prior to 2024, medical advisories were almost exclusively Manufacturer-Specific (92%). Only 8% addressed third-party libraries.
The Delta: A nearly 2x increase in the focus on third-party components. One "Supply Chain" advisory now carries the weight of roughly 10 legacy advisories in terms of total devices affected.
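The "blast radius" of a shared-library advisory is something a manufacturer or hospital security team can measure directly by mapping the advisory onto the SBOMs of the fleet it manages. The following is an added example written for this page, not Medcrypt's code or the GDCM project's; the SBOM fragments, product and manufacturer names, and the affected version range ("below 3.0.21") are all constructed for the demonstration and do not come from any real advisory.

```python
"""Supply-chain blast radius: map one third-party library advisory onto a
fleet of device SBOMs to count the products and manufacturers it reaches.

Added illustration. The SBOM fragments, product names, manufacturer names and
the affected version range are constructed for the example and are not taken
from any real advisory or vendor."""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragments, one per device model.
# Real SBOMs carry far more fields; only component name/version matter here.
SBOMS_JSON = """
[
  {"product": "PACS Viewer A", "manufacturer": "Vendor-1",
   "components": [{"name": "gdcm", "version": "2.8.9"},
                  {"name": "zlib", "version": "1.3.1"}]},
  {"product": "Workstation B", "manufacturer": "Vendor-2",
   "components": [{"name": "GDCM", "version": "3.0.21"},
                  {"name": "openssl", "version": "3.0.13"}]},
  {"product": "Ultrasound C", "manufacturer": "Vendor-2",
   "components": [{"name": "gdcm", "version": "3.0.10-rc1"}]},
  {"product": "Infusion Pump D", "manufacturer": "Vendor-3",
   "components": [{"name": "lwip", "version": "2.1.3"}]},
  {"product": "DICOM Router E", "manufacturer": "Vendor-4",
   "components": [{"name": "gdcm", "version": "2.6.0"}]}
]
"""


@dataclass(frozen=True)
class LibraryAdvisory:
    component: str        # library name as it appears in SBOMs (matched case-insensitively)
    fixed_version: str    # first version that contains the fix (constructed value)


def load_fleet():
    """Parse the constructed SBOM inventory into a list of dicts."""
    return json.loads(SBOMS_JSON)


def parse_version(text):
    """Turn '3.0.10-rc1' into (3, 0, 10). Pre-release and build suffixes are
    dropped, so a release candidate is treated like its base version, which is
    the conservative choice when triaging."""
    base = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in base.split("."))


def is_affected(version, advisory):
    """Affected if strictly below the fixed version (the example's semantics)."""
    return parse_version(version) < parse_version(advisory.fixed_version)


def affected_products(sboms, advisory):
    """Return [(product, manufacturer, version), ...] for every SBOM that
    contains a vulnerable build of the advisory's component."""
    hits = []
    for sbom in sboms:
        for comp in sbom["components"]:
            if (comp["name"].lower() == advisory.component.lower()
                    and is_affected(comp["version"], advisory)):
                hits.append((sbom["product"], sbom["manufacturer"], comp["version"]))
    return hits


def blast_radius(sboms, advisory):
    """Summarise how far one library advisory spreads across the fleet and how
    many device-specific advisories it is 'worth' in products touched
    (one device-specific advisory covers exactly one product)."""
    hits = affected_products(sboms, advisory)
    return {
        "component": advisory.component,
        "products": [product for product, _, _ in hits],
        "manufacturers": sorted({manufacturer for _, manufacturer, _ in hits}),
        "equivalent_device_advisories": len(hits),
    }


if __name__ == "__main__":
    # Constructed advisory: every gdcm build below 3.0.21 is assumed vulnerable.
    report = blast_radius(load_fleet(), LibraryAdvisory("gdcm", "3.0.21"))
    print(json.dumps(report, indent=2))
```

Run as-is, the script reports three affected products across three manufacturers for a single advisory, which is the "one advisory equals several device-specific advisories" effect described above. Note that the SBOM for Workstation B pins the exact fixed version and correctly drops out, while the release-candidate build on Ultrasound C is still flagged.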
Key Trend 3: Peaking Legacy Security Debt
The data indicates an industry-wide "cleanup" of low-hanging fruit vulnerabilities in devices designed before the FDA’s 2023 statutory "Cyber Authority."
2025 Statistics: 70% of 2025 vulnerabilities were classified as "Primary Security Debt"—specifically Hard-coded Credentials, Missing Authentication, or Cleartext Transmission.
Historical Comparison (2019–2024): These "Primary Security Debt" errors accounted for ~55% of advisories in the post-2018 era.
The Delta: A 15% upward trend in reporting basic flaws. This indicates that regulatory pressure is forcing manufacturers to disclose "Known-Knowns" that were previously left unaddressed (e.g., the WHILL Inc. Electric Wheelchair with a 9.8 CVSS score for Missing Authentication).
2025 Comparative Metrics Summary
Imaging / DICOM / PACS advisories: ~18% (2019–2024) → 48% (2025, 11 of 23), +166%
Third-party ("supply chain") advisories: 8% (2019–2024) → ~15% (2025), nearly 2x
"Primary Security Debt" flaws (hard-coded credentials, missing authentication, cleartext transmission): ~55% (2019–2024) → 70% (2025), +15%
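The three shares compared in this whitepaper (imaging software, third-party components, and "Primary Security Debt" flaws) can be recomputed from raw advisory records so that the classification is explicit and repeatable. The example below is added for this page and is not Medcrypt's methodology or code: the advisory records and their identifiers are constructed, and the mapping of "Primary Security Debt" to CWE-798 (hard-coded credentials), CWE-306 (missing authentication) and CWE-319 (cleartext transmission), like the product-name keyword list for imaging software, is this example's own assumption. The baseline percentages are the 2019–2024 figures stated above.

```python
"""Classify advisory records into the three trend buckets and compute each
bucket's share against a historical baseline.

Added illustration. Advisory records and ids are constructed placeholders;
the CWE mapping and the imaging keyword list are this example's assumptions."""
from dataclasses import dataclass

# Assumed mapping of the three "Primary Security Debt" categories to CWE ids.
SECURITY_DEBT_CWES = {"CWE-798", "CWE-306", "CWE-319"}
# Assumed product-name keywords that mark an imaging/DICOM/PACS advisory.
IMAGING_KEYWORDS = ("dicom", "pacs", "imaging", "viewer")
# Baseline shares for 2019-2024 as stated in the whitepaper (percent).
BASELINE_2019_2024 = {"imaging": 18.0, "supply_chain": 8.0, "security_debt": 55.0}


@dataclass
class Advisory:
    adv_id: str
    product: str
    cwes: list
    third_party: bool = False   # advisory covers a shared library, not one vendor's device


# Constructed sample records (ids are placeholders, not real advisory numbers).
ADVISORIES_2025 = [
    Advisory("ADV-EX-01", "Example DICOM Viewer", ["CWE-79"]),
    Advisory("ADV-EX-02", "Example PACS Server", ["CWE-306"]),
    Advisory("ADV-EX-03", "Example Imaging Library", ["CWE-787"], third_party=True),
    Advisory("ADV-EX-04", "Example Infusion Pump", ["CWE-798"]),
    Advisory("ADV-EX-05", "Example Wheelchair Controller", ["CWE-306"]),
    Advisory("ADV-EX-06", "Example Sequencer Software", ["CWE-319"], third_party=True),
    Advisory("ADV-EX-07", "Example Patient Monitor", ["CWE-119"]),
    Advisory("ADV-EX-08", "Example Glucose Meter", ["CWE-319", "CWE-798"]),
]


def is_imaging(adv):
    """Imaging bucket: product name mentions a DICOM/PACS/imaging keyword."""
    return any(keyword in adv.product.lower() for keyword in IMAGING_KEYWORDS)


def is_supply_chain(adv):
    """Supply-chain bucket: the advisory is for a third-party component."""
    return adv.third_party


def is_security_debt(adv):
    """Security-debt bucket: at least one CWE is in the assumed debt set."""
    return bool(SECURITY_DEBT_CWES & set(adv.cwes))


def share(advisories, predicate):
    """Percentage of advisories satisfying predicate, rounded to one decimal."""
    if not advisories:
        return 0.0
    matching = sum(1 for adv in advisories if predicate(adv))
    return round(100.0 * matching / len(advisories), 1)


def relative_change(current, baseline):
    """Percent change of a share against its baseline (the 'Delta' style used
    for the imaging trend); None when the baseline is zero."""
    if not baseline:
        return None
    return round(100.0 * (current - baseline) / baseline, 1)


def trend_report(advisories, baseline):
    """Compute current share, baseline, relative change and point change for
    each bucket. baseline maps bucket name to a percentage."""
    predicates = {"imaging": is_imaging,
                  "supply_chain": is_supply_chain,
                  "security_debt": is_security_debt}
    report = {}
    for name, predicate in predicates.items():
        current = share(advisories, predicate)
        report[name] = {
            "current_pct": current,
            "baseline_pct": baseline[name],
            "relative_change_pct": relative_change(current, baseline[name]),
            "point_change": round(current - baseline[name], 1),
        }
    return report


if __name__ == "__main__":
    for bucket, row in trend_report(ADVISORIES_2025, BASELINE_2019_2024).items():
        print(f"{bucket:14s} {row['baseline_pct']:5.1f}% -> {row['current_pct']:5.1f}% "
              f"({row['relative_change_pct']:+.1f}% relative, {row['point_change']:+.1f} points)")
```

The report distinguishes a relative change (the +166% figure for imaging is of this kind) from a change in percentage points (the 55% to 70% comparison for security debt), since the two are easy to confuse when reading trend summaries. An advisory with several CWEs counts once per bucket, so buckets are not mutually exclusive and their shares need not sum to 100%.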
Conclusion
The 2025 ICS-CERT vulnerability reporting data serves as a wake-up call for the healthcare industry. The transition from physical device security to the security of communication software libraries (DICOM/PACS) requires rethinking the approach to secure design. Furthermore, as supply chain vulnerabilities like GDCM show, manufacturers can no longer secure their products in isolation; they must vet the entire ecosystem of third-party libraries that power modern healthcare.