Medical device manufacturers (MDMs) are facing a growing push from both regulators and healthcare providers to strengthen the cybersecurity posture of their products. The RunSafe 2025 Medical Device Cybersecurity Index offers compelling data that underscores a shift in expectations across the industry - one that impacts procurement, market access, and patient care.
Now isn’t the time to panic - but it is the right time to take a closer look.
Dual Pressures Are Changing the Landscape
Regulatory agencies are formalizing their cybersecurity expectations. Hospitals are integrating cybersecurity requirements into procurement processes. The result is a changing environment in which security is no longer a feature - it’s part of the fundamental definition of product quality and readiness.
Highlights from the RunSafe report:
- 46% of healthcare organizations have declined to purchase a medical device due to cybersecurity concerns.
- 83% now include cybersecurity standards in RFPs.
- 78% consider SBOMs essential or important in purchasing decisions.
- 79% are willing to pay more for devices with enhanced security.
The message is clear: security has become a deciding factor in the buying process, and vendors that can demonstrate it gain a competitive differentiator.
Regulations Are Raising the Floor
Recent FDA requirements - Section 524B of the FD&C Act, which applies to "cyber devices" and requires a postmarket vulnerability management plan and an SBOM as part of the submission, and the updated final premarket cybersecurity guidance issued in June 2025 - make cybersecurity documentation a requirement for many devices. Internationally, the EU Cyber Resilience Act and NIS2 Directive are pushing in the same direction, although devices already covered by the EU MDR and IVDR are excluded from the CRA's scope and take their cybersecurity obligations from those regulations instead.
These mandates are moving the industry from optional best practices to required minimum standards, especially for network-capable devices.
Hospitals Are Becoming More Discerning Buyers
Procurement teams are now asking more detailed questions about embedded security features, SBOM generation methods, and how vulnerabilities are tracked and managed over the product lifecycle. According to the report, 60% of healthcare buyers now prioritize built-in cybersecurity when selecting vendors.
This shift doesn’t just reflect regulatory alignment - it reflects hospitals’ experience with real-world disruptions, including patient transfers and ER diversion, delayed procedures, and prolonged device downtime due to cyber incidents. Regrettably, recent cyber incidents have resulted in patient harm, including one death due to delays in care.
A Practical Window for Strategic Investment
The good news? Healthcare buyers understand that strong security comes with costs - and most are willing to invest in it. According to the RunSafe data:
- 41% are willing to pay up to 15% more for devices with stronger security
- 13% would be willing to pay over 15% more
- Only 12% expect advanced protections at no additional cost
This presents an opportunity for medical device manufacturers to prioritize cybersecurity without having to absorb all of the cost. More importantly, it provides a business case for aligning security with product development earlier in the process.
Moving Forward: Practical Steps for MDMs
Now is a good time to reassess your product security plans. Ask:
- Do our cybersecurity controls meet the FDA’s latest expectations?
- Are we managing security risk across the Total Product Lifecycle (TPLC)?
- Do we follow standards-based Secure Development Lifecycle (SDLC) processes?
- Are we providing SBOMs that are accurate and complete?
- Does our testing demonstrate the effectiveness of our security controls?
- Do we have a plan in place for incident response and postmarket vulnerability management?
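To make the SBOM question concrete, here is an added, illustrative check (not code from the RunSafe report or from Medcrypt's tooling) that tests a CycloneDX JSON SBOM against the NTIA minimum elements that FDA's premarket guidance references: supplier, component name, version, unique identifier, dependency relationship, author of the SBOM data, and timestamp. The sample SBOM, its device and its component list are constructed for the example; the field names follow the CycloneDX 1.5 JSON schema.

```python
import json
from dataclasses import dataclass

# Constructed sample SBOM in CycloneDX 1.5 JSON shape. The device and its
# components are hypothetical; two components are deliberately incomplete.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-07-01T12:00:00Z",
    "authors": [{"name": "Device Product Security Team"}],
    "component": {"type": "device", "bom-ref": "dev-1",
                  "name": "ExampleInfusionPump", "version": "3.2.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "openssl", "name": "openssl", "version": "3.0.13",
     "supplier": {"name": "OpenSSL Software Foundation"},
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.3.1"},
    {"type": "operating-system", "bom-ref": "rtos", "name": "vendor-rtos",
     "supplier": {"name": "Example RTOS Vendor"},
     "cpe": "cpe:2.3:o:example:rtos:*:*:*:*:*:*:*:*"}
  ],
  "dependencies": [
    {"ref": "dev-1", "dependsOn": ["openssl", "zlib"]},
    {"ref": "openssl", "dependsOn": ["zlib"]}
  ]
}
"""


@dataclass(frozen=True)
class Finding:
    ref: str      # bom-ref (or name) of the component, or "metadata"
    element: str  # NTIA minimum element that is missing
    detail: str


def check_sbom(sbom: dict) -> list[Finding]:
    """Return one Finding per missing NTIA minimum element; empty list if complete."""
    findings: list[Finding] = []
    meta = sbom.get("metadata", {})

    # Document-level elements: author of the SBOM data and timestamp.
    if not meta.get("timestamp"):
        findings.append(Finding("metadata", "timestamp", "metadata.timestamp is missing"))
    if not (meta.get("authors") or meta.get("tools")):
        findings.append(Finding("metadata", "author", "no metadata.authors or metadata.tools"))

    # Component-level elements: supplier, name, version, unique identifier.
    root = meta.get("component", {}).get("bom-ref")
    known_refs = {root} if root else set()
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("name") or "<unnamed>"
        known_refs.add(ref)
        if not c.get("name"):
            findings.append(Finding(ref, "component name", "name is missing"))
        if not c.get("version"):
            findings.append(Finding(ref, "version", "version is missing"))
        if not (c.get("supplier") or {}).get("name"):
            findings.append(Finding(ref, "supplier", "supplier.name is missing"))
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(Finding(ref, "unique identifier", "no purl, cpe or swid"))

    # Dependency relationship: every component must appear in the graph,
    # and the graph must not point at bom-refs that are not declared.
    in_graph: set = set()
    for d in sbom.get("dependencies", []):
        in_graph.add(d.get("ref"))
        in_graph.update(d.get("dependsOn", []))
    for ref in sorted(known_refs - in_graph):
        findings.append(Finding(ref, "dependency relationship", "not in dependencies graph"))
    for ref in sorted(in_graph - known_refs):
        findings.append(Finding(ref, "dependency relationship", "graph references an undeclared bom-ref"))
    return findings


def is_complete(sbom: dict) -> bool:
    return not check_sbom(sbom)


def load_and_check(text: str) -> list[Finding]:
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for f in load_and_check(SAMPLE_SBOM_JSON):
        print(f"{f.ref:10} missing {f.element}: {f.detail}")
```

Run against the sample, the check reports four gaps: zlib has no supplier and no identifier, and the RTOS has no version and is absent from the dependency graph. A check like this belongs in the build pipeline that emits the SBOM, so an incomplete document fails the build rather than reaching a hospital's procurement team.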
At Medcrypt, we support manufacturers in strengthening their security posture while navigating regulatory complexity. From SBOM generation and crypto strategy to regulator strategy and FDA submission readiness, we’re here to help you take the next step.
Cybersecurity doesn’t need to be overwhelming. But it does need to be built in.
Let’s talk about how to make that happen.