Who’s to Blame When Hackers Strike? Untangling Cybersecurity Accountability in a Connected World

Topics:
Healthcare Cybersecurity
Industry Innovation
Thought leadership
Mike Kijewski

December 10, 2025

As Congress continues to hold hearings on cybersecurity accountability, a familiar question has reignited: when a breach happens, who is actually responsible? Whether it’s a flawed software update, a ransomware attack on healthcare institutions, or a supply‑chain compromise via a third party, responsibility is difficult to assign. As more industries embrace connected, cloud‑enabled technologies, that question becomes essential, not just for resilience but for risk ownership and the consequences that follow.

In healthcare, complexity is magnified because system failures can directly affect patient outcomes. In June last year, a ransomware attack against Synnovis, a pathology services provider for London’s NHS trusts, disrupted blood testing across hospitals and GP surgeries. The fallout, including more than 10,000 canceled appointments and patient harm in roughly 170 cases, plus one death where the cyber incident was a contributing factor, shows how attacks on healthcare infrastructure translate into patient harm and raise urgent questions about cybersecurity accountability.

At Medcrypt, we see this complexity firsthand. Medical device manufacturers (MDMs), healthcare delivery organizations (HDOs), and service providers all share responsibility, but their approaches differ widely in execution and efficacy.

Why the “Shared Responsibility” Model Needs More Structure

In cybersecurity, the idea of "shared responsibility" is widely accepted: manufacturers, integrators, and end users each have a role in keeping systems secure. Yet when incidents occur, that responsibility feels less shared and more like a legal gray area. Without a clearly defined plan, the burden often falls on whoever acts first or has the stronger legal posture, not on the party best positioned to resolve the issue or most responsible for causing it.

Sometimes the answer is obvious. A manufacturer that ships a device with a known critical vulnerability is accountable. When a hospital keeps an end‑of‑support device on its network, responsibility shifts to the operator. But most real‑world situations lie between those extremes. Devices secure at launch may become vulnerable after missed patches or undocumented configuration changes.

The problem isn’t the concept of shared responsibility itself, but that it’s rarely backed by clear frameworks or contracts defining who owns which tasks. Without that clarity, it’s hard to put the principle into practice, especially in critical environments like healthcare.

The Legacy Device Dilemma

The FDA has been moving the healthcare community toward formal cybersecurity requirements. The 2025 Cybersecurity Premarket Guidance now incorporates the requirements of Section 524B of the FD&C Act. But these rules mostly cover new devices, not the legacy equipment many hospitals will keep in service for years.

Hospitals routinely run devices installed 15–20 years ago. They still perform their clinical function but are no longer supported and usually lack basic protections such as encryption or patch management. They remain in use because hospitals depend on them, and no formal mandates or funding programs exist to replace or secure them; the oft‑suggested “cash for clunkers” program in healthcare has never materialized.

This creates serious risk and raises questions. Should medical devices have expiration dates like drugs? Should reimbursement systems cover security upgrades? Until we tackle these issues, legacy devices will remain a liability.

New Business Models, New Risks

Business models are changing, too. More hospitals are leasing expensive medical equipment instead of buying it outright. This is common for complex devices like robotic surgical systems or AI-powered imaging tools, often supplemented by value-added cloud services provided by the manufacturer.

In these setups, manufacturers retain ownership, maintain remote access, and control software updates. That can improve service and efficiency but also introduces fresh cyber‑risks:

  • Remote access ports can be exploited if not properly secured
  • Software update mechanisms can be targeted to deliver malicious code
  • Monitoring systems may expose sensitive operational or clinical data if not isolated effectively

Manufacturers must therefore take ongoing security responsibility, integrating cybersecurity throughout the product lifecycle, including update pipelines, telemetry, and support infrastructure. This requires coordination across R&D, IT, quality, and customer service.

Cross-Industry Lessons in Cybersecurity

Healthcare is a uniquely complex and heavily regulated industry, particularly when it comes to cybersecurity, yet other sectors adopting connected devices can still learn from its wins and failures.

Take the SamSam ransomware attacks, for example, which hit multiple healthcare organizations. Attackers gained access through remote access portals, often using stolen vendor credentials, then encrypted not only active systems but also corrupted backup data, leaving hospitals without a recovery path and forcing some to pay ransoms. The attacks exposed how unclear ownership of risk across vendors, IT providers, and operators can leave critical vulnerabilities unaddressed until it’s too late.

Industries like manufacturing, transportation, energy, and retail face similar risks as they rely more on third-party services and connected systems. From healthcare’s experience, these sectors can take away a few key lessons:

  • Establish internal processes to review the security of connected products
  • Proactively define roles and expectations in vendor-customer relationships
  • Embed security expectations into service contracts and procurement criteria
  • Evaluate how new risks are introduced by as-a-service delivery models

At the same time, healthcare can continue to look to other industries for models that can be adapted to its own unique constraints, especially in areas like risk ownership, third-party management, and modernization.

Steps Toward a More Accountable Ecosystem

A more secure future won’t come from better firewalls alone. It requires clearer rules, tighter contracts, smarter collaboration, and a “shift left” of security from the network to the device. Even if that raises upfront costs, it lowers lifetime risk and total security spend.

That starts with:

  • Clarity on who owns risk, especially with complex distributed technologies and legacy tech.
  • Tighter contracts that spell out security-related responsibilities.
  • Shared maintenance standards for connected products.

From a business standpoint, proactive security pays off. Organizations that define accountability early can respond faster, cut downtime, and limit reputational damage.

Three things every security leader should do today:

  1. Map accountability across the product lifecycle, from design to decommission.
  2. Treat cybersecurity as a revenue protector, not just an IT function.
  3. Pressure-test vendor agreements to ensure they reflect shared realities.

In a connected world, resilience starts with responsibility. And if we don’t define it now, hackers will define it for us.
