Cybersecurity Due Diligence for Connected Medical Devices

April 29, 2026 · 1 min read · AI-generated

What hospital CIOs and biomed teams need to evaluate before a connected device touches your network — and long after it does.

Why this matters

In May 2017, the WannaCry ransomware worm swept through health systems across the globe without targeting any of them specifically; it simply spread to whatever unpatched Windows hosts it could reach. The UK's National Health Service bore the worst of it: roughly 19,000 appointments were cancelled, several accident and emergency departments diverted ambulances, and the Department of Health later put the total cost to the NHS at an estimated £92 million. Many of the devices that went offline (imaging systems, diagnostic workstations, infusion pump management platforms) were running operating system versions that had fallen out of vendor support years earlier, so no routine patch was on offer for them. Hospital IT teams had no realistic remediation path beyond physically disconnecting them from the network.

That incident is now nearly nine years old, but the structural conditions that made it possible have not gone away. A typical large hospital network carries thousands of connected medical devices: infusion pumps, ventilators, patient monitors, PACS workstations, CT and MRI systems. Unlike enterprise laptops, which are replaced on three- to four-year cycles, a diagnostic imaging system may sit on your network for twelve to fifteen years, long after the operating system it shipped with has left vendor support. Each year of that lifespan without active software maintenance is a year of accumulating, unaddressed vulnerabilities, and a device that cannot be patched has to be protected by network isolation and other compensating controls instead.

The regulatory landscape shifted materially in 2023. The Consolidated Appropriations Act, 2023 (signed into law in December 2022) added Section 524B to the Federal Food, Drug, and Cosmetic Act, giving the FDA statutory authority to require that premarket submissions for "cyber devices" include a Software Bill of Materials (SBOM) covering commercial, open-source and off-the-shelf components, a plan to monitor, identify and address post-market vulnerabilities (including coordinated vulnerability disclosure), and processes for making security updates and patches available (S1). The requirement applies to submissions made from March 29, 2023 onward; it does not reach back to devices already installed. For procurement teams, this changes what you

MedSource publishes neutral guidance. We do not accept payment from vendors to influence the content of articles. AI-generated articles are reviewed for factual accuracy but cited sources should be the primary reference for procurement decisions.