CyberMed
ServicesSoftware DHFCyberSprintEventsResourcesAboutContactGet The Guide
← Back to resources

The 5 Riskiest Medical Devices in 2026, According to New Research

March 24, 2026CyberMed

Forescout just published its 2026 Riskiest Devices report, and for anyone working in medical device security, the IoMT section is worth reading carefully.

The 5 Riskiest Medical Devices in 2026, According to New Research

Forescout just published its 2026 Riskiest Devices report, and for anyone working in medical device security, the IoMT section is worth reading carefully.

The report maps risk across IT, IoT, OT, and IoMT environments. This year, 11 new asset types entered the riskiest list (the second-largest year-over-year increase on record). In the IoMT category, the top five riskiest device types for 2026 are:

  1. Medication dispensing systems
  2. Medical image printers
  3. DICOM gateways
  4. MRI scanners
  5. Healthcare workstations

These aren't obscure edge cases. They're the equipment in virtually every hospital and clinical environment. And most of them share the same core problem: they connect to hospital networks, they run software that doesn't get updated regularly, and they weren't designed with modern threat models in mind.

What "Riskiest" Actually Means

Forescout's risk scoring combines vulnerability exposure, exploitability, and the criticality of the asset. A device ranked high has vulnerabilities that are actively exploited, hard to patch, and that, if compromised, would have serious downstream consequences.

For medication dispensing systems, that consequence is direct patient harm. For DICOM gateways, it's exposure of imaging data and potential manipulation of diagnostic workflows. For MRI scanners, it's both.

This matters for two reasons. First, many manufacturers of these devices are still building FDA cybersecurity documentation to the premarket submission standard, which is about proving the device is secure before it ships. That's necessary. It's also not the whole picture.

Second, FDA's updated 2026 cybersecurity guidance now expects lifecycle risk management, going beyond point-in-time submission readiness. The requirement for post-market vulnerability monitoring and patching plans is no longer theoretical. The Forescout data is exactly the kind of threat intelligence those plans need to account for.

The Stryker Attack Made the Same Point

Last week, Stryker confirmed it had contained a cyberattack that shut down order processing, manufacturing, and shipping for nearly two weeks. The attack came from an Iran-linked group that abused Microsoft Intune (endpoint management) to push a wiper to enrolled devices. The attack vector was infrastructure, not the devices themselves.

The Forescout data and the Stryker attack are pointing at the same gap: device manufacturers are getting better at submission-level cybersecurity documentation. What's lagging is operational resilience: the security posture of the systems, networks, and infrastructure around the devices.

FDA's 524B requirements cover the product. The environment the product operates in is a separate question, and that's where real-world attacks are landing.

What Manufacturers Should Be Asking

If you make any of the device types in Forescout's top five, or if your products connect to hospital networks that include them, a few questions worth pressure-testing:

  • Does your threat model include the network environment your device operates in, beyond the device itself?
  • Do you have a post-market vulnerability monitoring process that accounts for third-party components alongside your own code?
  • Is your SBOM complete enough to know which of Forescout's known CVEs apply to your bill of materials?
  • Does your cybersecurity documentation address wiper-attack threat scenarios alongside ransomware?

The FDA's updated guidance requires a Security Risk Management Report and detailed architecture views specifically to support exploitability assessment. The Forescout data is, in effect, exactly the kind of threat intelligence that report should be built from.

The Practical Step

If your cybersecurity program was built around the 2023 version of FDA's guidance, it's worth an honest gap assessment against the 2026 update. The structural changes are significant: SBOM requirements are stricter, QMS integration is now required, and the lifecycle monitoring expectation is explicit.

CyberMed offers a free Cybersecurity Readiness Assessment that walks through your current posture against the updated FDA requirements. It takes about 10 minutes and produces a prioritized gap report.

The Forescout research isn't meant to scare anyone. It's meant to focus attention on where the real risk is, which is exactly what good cybersecurity programs are designed to do.

Source: Forescout 2026 Riskiest Devices Report (published March 2026). Stryker cyberattack details sourced from public disclosures and CISA advisory.