New Standards Aim to Protect Medical Patients from the ‘Internet of Things’

Foundation for Defense of Democracies · June 22, 2026

The National Institute of Standards and Technology (NIST) is developing specialized cybersecurity guidance to secure the integration of medical devices within clinical environments. This initiative marks a shift from generic IT standards toward more specific risk assessments for Internet of Things (IoT) devices, such as wearable monitors and sensors, which are increasingly vital to hospital operations. By addressing the unique vulnerabilities of connected medical systems, the new standards aim to mitigate the rising threat of ransomware and data breaches that jeopardize patient safety and healthcare infrastructure.

NIST’s latest initiative focuses on creating tailored cybersecurity frameworks for connected medical devices, moving away from legacy IT standards that often failed to address the specific needs of non-IT clinical products. This effort is part of a broader NIST strategy to refine guidance for the Internet of Things (IoT), specifically targeting objects with embedded technology that allow information exchange across networks, such as wearable health monitors and sensors. As hospitals increasingly rely on these digitally connected systems to manage patient records, medication histories, and resource transport, the need for specific security protocols has become critical to maintaining operational continuity amidst healthcare workforce shortages.

The urgency for these standards is underscored by a reported 30 percent increase in healthcare-related ransomware attacks in 2025. High-profile incidents, such as the February 2026 attack on the University of Mississippi Medical Center, have demonstrated how IoT vulnerabilities can lead to clinic closures and dangerous delays in chemotherapy treatments. Malicious actors often target legacy operating systems within medical imaging systems, as seen in the February 2023 Lehigh Valley Health Network breach. These attacks exploit IoT devices as entry points to disrupt entire care networks, forcing staff to resort to manual paper documentation and putting patient lives at risk.

Beyond general cybercrime, the sector faces national security challenges from Chinese-manufactured healthcare technology. U.S. government warnings have highlighted that certain Chinese-made patient monitors contain embedded backdoors capable of sending sensitive data to overseas locations or allowing attackers to alter patient data used for clinical decisions. In response, federal agencies are tightening oversight; the Food and Drug Administration (FDA) finalized medical device security guidance in June 2025, while the Department of Commerce’s Bureau of Industry and Security (BIS) launched an investigation into the security implications of imported equipment in late 2025. Experts suggest that Congress should leverage NIST’s research to prohibit the procurement of risky devices from adversarial nations to protect the American healthcare ecosystem.

Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to Foundation for Defense of Democracies.