Wearable medical devices are becoming increasingly common in everyday life, and so is the reliance on them, on the data they generate, and on the resulting treatment plans. However, recent events in the supply chains of other devices have shown the catastrophic outcomes that manipulating them can have. In this article we showcase the importance of supply chain cybersecurity for medical devices and describe measures that can mitigate these risks.
Fiction can spark awareness, but real-world vulnerabilities are increasingly well-documented. In medical device cybersecurity, fiction and reality influence each other continually. For instance, in the 2012 ‘Broken Hearts’ episode of the hit American TV show “Homeland”, the Vice President is murdered through remote access to his implantable cardioverter-defibrillator (ICD), which is programmed to deliver a fatal electric shock1,2. Feasible? Just about. In the real world, the first peer-reviewed report of cybersecurity vulnerabilities in ICDs was published in 20083, but the demonstrated attacks relate to data privacy and integrity, not to lethal shock delivery. The TV episode nonetheless inspired a real-world ethical hacker, who recreated the attack4. Our market surveillance reveals a worrying wave of similar fatalities, all of which, it must be noted, are fictional.
In a twist inspired by both fact and fiction, in 2016 a cybersecurity research firm and a ‘due diligence-based investment firm’ (sometimes known as a ‘short seller firm’) published a report showing that cardiac implantable electronic devices from a major manufacturer were vulnerable to ‘battery drain’ and ‘crash’ attacks5, including through a universal code that could allow hackers to control the implants5. Even though an independent cybersecurity research firm was not able to reproduce clinically significant attacks6, the report resulted in a substantial fall in the stock price of the manufacturer, Abbott Laboratories (formerly St. Jude Medical Inc.). Cybersecurity was addressed by a US Congressional committee7, the FDA acknowledged that some of the devices could be hacked8,9, and the first ever recall related to cybersecurity followed, affecting 500,000 devices5,10. A firmware upgrade was announced that was not without risk10,11. Similar vulnerabilities have been shown in insulin pumps12,13,14 and many other safety-critical devices, but the story is not new, and cybersecurity is known to be a never-ending war of attrition between technology developers and network administrators on one side and hackers on the other. Although this is an interesting news story, these are largely the headlines of a decade ago: what happens next?
As the internet of medical things grows and develops, its character has changed
In the decade since the described ICD cybersecurity vulnerabilities were revealed, an ecosystem of Remote Patient Monitoring (RPM) has emerged, including Hospital-at-Home approaches15 that leverage wearables and IoMT devices, and healthcare is beginning to shift from a facility-based model to a patient-home-centered approach16. From connected pulse oximeters to smart insulin pumps, IoMT devices are becoming the digital backbone of modern care, enabling continuous data collection, real-time analytics, and automated intervention. Recognizing the importance of this transformation, the FDA has launched its Health Care at Home Initiative17,18, an ambitious effort to ensure that at-home medical technology is seamlessly integrated into a secure, patient-friendly ecosystem. During this decade, the nature of IoMT devices themselves has changed greatly. In 2015 the IoMT was dominated by expensive implanted devices, manufactured largely by leading US and European corporations using specifically designed and self-developed platform architectures19, e.g. with early connected implants having proprietary bedside transmitters that sent data via phone line or network20. By 2025, IoMT devices are becoming dominated by relatively cheap, Chinese-manufactured, disposable or short-lifetime Bluetooth devices, with platform architectures that overlap with consumer electronics21.
The plot takes a turn, and the supply chain becomes a serious geopolitical concern
Recent incidents underscore real-world vulnerabilities within global supply chains, including examples of devices compromised during manufacturing to cause intentional harm22,23. These incidents showcased the security vulnerabilities of the supply chain and the dramatic effect of its successful infiltration.
Prior to such events, cybersecurity concerns had been dominated by software vulnerabilities24, and where hardware concerns were raised, these were dominated by concerns over the supply chain of the critical core internet architecture and the potential for malign foreign powers to insert backdoors. The nature of the highly targeted on-person attacks drew attention to the possibility of supply chain cybersecurity vulnerabilities in the everyday devices that have become commonplace in all our homes and pockets. Concerns were recently voiced in the UK parliament, with warnings that Chinese-manufactured components in smart devices could serve as undetected entry points for sabotage and cyberattacks25.
Hardware exploits in critical systems show that our hardware really is spying on us
As the nature of medical devices and their supply chains changes, so does the nature of cybersecurity vulnerabilities. In early 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) released a notice of the vulnerability designated CVE-2024-12248 (ref. 26). This vulnerability affects the Contec CMS8000 patient monitor, a device used in hospitals to monitor a patient’s vital parameters. Contec Medical Systems is a global medical device and healthcare solutions company headquartered in China, and its medical equipment is used in hospitals, clinics, and home healthcare environments in the EU and the US27. Alarmingly, the vulnerability has been classified as a ‘backdoor’ that allows what is known as remote code execution, even though there has been no attribution of malicious intent27,28. This enables complete manipulation of the device by a remote actor, and possibly also control of or influence over other devices on the network. Considering the patient monitor’s use case, either in a hospital or in a Hospital-at-Home setting, successful exploitation of this backdoor could lead to catastrophic outcomes for a patient, from suppressing alarms in an emergency to actively manipulating the data so that an emergency is never detected in the first place29.
The security challenges in medical device supply chains
The uptake and success of remote patient monitoring and the Hospital-at-Home model rely on an increasingly complex ecosystem of connected medical devices. Whether provided as part of an integrated suite or incorporated through a “bring your own device” (BYOD) model30,31, these platforms depend on a global supply chain that spans multiple manufacturers, component suppliers, and software vendors30. This interdependence introduces inherent security risks, many of which remain poorly understood or inadequately addressed.
What makes these vulnerabilities so difficult to mitigate is the complexity and opacity of modern supply chains. A single medical device may contain hundreds of components, sourced from dozens of suppliers across different countries. In many cases, original equipment manufacturers rely on third-party suppliers for microchips, memory modules, and wireless communication components—many of which pass through little or no security verification before being integrated into finished medical devices.
This creates an environment where backdoors, whether arising from design flaws or from intentional security weaknesses, can be introduced at any stage, often without the knowledge of the device manufacturers themselves. The result is an invisible attack surface, one that remains embedded within critical healthcare infrastructure long before the first vulnerability is ever detected. As the described cases demonstrate, hardware supply chain compromises in devices are not hypothetical; they are already happening.
Regulating to secure the IoMT supply chain
The vulnerabilities in medical hardware, whether pre-installed backdoors, compromised firmware, or supply chain infiltration, highlight the urgent need for stronger cybersecurity measures in the IoMT. The EU’s Cyber Resilience Act32 introduces mandatory cybersecurity requirements for digital products. It enforces security throughout a device’s lifecycle, supply chain controls, and long-term security updates, but does not apply to medical devices. For medical devices, the Medical Device Regulation (MDR)33 imposes similar, albeit less explicit, requirements34. In the US, the Federal Food, Drug, and Cosmetic Act (FD&C Act)35 defines high-level cybersecurity requirements, such as monitoring and addressing postmarket vulnerabilities and providing a software bill of materials (SBOM)36.
Technical advancements to secure the IoMT supply chain
Beyond regulation, technical safeguards are critical (Fig. 1). A secure foundation can be laid during the first stages of manufacturing through an approach known as a Root of Trust. Here, hardware supply chain security is anchored by embedding a secure chip, such as an eSIM or a Trusted Platform Module (TPM), which is soldered onto the device’s circuit board. This protects devices by preventing unauthorized software changes through cryptographic checks. An eSIM provides secure storage of cryptographic credentials, primarily used for authenticating a device within a cellular or network environment, and facilitates secure cryptographic operations related to identity verification. However, it does not directly ensure system software integrity. In contrast, a TPM is specifically designed to enhance device integrity. TPMs enable devices to securely store cryptographic keys and perform integrity checks by recording cryptographic hashes (measurements) of each component loaded during the boot process. By securely reporting these measurements after boot, TPMs allow systems to attest remotely that they are running only authorized and correctly signed software. Improving visibility into the device supply chain by using systems that track individual components and automatically detect risks is also critical.
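As an added illustration (not part of the original article or of any vendor's TPM implementation) of the measured-boot and remote-attestation mechanism just described, the following Python simulates PCR extension on the device and a verifier that replays the event log against known-good measurements. The component images, the attestation key and the use of an HMAC in place of a TPM's asymmetric quote signature are all constructed simplifications.

```python
"""Simulated TPM-style measured boot and remote attestation (stdlib only).
Each boot component is hashed and the hash is folded ('extended') into a
Platform Configuration Register (PCR), so the final value depends on every
component and on their order. A verifier replays the event log against
known-good measurements. An HMAC stands in for the TPM's asymmetric signature."""
import hashlib
import hmac
from dataclasses import dataclass, field

PCR_INITIAL = bytes(32)  # PCRs start zeroed at platform reset

def measure(component: bytes) -> bytes:
    """Digest of a boot component (bootloader image, kernel, application)."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_pcr = SHA-256(old_pcr || digest); not commutative."""
    return hashlib.sha256(pcr + digest).digest()

@dataclass
class Device:
    """Simulated patient monitor: boot chain plus a per-device attestation key."""
    ak: bytes                      # attestation key provisioned at manufacture
    components: dict               # name -> image bytes, in boot order
    event_log: list = field(default_factory=list)
    pcr: bytes = PCR_INITIAL

    def boot(self) -> None:
        self.pcr, self.event_log = PCR_INITIAL, []
        for name, image in self.components.items():
            digest = measure(image)
            self.event_log.append((name, digest))
            self.pcr = extend(self.pcr, digest)

    def quote(self, nonce: bytes) -> dict:
        """Signed report of PCR state; binding the verifier's nonce defeats replay."""
        sig = hmac.new(self.ak, nonce + self.pcr, hashlib.sha256).digest()
        return {"pcr": self.pcr, "log": list(self.event_log), "sig": sig}

def verify_quote(quote: dict, ak: bytes, nonce: bytes, golden: dict) -> tuple:
    """Verifier side; returns (ok, reason). golden maps component name to the
    expected digest taken from the manufacturer's release manifest."""
    expected = hmac.new(ak, nonce + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "quote signature invalid"      # forged, or replayed old nonce
    replayed = PCR_INITIAL
    for _, digest in quote["log"]:                   # log must reproduce the PCR
        replayed = extend(replayed, digest)
    if replayed != quote["pcr"]:
        return False, "event log does not reproduce PCR"
    for name, digest in quote["log"]:                # every measurement known-good
        if golden.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    if set(golden) - {name for name, _ in quote["log"]}:
        return False, "component missing from boot chain"
    return True, "attested"

# Constructed sample data: the images are stand-in byte strings, not real firmware.
AK = b"constructed-per-device-attestation-key"
RELEASE = {
    "bootloader": b"bootloader 1.2 (constructed image)",
    "kernel": b"kernel 5.10 (constructed image)",
    "monitor_app": b"vitals monitor 3.4 (constructed image)",
}
GOLDEN = {name: measure(img) for name, img in RELEASE.items()}

def attest(components: dict, nonce: bytes = b"fresh-nonce-0001") -> tuple:
    """Boot a device from the given images and verify its quote against GOLDEN."""
    dev = Device(ak=AK, components=components)
    dev.boot()
    return verify_quote(dev.quote(nonce), AK, nonce, GOLDEN)
```

Calling attest(RELEASE) yields (True, 'attested'); passing a copy of RELEASE with one image altered or one component omitted makes the verifier return the corresponding rejection reason.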
A secure software architecture can be facilitated through the concept of “Secure by Design”. In this approach, software subsystems are isolated according to the “Principle of Least Authority” to reduce the impact of vulnerabilities37. For example, software managing patient data should not have unnecessary permissions, such as controlling network settings, to minimize harm if compromised.
Modular chips, called chiplets, can achieve similar isolation among components from different suppliers at the hardware level. Employing these security best practices in design and implementation, along with formal verification methods for security-critical components, is paramount.
Once deployed in a hospital or the Hospital-at-Home (HaH) setting, security can be further increased by adopting Zero Trust security models38, where devices and users are continuously authenticated and network access is segmented. In short, a holistic security architecture needs to be applied across the development and life cycle of an IoMT product.
Summary
IoMT medical devices of a decade ago, largely manufactured in the US and the EU, had vulnerabilities related to naive design and the lack of consideration of the potential for malicious actors to target patients. There is now a clear and present danger of profit-motivated or malicious cybersecurity attacks on EU and US healthcare systems39. Although personally targeted malicious or profit-motivated attacks on individuals are not common, modern IoMT supply chains have weaknesses that can enable such attacks. One aspect of these risks is accidental or intentional supply chain weaknesses or attacks, including the inclusion of backdoors in hardware. In response to geopolitical risks, the EU and US are investing in semiconductor independence and tightening procurement policies to reduce reliance on high-risk vendors. As IoMT adoption accelerates, ensuring security requires both regulatory enforcement and proactive industry safeguards. In the EU, the MDR33 and the Cyber Resilience Act32 provide a foundation, as does the FD&C Act35 in the US. However, manufacturers and healthcare providers must act now to protect hardware, firmware, and network integrity before vulnerabilities become active threats.
Thus, manufacturers must proactively embed robust security measures, such as Roots of Trust and Zero Trust architectures, from the earliest stages of medical device manufacturing to protect against invisible threats hidden deep within the complex global supply chains, while regulators must urgently expand and clarify cybersecurity requirements in medical device regulations to enforce transparent, comprehensive security standards34 (Table 1).
Data availability
No datasets were generated or analysed during the current study.
References
Broken Hearts. Homeland (2013).
Laca, A. Barnaby Jack and the Death of Vice President Walden. Adapture https://adapture.com/technology-in-the-data-center-from-the-visionary-solutions-architects-at-adapture-homeland-fact-vs-fiction-barnaby-jack/ (2013).
Halperin, D. et al. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. in 2008 IEEE Symposium on Security and Privacy (sp 2008) 129–142 (2008). https://doi.org/10.1109/SP.2008.31.
Vallance, C. Could hackers break my heart via my pacemaker? BBC News https://www.bbc.com/news/technology-34899713 (2015).
Larson, S. FDA confirms that St. Jude’s cardiac devices can be hacked. CNNMoney https://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/index.html (2017).
Alexander, B. & Baranchuk, A. Cybersecurity and cardiac implantable electronic devices. Nat. Rev. Cardiol. 17, 315–317 (2020).
Fu, K. Infrastructure Disruption: Internet of Things Security. Testimony before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Communications and Technology and Subcommittee on Commerce, Manufacturing, and Trade https://docs.house.gov/meetings/IF/IF17/20161116/105418/HHRG-114-IF17-Wstate-FuK-20161116.pdf (2016).
Finkle, J. Hired experts back claims St. Jude heart devices can be hacked. Reuters https://www.reuters.com/article/technology/hired-experts-back-claims-st-jude-heart-devices-can-be-hacked-idUSKCN12O1ZF/ (2016).
Alder, S. FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked. The HIPAA Journal https://www.hipaajournal.com/fda-confirms-muddy-waters-claims-st-jude-medical/ (2017).
Kramer, D. B. & Fu, K. Cybersecurity concerns and medical devices: lessons from a pacemaker advisory. JAMA 318, 2077–2078 (2017).
Baranchuk, A. et al. Pacemaker Cybersecurity. Circulation 138, 1272–1273 (2018).
Codeso, N. Healthcare IT: When TV drama meets real-life medical device security. Cisco Blogs https://blogs.cisco.com/healthcare/healthcare-it-when-tv-drama-meets-real-life-medical-device-security (2019).
Hern, A. Hackable implanted medical devices could cause deaths, researchers say. The Guardian https://www.theguardian.com/technology/2018/aug/09/implanted-medical-devices-hacking-risks-medtronic (2018).
Sarvestani, A. Medical device hacking expert dies before releasing pacemaker exploit. MassDevice https://www.massdevice.com/medical-device-hacking-expert-dies-releasing-pacemaker-exploit/ (n.d.).
Pandit, J. A., Pawelek, J. B., Leff, B. & Topol, E. J. The hospital at home in the USA: current status and future prospects. Npj Digit. Med. 7, 1–7 (2024).
Bestsennyy, O., Chmielewski, M., Koffel, A. & Shah, A. From facility to home: How healthcare could shift by 2025 | McKinsey. https://www.mckinsey.com/industries/healthcare/our-insights/from-facility-to-home-how-healthcare-could-shift-by-2025.
Brückner, S., Brightwell, C. & Gilbert, S. FDA launches health care at home initiative to drive equity in digital medical care. Npj Digit. Med. 7, 1–3 (2024).
U.S. Food & Drug Administration. Home as a Health Care Hub. FDA https://www.fda.gov/medical-devices/home-health-and-consumer-devices/home-health-care-hub (2025).
Medical Implants in the US (Orthopedic, Cardiac & Other), 6th Edition—Market Size, Market Share, Market Leaders, Demand Forecast, Sales, Company Profiles, Market Research, Industry Trends and Companies—The Freedonia Group. https://www.freedoniagroup.com/industry-study/medical-implants-in-the-us-orthopedic-cardiac-other-6th-edition-3465.htm?ReferrerId=FG-01&studyid=2852.
Tarakji, K. G. et al. Performance of first pacemaker to use smart device app for remote monitoring. Heart Rhythm O2 2, 463–471 (2021).
Assessing the risk from Chinese-manufactured IoT-connected healthcare devices. Pamir Consulting https://pamirllc.com/blog/assessing-the-risk-from-chinese-manufactured-iot-connected-healthcare-devices.
Berg, R. Ex-Israeli agents reveal how Hezbollah pager attacks were carried out. https://www.bbc.com/news/articles/cwy3l02wxqdo (2024).
Murphy, M. & Tidy, J. Hezbollah pagers and walkie-talkies: How did they explode and who did it? https://www.bbc.com/news/articles/cz04m913m49o (2024).
The 21st-century evolution of cyber security. https://www.icaew.com/insights/viewpoints-on-the-news/2023/oct-2023/the-21stcentury-evolution-of-cyber-security.
Fisher, L. Chinese components in ‘smart’ devices pose sabotage threat to UK, MP warns. Financial Times (2025).
National Institute of Standards and Technology. NVD - CVE-2024-12248. https://nvd.nist.gov/vuln/detail/CVE-2024-12248.
Cybersecurity & Infrastructure Security Agency. Contec CMS8000 Contains a Backdoor | CISA. https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor (2025).
U.S. Food & Drug Administration. Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication. FDA (2025).
Ostermann, M., Freyer, O., Jahed, F., Rosenzweig, C. & Gilbert, S. Cybersecurity in the hospital at home: assessment of patient risks when using IoMT devices. Preprint at https://doi.org/10.5281/zenodo.14545326 (2024).
Mathias, R., McCulloch, P., Chalkidou, A. & Gilbert, S. How can regulation and reimbursement better accommodate flexible suites of digital health technologies? Npj Digit. Med. 7, 1–3 (2024).
Demanuele, C. et al. Considerations for conducting bring your own “device” (BYOD) clinical studies. Digit. Biomark. 6, 47–60 (2022).
European Parliament & European Council. Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance).
European Parliament & European Council. Regulation—2017/745—EN—Medical Device Regulation—EUR-Lex. https://eur-lex.europa.eu/eli/reg/2017/745/oj/eng.
Ostermann, M., Gilbert, S. & Freyer, O. Cybersecurity requirements for medical devices in the EU and US—a comparison and gap analysis. Preprint at https://doi.org/10.5281/zenodo.14583012 (2024).
U.S. Food & Drug Administration, Office of the Commissioner. Federal Food, Drug, and Cosmetic Act (FD&C Act). FDA https://www.fda.gov/regulatory-information/laws-enforced-fda/federal-food-drug-and-cosmetic-act-fdc-act (2018).
Freyer, O. et al. Consideration of Cybersecurity Risks in the Benefit-Risk Analysis of Medical Devices: Scoping Review. J. Med. Internet Res. 26, e65528 (2024).
Biggs, S., Lee, D. & Heiser, G. The Jury Is In: Monolithic OS Design Is Flawed: Microkernel-based Designs Improve Security. in Proceedings of the 9th Asia-Pacific Workshop on Systems 1–7 (Association for Computing Machinery, New York, NY, USA, 2018). https://doi.org/10.1145/3265723.3265733.
Rose, S., Borchert, O., Mitchell, S. & Connelly, S. Zero Trust Architecture. https://csrc.nist.gov/pubs/sp/800/207/final (2020) https://doi.org/10.6028/NIST.SP.800-207.
ENISA. Enisa threat landscape: health sector. https://www.enisa.europa.eu/publications/health-threat-landscape (2024).
Acknowledgements
This work was supported by the European Commission under the Horizon Europe program as part of the Enhanced cybersecurity for networked medical devices through optimisation of guidelines, standards, risk management, and security by design (CYMEDSEC) project (grant 101094218). The views and opinions expressed are those of the authors only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authorities can be held responsible for them. Responsibility for the information and views expressed herein lies entirely with the authors. This work was supported by the German Federal Ministry of Education and Research (BMBF) as part of the “Zukunftscluster SEMECO” (03ZU1210BA). During the preparation of this work, the authors used DeepL (DeepL SE), Grammarly (Grammarly, Inc.), and ChatGPT (in versions GPT-3.5, GPT-4, and GPT-4o; OpenAI, Inc.) to improve the grammar, spelling, and readability of the manuscript. After using these tools and services, the authors reviewed and edited the content as needed and take full responsibility for the content of the publication.
Author information
Contributions
M.O., O.F., C.W., K.M. and S.G. developed the concept of the manuscript. M.O. and S.G. wrote the first draft of the manuscript. M.O., O.F., C.W., K.M. and S.G. contributed to the writing, interpretation of the content, and editing of the manuscript, revising it critically for important intellectual content. M.O., O.F., C.W., K.M. and S.G. have read and approved the completed version. M.O., O.F., C.W., K.M. and S.G. take accountability for all aspects of the work in ensuring that questions related to the accuracy or integrity of any part of the work are appropriately investigated and resolved.
Ethics declarations
Competing interests
M.O. declares no nonfinancial interests and no competing financial interests. O.F. has a leadership role and holds stock in WhalesDontFly GmbH, and has had consulting relationships with Prova Health Ltd. C.W. declares no nonfinancial interests and no competing financial interests. K.M. declares the following competing financial interests: he is an employee of secunet Security Networks AG. S.G. declares a nonfinancial interest as an Advisory Group member of the EY-coordinated “Study on Regulatory Governance and Innovation in the field of Medical Devices” conducted on behalf of the DG SANTE of the European Commission. S.G. declares the following competing financial interests: he has or has had consulting relationships with Una Health GmbH, Lindus Health Ltd., Flo Ltd, ICURA ApS, Rock Health Inc., Thymia Ltd., FORUM Institut für Management GmbH, High-Tech Gründerfonds Management GmbH, DG SANTE, Prova Health Ltd, haleon plc and Ada Health GmbH and holds share options in Ada Health GmbH. S.G. is a News and Views Editor for npj Digital Medicine. S.G. played no role in the internal review or decision to publish this News and Views article.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Cite this article
Ostermann, M., Freyer, O., Weinhold, C. et al. How secure are your health devices—stopping wearables becoming a personal and national security risk? npj Digit. Med. 8, 317 (2025). https://doi.org/10.1038/s41746-025-01710-2