
Verified identity in MedTech: are current access controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter

TL;DR: Two early-2026 MedTech incidents showed that phishing and stolen admin credentials can disrupt operations without exploiting devices, while GlobalData projects medical device cybersecurity spending will rise to $1.2 billion by 2027 from $631 million in 2022. The lesson is that verified identity, not perimeter hardening alone, is now the control plane that determines business continuity.

NHIMG editorial — based on content published by 1Kosmos: How two high-profile incidents are reshaping the identity security agenda across the medical tech industry

By the numbers:

Questions worth separating out

Q: How should MedTech organisations stop phishing from leading to privileged access abuse?

A: They should use phishing-resistant authentication, bind access to a specific device and verified identity, and remove SMS-based fallback paths wherever privileged systems are reachable.

Q: Why do stolen admin credentials create outsized risk in medical technology environments?

A: Because admin roles often span ordering systems, device management, and internal business applications, one compromised account can affect both operations and data.

Q: What do security teams get wrong about verifying identity once at login?

A: They assume the risk ends when the session begins, but in practice trust can decay over time or shift when the user moves from routine work to a sensitive task.

Practitioner guidance

  • Upgrade workforce authentication to phishing-resistant methods: replace password- and SMS-based login paths with device-bound, phishing-resistant authentication for employees, contractors, and vendors who can reach business or admin systems.
  • Separate high-impact admin actions from routine administration: require stronger verification, tighter approvals, and dedicated privileged workflows for actions such as remote wipes, mass configuration changes, and privilege grants.
  • Map every third-party access path to an owner and offboarding trigger: inventory vendor, field-service, and contractor access across business systems and device platforms, then tie each account to a named lifecycle owner and revocation condition.
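The Q&A answers and the first two guidance points above can be expressed as one admin-plane decision policy. The following is an added example written for this post, not code from 1Kosmos or NHIMG; the action names come from the post, while the ten-minute freshness window, the independent-approver rule and the session fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values: the post names the action classes, not these numbers.
PHISHING_RESISTANT = {"passkey", "fido2"}
HIGH_IMPACT = {"remote_wipe", "mass_config_change", "privilege_grant"}
FRESHNESS = timedelta(minutes=10)   # assumed re-verification window for sensitive tasks


@dataclass
class Session:
    user: str
    auth_method: str          # "passkey", "fido2", "password", "sms_otp", ...
    device_bound: bool        # credential tied to a registered device
    last_verified: datetime   # most recent successful user verification


@dataclass
class Request:
    action: str
    approved_by: Optional[str] = None   # independent sign-off for high-impact actions


def evaluate(session: Session, req: Request, now: datetime) -> tuple:
    """Return ('allow'|'step_up'|'deny', reason) for an admin-plane request."""
    # No SMS or password fallback where privileged systems are reachable.
    if session.auth_method not in PHISHING_RESISTANT or not session.device_bound:
        return "deny", f"{session.auth_method} without device binding cannot reach admin systems"
    if req.action not in HIGH_IMPACT:
        return "allow", "routine administration"
    # Trust decays: a sensitive task needs a fresh verification, not the login-time one.
    if now - session.last_verified > FRESHNESS:
        return "step_up", "re-verify the user before a high-impact action"
    # Tighter approvals: a separate approver, never self-approval.
    if req.approved_by is None or req.approved_by == session.user:
        return "deny", "high-impact action requires independent approval"
    return "allow", f"{req.action} approved by {req.approved_by}"


def decide(auth_method, device_bound, minutes_since_verified, action, approved_by=None):
    """Convenience wrapper: one request for user 'alice' against a fixed clock."""
    now = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    session = Session("alice", auth_method, device_bound,
                      now - timedelta(minutes=minutes_since_verified))
    return evaluate(session, Request(action, approved_by), now)[0]


if __name__ == "__main__":
    print(decide("passkey", True, 120, "remote_wipe", approved_by="bob"))  # step_up
```

A stale passkey session is not refused outright for a remote wipe; it is sent back for fresh verification, which is the "trust decays over time" point from the third answer.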

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • Device-bound authentication mechanics built around FIDO2/passkeys and biometric verification.
  • How continuous identity assurance is applied during active sessions and sensitive actions.
  • The MedTech-specific mapping to HIPAA, TEFCA, and post-market regulatory expectations.
  • The article's walk-through of the two incidents and the exact control failures it says they expose.

👉 Read 1Kosmos' analysis of identity security risks in MedTech →
