Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security What do security teams get wrong about protecting…
Cyber Security

What do security teams get wrong about protecting connected medical devices?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 12, 2026 Domain: Cyber Security

They often focus on patching while leaving device access too broad. In practice, a device can become a pivot point if default credentials, shared admin accounts, or weak segmentation remain in place. Device security must be treated as an access control problem as well as a patching problem.

Why This Matters for Security Teams

Connected medical devices sit at the intersection of patient safety, availability, and cyber risk. A missed control can turn an operational issue into a clinical one, especially when devices share flat network segments, use long-lived credentials, or depend on vendor-managed service access. Current guidance, including the NIST Cybersecurity Framework 2.0, pushes teams to treat security as an ongoing governance and risk management function, not a one-time hardening exercise.

The common mistake is assuming patch cadence alone reduces exposure. For medical devices, patching is often constrained by validation cycles, vendor dependencies, and clinical uptime requirements. That means access pathways, segmentation, asset visibility, and compensating controls matter just as much as software updates. If those basics are weak, even a fully patched device can remain reachable, misused, or leveraged as a pivot point into wider hospital systems. In practice, many security teams encounter device compromise only after abnormal network movement or an access review has already been missed.

How It Works in Practice

Effective protection starts with a complete device inventory and an understanding of what each device can reach, what it depends on, and who can administer it. For connected medical devices, that includes clinical workstations, update servers, remote support channels, and any shared service accounts. NIST guidance on access and governance is useful here, but medical environments also need operational controls tuned to uptime and patient care. The best practice is not to isolate everything blindly, but to build policy-driven segmentation that limits lateral movement while preserving legitimate clinical workflows.

Security teams usually get more value from reducing trust than from chasing perfect patch coverage. That means disabling default credentials, eliminating shared admin accounts where feasible, enforcing unique authentication for technicians, and placing vendor access behind tightly monitored approval paths. It also means pairing network restrictions with logging, alerting, and change control so that device activity can be reviewed when a patch cannot be applied immediately.

  • Map devices by criticality, vendor, network path, and clinical dependency.
  • Replace shared access with named accounts, strong authentication, and time-bound access where possible.
  • Segment devices from general-purpose user networks and restrict east-west traffic.
  • Monitor remote maintenance sessions, configuration changes, and unusual outbound connections.
  • Use compensating controls when patching is delayed, including allowlisting and tighter privilege boundaries.

Detection should be designed around device behavior, not just malware signatures. Attack patterns described in MITRE ATT&CK are helpful for understanding how valid accounts, remote services, and lateral movement show up in real environments, while the CISA recommended practices for industrial control and similar environments are useful for teams managing operationally sensitive assets. These controls tend to break down when legacy devices must remain on flat subnets and the organisation lacks a reliable way to inventory or monitor vendor access because the environment was designed for uptime first and security later.

Common Variations and Edge Cases

Tighter segmentation often increases operational overhead, requiring organisations to balance clinical availability against stronger isolation. That tradeoff is especially visible in hospitals with mixed generations of devices, where newer systems may support modern authentication while older platforms rely on static accounts or vendor-only servicing. In those cases, current guidance suggests using compensating controls rather than pretending uniform hardening is realistic.

One important edge case is devices that cannot be patched without extensive validation or regulatory review. Another is remote service access, where vendors may legitimately need temporary connectivity but should never have broad standing access. Guidance is evolving on how far to push zero standing privilege concepts into medical operations, but the direction is clear: access should be time-limited, recorded, and scoped to a specific support task whenever possible. The NIST Cybersecurity Framework 2.0 remains a useful organising model, but it must be adapted to clinical realities rather than applied as a generic enterprise checklist.

Security teams also need to account for devices that are technically secure but operationally unsafe if monitoring is too aggressive or if change windows are too narrow. The right answer is often a layered model: reduce privilege, control pathways, and monitor behaviour, while accepting that patching may be slower than on standard IT assets. Best practice is evolving, but the core lesson is consistent: medical device protection fails when teams focus on software currency and ignore access design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Device access must be limited to authorised roles and services.
MITRE ATT&CKT1078Shared or default credentials enable valid-account abuse.
NIST AI RMFRisk governance applies when connected devices support automated clinical workflows.
NIST SP 800-53 Rev 5AC-2Account management is central when vendor and technician access exists.

Assign owners, assess risk, and manage device trust as part of ongoing governance.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org