Over 1 Million Healthcare IoT Devices Exposed in Global Data Breach: Why Zero Trust and Automated Lifecycle Security Are Essential

A recent investigation by Modat has revealed a critical healthcare IoT security breach. More than one million healthcare IoT devices and connected medical systems worldwide are currently exposed online, leaking everything from MRI scans and X-rays to eye exams and blood test results. In many cases, these files are stored alongside patients’ names and other identifying details, creating a significant medical device data breach with far-reaching consequences. 

This is not the result of an advanced cyberattack. Instead, it stems from basic security failures, including: 

  • Default manufacturer passwords like “admin” or “123456” left unchanged. 
  • Unnecessary internet connectivity for devices that do not require remote access. 
  • Failure to apply security patches because taking equipment offline is seen as operationally disruptive. 

The Real Risks of Healthcare Device Exposure 

The consequences of these vulnerabilities extend beyond privacy concerns: 

  • Data privacy breaches: Highly sensitive health data, such as brain scans and lab results, is accessible to anyone with minimal technical know-how.
  • Patient safety threats: Cybercriminals could alter medical records or treatment plans, such as changing medication dosages, without detection. 
  • Operational disruption: A single exposed medical device could provide an entry point for ransomware that shuts down an entire hospital. 

As Modat’s CEO Soufian El Yadmani warned, the primary risk is unnecessary network exposure. In healthcare, that exposure is more than a compliance issue — it is a patient safety issue. 

Why Healthcare IoT Devices Remain Vulnerable to Data Breaches 

Hospitals and healthcare providers face intense operational pressures. Updating firmware or rotating credentials can seem impossible when systems are in constant use for patient care. Many facilities also rely on legacy medical devices with limited security features and run in fragmented environments, which makes effective management difficult. 

These conditions mean manual, reactive security approaches are simply not enough. Automation, policy-based access control, and Zero Trust for healthcare IoT devices are no longer optional — they are essential for operational resilience and regulatory compliance. 

How Zero Trust and Automated Lifecycle Management Protect Healthcare IoT Devices 

At Device Authority, we advocate a lifecycle and identity-centric approach to securing connected medical devices: 

  • Provision unique, cryptographically secure identities for every device from day one. 
  • Automate credential issuance, rotation, and revocation to eliminate static passwords. 
  • Enforce policy-based access control, where trust is based on verified device identity and attestation, not network location. 
  • Maintain full device lifecycle management from onboarding through decommissioning, with real-time visibility and compliance reporting. 

Our KeyScaler™ platform automates these processes at scale, even for unmanaged or constrained devices, reducing the human workload and operational downtime that often prevent updates from being applied. 

Security in Healthcare is Non-Negotiable 

Device Authority CEO Darron Antill highlights the urgency: 

“Healthcare organisations cannot afford to take a reactive approach to device security. Every connected medical system must be verified, managed, and protected throughout its lifecycle to safeguard patient data and safety. Zero Trust, backed by automation, is the only way to achieve this at scale without disrupting critical care.” 

Protecting digital medical data must be treated with the same seriousness as sterilising an operating theatre. It is a fundamental requirement for modern healthcare that ensures both patient trust and safety. 

If your organisation operates connected medical devices, now is the time to act. Automation and Zero Trust are the foundation for resilient, compliant, and safe healthcare operations. 

Find out how to protect every connected medical device from onboarding to retirement. Contact us today to learn more or request a healthcare IoT security assessment.