
Cybersecurity remains a hot topic across healthcare, including healthcare technology management (HTM). This month’s installment of the TechNation Roundtable article asked cybersecurity gurus to share the latest trends, hot topics and insights as they pertain to HTM.
Participants in the article, and the upcoming TechNation Webinar Wednesday Roundtable Webinar, are:
• Skip Sorrels, Field CTO-CISO, Claroty;
• Shawn Hewitt, Senior Product Manager, FSI; and
• Derek Hills, Senior Product Manager, PartsSource.

Q: WHAT DO YOU SEE AS THE BIGGEST CYBERSECURITY THREAT FACING HEALTHCARE TECHNOLOGY TODAY?
SORRELS: In 2026, the primary threat is prolonged operational downtime caused by ransomware and supply chain attacks. It’s no longer just about data privacy (HIPAA); it’s about patient safety. If a hospital is forced to divert patients because critical systems are offline, that is a patient safety crisis. With regard to adversarial approaches, we are seeing and will see increasing numbers of AI-orchestrated attacks. In addition, I predict we will see an increasing number of attacks on the operational technologies within healthcare as the attackers realize these systems exist and they have been exploiting them in other industries for years.
HEWITT: When discussing with our HTM partners, it comes down to the increasingly interconnected nature of modern healthcare systems as the single greatest vulnerability. Significant risk stems from the large interconnected systems that hospitals and healthcare organizations are using today, putting both HFM and HTM teams at risk of attacks targeting essential operational systems and assets. On the HTM side specifically, medical devices are highly connected and may intersect with sensitive patient information – making them prime targets. While many of these attacks focus on systems related to patient data, they typically extend across departments and technologies, with maintenance and asset management identified as areas that continue to drive risk for future attacks. Ransomware and phishing remain the two dominant attack vectors, and the reliance on legacy systems with outdated firmware only amplifies the exposure. The threat isn’t just to patient records – it’s to the operational continuity that keeps patients safe.
HILLS: I think the biggest threat is still ransomware, but the larger issue is really the mix of ransomware, vendor and supply chain risk, and older clinical technology all operating in the same environment. Healthcare is a prime target because downtime has real patient care implications, and a lot of organizations are still managing legacy systems that were never designed for today’s threat landscape. So, to me, the biggest risk is not just one attack type, it is the combination of complex environments, connected devices and inconsistent cyber readiness.
Q: HOW CAN AI HELP HEALTHCARE FACILITIES WITH CYBERSECURITY CONCERNS AND STRATEGIES?
SORRELS: AI acts as a “force multiplier” for overwhelmed HTM teams. Key applications include:
• Anomaly Detection: Machine learning (ML) can baseline “normal” behavior for a specific infusion pump and instantly flag if it starts communicating with an unknown external IP.
• Predictive Vulnerability Management: AI can prioritize which devices to patch first by calculating the Exploit Prediction Scoring System (EPSS) against the device’s clinical criticality.
• Automated Inventory: AI-driven tools can identify “shadow IoT” (untracked devices) on the network more accurately than manual audits.
• Autonomous Triage: AI agents can automatically isolate a suspicious device (like a lab analyzer showing weird traffic) without waiting for a human analyst, preventing lateral movement across a multi-site network.
HEWITT: AI’s greatest contribution to healthcare cybersecurity is shifting teams from being reactive to proactive. When embedded into a CMMS, AI can analyze patterns across thousands of assets, surface anomalies before they become incidents, and help prioritize which vulnerabilities to address first based on asset criticality. At FSI, we’re actively developing integration opportunities for having cybersecurity and risk insights embedded directly into CMMS workflows rather than relying solely on third-party alerts or work orders alone – with the goal of unifying signals from cybersecurity platforms, regulatory bodies, and recall sources like ECRI and the FDA, turning them into prioritized, technician-ready work orders to provide stronger guidance across the full asset life cycle. AI also enables smarter preventive maintenance scheduling, which indirectly reduces risk by ensuring devices remain updated and patched. For lean HTM teams especially, AI-driven automation can reduce the manual burden of monitoring and remediation – something that’s increasingly critical as teams are asked to do more with less.
HILLS: AI can help by making teams faster and more focused. It can spot unusual behavior earlier, help connect signals across multiple systems, and cut down the amount of manual triage teams have to do. That matters because most healthcare organizations are dealing with limited time and limited resources. At the same time, AI is not a replacement for the basics. You still need strong asset visibility, segmentation, patching, access controls and a real incident response plan. AI helps most when the fundamentals are already in place.
Q: HOW CAN HTM ADDRESS CYBERSECURITY IN OLDER MEDICAL DEVICES?
SORRELS: In 2026, the focus should be Zero Trust for Legacy Assets.
• Enclave Networking/Microsegmentation: Grouping legacy devices into highly restricted, monitored enclaves rather than just broad VLANs.
• KEV-Driven Patching: Prioritize patches based on CISA’s known exploited vulnerabilities catalog rather than just critical scores.
• Virtual Patching: Using Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) to block known exploits at the network level before they reach the unpatchable device.
• Life Cycle Hardening: This means having a standardized retirement trigger. If a device cannot meet a minimum-security baseline and lacks a vendor support path, it must be moved to a high-risk replacement list during capital planning.
HEWITT: Legacy devices are one of the most persistent challenges in HTM, and there’s no single silver bullet – but a CMMS is foundational to managing the risk. It starts with visibility. To build the foundations of a solid risk management framework, hospitals and healthcare organizations must first start with a complete inventory of all assets. A thorough data collection and validation process provides insight into critical gaps that can lead to higher risk, helping teams understand where to focus and how to prioritize risk mitigation strategies. Once you know what you have, you can begin segmenting and monitoring those older devices more closely, and use your CMMS to document compensating steps – network isolation, enhanced inspection frequencies, or manufacturer end-of-life status – as part of a formal risk assessment record. FSI’s CMMS supports risk documentation and assessment workflows alongside opportunity for integrations with cybersecurity platforms for device security workflows, so that alerts on vulnerable devices automatically become actionable work orders rather than disappearing into a separate system. Collaboration with your IT and cybersecurity team is equally essential – working in sync with cybersecurity leaders can ensure that best practices are aligned with data controls and governance strategies.
HILLS: With older devices, the goal is usually risk reduction more than perfect remediation. A lot of those systems cannot simply be patched or upgraded without operational impact, so HTM has to start with visibility: knowing what devices are on the network, which ones are unsupported, and which ones are most critical to patient care. From there, it becomes a matter of putting the right protections around them: segmentation, tighter access controls, coordination with IT and security, and a plan for replacement where needed. Sometimes the right answer is not fixing the device directly, it is reducing its exposure and managing the risk around it.
Q: WHAT CYBERSECURITY BEST PRACTICES DO YOU RECOMMEND HTM DEPARTMENTS IMPLEMENT RIGHT NOW?
SORRELS: Recommended cybersecurity practices include:
• MFA for Every Gateway: No vendor or technician should access a medical device gateway without multi-factor authentication.
• Cross-Functional Governance: Establish a permanent clinical security council that includes HTM, IT, nursing and risk management to ensure security decisions don’t break clinical workflows.
• Continuous Asset Discovery: Move away from annual audits to real-time, passive network monitoring that identifies new devices the moment they are plugged in.
• Immutable Backups: Ensure device configurations and databases are backed up in a way that cannot be deleted or encrypted by ransomware.
• Vendor Risk Management: Strict control and management of third-party access to devices and systems.
• Incident Response Drills: Conduct tabletop exercises specifically for HTM staff to practice what to do when a ventilator goes offline during a cyberattack.
HEWITT: There are several immediate actions HTM teams should prioritize:
• Conduct a full and clean asset inventory. You cannot protect what you cannot see. A validated, up-to-date asset database in your CMMS is step one.
• Integrate your cybersecurity tools with your CMMS. When alerts are not tied to a system of record like the CMMS, it creates gaps in transparency. Relying on a healthcare-specific CMMS ensures simplified integrations with cybersecurity and device monitoring platforms so alerts can automatically become actionable work orders, helping to address problems faster and providing transparency into remediation tasks for compliance reporting.
• Define clear data governance with IT. Best practices include defining which equipment will be tracked in each system and working in sync with cybersecurity leaders to ensure data controls and governance strategies are aligned.
• Verify your CMMS vendor’s security certifications. True security extends beyond product features – look for vendors holding SOC 2 Type II certification, which verifies maintained controls related to security and availability.
• Document everything and often. Regulatory compliance in the event of an incident depends on a clear audit trail. Use your CMMS to record risk assessments, corrective actions and maintenance activities related to cybersecurity.
HILLS: First, get an accurate inventory of connected medical devices and clear visibility into that inventory so you can see the full picture of each asset, including its health, support status, service history and potential cyber risk. Second, work closely with IT and security on network segmentation so clinical devices are not more exposed than they need to be. Third, strengthen access controls, especially for privileged access. Fourth, build a repeatable process for handling vulnerabilities, patches and incident escalation the same way hospitals already respond to major equipment issues. If a CT goes down, there is a clear process to assess it, assign ownership, escalate it and resolve it. Cyber issues should be brought into that same operational workflow, so they are managed with the same discipline and urgency. And fifth, make cybersecurity part of the life cycle of every device, from procurement and monitoring, through support and replacement. If you only think about cyber when something happens, you are already behind.
Q: HOW DO YOU STAY UPDATED ON EMERGING THREATS AND CYBERSECURITY TRENDS?
SORRELS: Rely on automated threat intelligence feeds and a community of one:
• Health-ISAC & CISA: Real-time data streams that feed directly into our security operations center (SOC).
• PSIRT Monitoring: Automated alerts from major manufacturers (GE, Siemens, Philips) regarding newly discovered zero-day vulnerabilities.
• Peer Networks: Participating in large-system forums where chief information security officers (CISOs) and HTM directors share lessons learned from recent incidents.
HEWITT: Staying current requires a combination of internal commitment and community engagement. At FSI, our product and technology teams maintain active awareness of evolving standards and threat landscapes – including guidance from FDA on medical device cybersecurity, AAMI technical standards and recall and advisory data from ECRI. We also deeply value the feedback loop with our customers: FSI actively incorporates feedback from HTM users into the product roadmap to enhance usability and functionality, with recent updates including streamlined mobile access, configurable workflow automations, and expanded reporting tools – all designed to meet the evolving needs of healthcare technicians. Industry events are irreplaceable for this – which is why we invest heavily in being present and engaged with the HTM community at conferences like AAMI eXchange and ASHE. Real-world conversations with biomed techs and HTM leaders tell us what the threat landscape looks like from the front lines.
HILLS: I stay informed through major healthcare cybersecurity alerts, FDA and manufacturer updates and mainly through conversations with teams working through these issues every day. But honestly, staying updated is the easy part. The harder part is operationalizing that information, knowing which assets are affected, understanding the risk in context of the asset and making sure the right action happens before it turns into downtime or disruption.
Q: WHAT ELSE WOULD YOU LIKE TO SHARE WITH THE TECHNATION COMMUNITY?
SORRELS: Cybersecurity is a team sport. The silo between HTM (biomed) and IT (security) must be demolished. HTM brings the clinical context (understanding how a device affects a patient), while IT brings the technical defense. Neither can protect the hospital alone. We must shift the culture from “cybersecurity is IT’s job” to “cyber-safety is patient safety.” In healthcare, a cyberattack is a clinical event, not just a technical one. The goal isn’t just to keep the bad guys out; it’s to ensure that even if they get in, we can continue to deliver high-quality care without interruption.
HEWITT: We want the TechNation community to know that FSI is fully committed to making your cybersecurity work easier – not harder. FSI’s solutions actively manage over 400 million square feet of hospital space each year, empowering maintenance teams with unified, intelligent maintenance tools needed to stay ahead of disruptions and optimize resources. Cybersecurity is no longer a siloed IT concern; it lives in every work order, every connected device, and every maintenance workflow. A purpose-built healthcare CMMS should be your command center for managing that risk – not an afterthought. If you’re heading to AAMI eXchange 2026, come find us in Denver! As you know, AAMI eXchange brings together 2,000+ healthcare technology professionals. This year will feature more than 80 educational sessions covering cybersecurity, AI in HTM, regulatory updates, and career development. The FSI team will be on the floor, and we’d love to connect, demo what we’ve been building, and hear directly from HTM professionals about what keeps you up at night – so we can build solutions that help you sleep a little better.
HILLS: I think cybersecurity has become part of patient safety and operational reliability. It is no longer just an IT issue sitting off to the side. HTM teams bring an important perspective because they understand the full picture of the asset, its condition, service history, vendor support, operational role and the impact downtime has on care delivery. The best outcomes happen when HTM, IT, security and manufacturers are all working together instead of operating in separate lanes. That collaboration is where a lot of the real progress happens.

