Cybersecurity in Medical Devices: The Hidden Risk That Could Compromise Your Clinic


There are still many clinics where the most advanced medical equipment — scanners, MRIs or digital X-ray machines — is connected to the internet without anyone stopping to think about what that really means. It’s convenient, fast, and seems normal in a world where everything is digital. The problem is that this connection, if poorly configured, can turn these devices into an open door to your clinic’s most sensitive data — and a serious cybersecurity risk in medical devices.


Over one million exposed medical devices worldwide

Just a few weeks ago, the team at Modat uncovered something that should worry any clinic: over one million medical devices around the world were connected to the internet without proper security. And it wasn’t just a handful of stray files: among the medical data the researchers found were brain scans, dental X-rays, eye exams, lung MRIs, and even blood test results — all containing private information left completely unprotected.

And what struck me most when reading this report is that we’re not just talking about distant countries like the US. We’re talking about European countries — close neighbours of Spain — such as Germany, Ireland, the UK, and France. In other words: the problem is already in Europe, right on our clinic doorsteps.


Cybersecurity in medical devices: why do these breaches happen?

What’s strange is that these issues are relatively easy to fix, and yet they keep repeating in clinics across the globe. If you’re running a clinic, here are some of the most common flaws you should check for:

  • Factory-set passwords like “admin” or “123456”
  • Medical devices directly connected to the internet without any real need (like a scanner or an X-ray machine)
  • Outdated software — equipment that hasn’t been updated in years or doesn’t receive updates when manufacturers release them

All these issues are simple to solve, yet they become the weakest and most exploitable entry points. And the worrying part is, you don’t need to be a seasoned cybercriminal to take advantage of them — these are such basic errors that anyone with bad intentions could exploit them.

As Soufian El Yadmani, Modat founder and expert in this field, put it:

“Why are there still MRI scanners directly connected to the internet without proper security?”

These systems should only be accessed remotely when there’s a clear clinical need. The problem is, too often they remain open — and vulnerable.


When remote access does make sense

Of course, there are legitimate cases where remote access to a medical device makes sense — for example, when a specialist needs to review a scan from another clinic. The risk isn’t in the remote access itself, but in doing it without the proper security measures.

That’s when what should be a tool to improve care becomes an open door to your entire clinic.


The risk of ignoring security in medical equipment

Today, many clinics still rely on legacy medical equipment that no longer receives updates or support from the manufacturer. It still works, it was expensive, and replacing it isn’t always feasible in the short term. But without updates or security patches, these devices become easy targets.

And this is where the biggest risk lies: a vulnerability in a scanner or X-ray machine could open the door to ransomware that paralyses your clinic, or something even worse. As I’ve mentioned in other articles on cybersecurity in clinics, the real blow comes when patient data gets leaked — and ends up in the hands of third parties for blackmail, insurance fraud, or even identity theft.

Now imagine one of those patients is a well-known public figure, and their health data ends up circulating uncontrolled: the damage to the clinic wouldn’t just be legal or financial — it would be a direct hit to your reputation and the trust of every single patient.


Cybersecurity in medical devices is now part of the clinical standard

I’ll keep saying it: cybersecurity in clinics is no longer optional. Not just because cyberattacks in the healthcare sector are on the rise, but because, since 2023, clinics are legally required to comply with the NIS2 Directive (https://www.boe.es/buscar/doc.php?id=DOUE-L-2022-81963) — which mandates staff training, clear protocols, and protecting patient confidentiality.

It’s a shift as necessary as when wearing seatbelts became mandatory. At first it felt like a nuisance, but today no one questions that it saves lives. It’s the same in a clinic: just like you ensure sterilisation to prevent infection, you now have to guarantee digital protection to prevent data leaks.

In the end, these regulations are there to protect you, to save you from a lot of headaches, and to give you the peace of mind that your clinic, your patients, and your reputation are truly secure.

And remember: lock the doors well — and the ports too. Cyber-protect yourself.
