Episode 26- When Medical Devices Meet Malware: Axel Wirth on Cyber Risk in Care

Cyber Survivor host Dan Dodson interviews Axel Wirth, chief security strategist at MedCrypt, about the rising cyber risks facing medical devices and what that means for patient care. Wirth explains that he began as a hardware electrical engineer in the medical device and health IT world before moving into cybersecurity in 2008, eventually focusing exclusively on medical device security and helping manufacturers both improve their products and meet evolving global regulatory expectations. Over the last decade, he has seen clear maturation: regulators like the FDA and international counterparts now explicitly require cybersecurity as part of market approval, and some devices are even being rejected solely for cybersecurity shortcomings, prompting manufacturers to strengthen designs and documentation. Dodson and Wirth then dig into the massive challenge of legacy devices: millions of clinically functional but aging devices—CT and MRI scanners, infusion pumps, and more—remain deployed in hospitals, often with serious vulnerabilities and enormous replacement costs. They note that healthcare operates on tight or negative margins, making large-scale replacement difficult, and that any change introduces disruption, retraining needs, and operational risk. Wirth points to industry efforts, such as detailed guidance on legacy devices, but questions whether the sector can move fast enough given the growing sophistication of attackers and the broad attack surface created by all these connected systems. They explore the threat landscape, emphasizing that risk has increased significantly. Attackers have not yet commonly launched deliberate, patient‑harming attacks on medical devices themselves; instead, devices often become collateral damage when they run unpatched commercial operating systems targeted by generic malware, as illustrated by the WannaCry incident that crippled the UK’s NHS and disrupted care. Wirth also cites evidence of criminal groups that intentionally use medical devices as entry points into hospital networks, as well as the economic incentives behind ransomware campaigns that seek to disrupt care, raising pressure on hospitals to pay ransoms to restore operations quickly. Looking ahead, they discuss how AI and geopolitics will accelerate and intensify threats. Wirth notes that AI already enables cheaper, highly targeted attacks, with some campaigns now largely executed by automated tools, and he expects that trend to grow. At the same time, more nation‑state and hacktivist actors are likely to see healthcare as a strategic target. While there has been real progress—better tooling for manufacturers and hospitals, improved device architectures, stronger inventory visibility, network segmentation, and clearer regulatory pressure—Wirth is skeptical that defenders are improving faster than attackers. He worries that a large, catalytic event, similar to WannaCry but perhaps even more severe in healthcare, may be what finally forces the scale of investment and coordination needed. The conversation also highlights operational friction between hospitals and manufacturers. Dodson raises the frustration many CISOs feel: patch cycles are slow and complex, responsibility is fragmented across IT, biomed/clinical engineering, third‑party servicers, and cybersecurity teams, and hospitals often end up “holding the bag” after an incident. Wirth agrees that patching is inherently complex—vulnerabilities must be verified, patches developed and tested, then deployed without compromising clinical operations—and that delays occur on both sides. However, he stresses that both manufacturers and providers are getting better: post‑market security responsibilities are more widely accepted, tooling is improving for patch development and deployment, and hospitals are investing in visibility and governance over who owns medical device security decisions. Despite his concerns, Wirth ends on a cautiously optimistic not