A Candid Chat on Cybersecurity, AI, and Medical Devices: Why "Good Enough" Is No Longer Enough
- Marie Dorat
- 2 days ago
By Marie Dorat, M.E. Dorat Consulting

Hello everyone. If you’re in Medtech—whether you’re a manufacturer, quality leader, regulatory professional, or executive—I want to have a straight-talk conversation today. We’ve all seen the headlines. Connected devices, AI-powered tools, and the promise of better patient outcomes are exciting. But the risks? They’re real, growing, and hitting patients and companies hard. Being vigilant and proactive about cybersecurity and responsible AI use isn’t optional anymore. It’s table stakes.
Let me pull up a chair and walk you through why, with real-world examples that should make all of us pause.
The Wake-Up Calls We Can’t Ignore
Remember the massive Change Healthcare ransomware attack in early 2024? It disrupted claims processing nationwide, affected tens of millions of records, and rippled through the entire healthcare ecosystem. Fast-forward to 2025–2026: we saw continued high-profile incidents, including attacks on medical device companies like Stryker (with reports of compromised networks and a proposed class-action lawsuit over potential health data exposure) and Intuitive Surgical, where phishing led to data theft—though, thankfully, their core surgical systems weren’t directly hit.
Medical devices themselves are prime targets. In 2025–2026 reports, about 22% to 24% of healthcare organizations experienced cyberattacks that directly impacted or compromised medical devices, and 75% to 80% of those device-affecting incidents caused moderate-to-significant disruptions to patient care. Hospitals are also rethinking device purchases over weak cybersecurity: 56% in recent surveys, up significantly year over year.
On the AI side, the stories are equally concerning. Reuters reported on an AI-enhanced surgical navigation system (the TruDi system) whose reported malfunctions surged after AI integration: in the three years before the AI upgrade the FDA received only about seven malfunction reports, while after the integration reported malfunctions and adverse events rose to more than 100, including cases where the system misidentified instrument locations during delicate head surgeries and patients were injured. Analyses of FDA databases, including the Manufacturer and User Facility Device Experience (MAUDE) system, show a significant increase in adverse event reports for AI-enabled devices, recalls tied to AI/ML components, and failures such as overlooked heart rhythms or misidentified anatomy. That spike has prompted regulators to expand post-market surveillance. ECRI (the Emergency Care Research Institute) even named misuse of AI chatbots its top health technology hazard for 2026, because they confidently give wrong medical advice.
These aren’t hypotheticals. They’re patient safety issues. A compromised infusion pump, a hacked pacemaker, or biased AI diagnostics can mean real harm.
So, what can we do? We stop reacting and start building resilience from the ground up.
Why Partner with Cybersecurity and AI Consulting Experts?
I’ve spent years in pharma, biotech, and medical devices helping teams turn compliance into a competitive advantage. Here’s the truth: most internal teams are stretched thin. Cybersecurity requires deep expertise in threat modeling, secure-by-design principles, ongoing vulnerability management, and post-market surveillance. AI adds layers—data bias, model drift, adversarial attacks, explainability, and ethical governance.
Working with specialists lets you:
- Conduct thorough risk assessments tailored to your devices (not generic checklists).
- Embed security and AI controls into design and development early (shift-left approach).
- Prepare for audits, regulatory scrutiny (FDA, EU MDR, etc.), and supply chain pressures.
- Respond swiftly to incidents instead of scrambling.
It’s not about outsourcing everything—it’s about providing support for your team so you innovate safely. At M.E. Dorat Consulting, we guide clients through exactly this: practical, actionable strategies that align quality, regulatory, and tech teams.
ISO Certification: From “Nice-to-Have” to Non-Negotiable
Clients often ask me, “Marie, do we really need this certification?” My answer now is unequivocal: Yes.
For cybersecurity, key standards include:
- IEC 81001-5-1 — Security activities across the product life cycle for health software and health IT systems, which covers medical device software. It is the standard regulators point to for building security into every lifecycle phase rather than bolting it on at the end.
- ISO/IEC 27001 — The gold standard for Information Security Management Systems (ISMS). It is increasingly expected of medical device vendors handling PHI and operating connected systems.
- For AI, ISO/IEC 42001 stands out as the first certifiable standard for Artificial Intelligence Management Systems (AIMS). It covers responsible development, risk management, transparency, and continual improvement, which fits AI-enabled medical devices well.
Pair these with core Medtech standards like ISO 14971 (risk management; BS/AAMI 34971 extends it to machine learning), ISO 13485 (QMS), and IEC 62304 (software lifecycle).
Why is certification now essential?
- Regulatory pressure — FDA and global bodies expect proactive cybersecurity and AI governance in submissions.
- Customer demands — Hospitals and payers are scrutinizing vendors more than ever.
- Liability and reputation — Breaches or AI harms lead to lawsuits, recalls, and lost trust.
- Business survival — In a world of connected, intelligent devices, certification demonstrates you’re a trusted partner, not a risk.
It’s no longer paperwork. It’s patient safety, market access, and resilience.
Closing Thoughts
Look, I treat every product as if it were for my own family—that’s the mindset at M.E. Dorat Consulting. Vigilance means ongoing monitoring, not one-and-done. Proactivity means designing security and responsible AI from day one.
If your team is navigating these challenges, let’s talk. Whether it’s gap assessments, training, QMS integration, or full support through ISO certification, we’re here to help you move from reacting to leading the way.
Reach out at https://www.medoratconsult.com/ai-cyber-services. The future of Medtech is connected and intelligent; let’s make sure it’s also secure and trustworthy.
Stay safe out there,