Identity Security in MedTech: Lessons from Recent Healthcare Breaches

Patrick Phillips

How two high-profile incidents are reshaping the identity security agenda across the medical tech industry

The medical technology industry runs on uptime; a delayed order, an inaccessible system, or a disrupted supply chain can ripple through hospitals within hours.

And while cybersecurity has long been framed as an IT problem, two incidents in early 2026 changed that framing for many MedTech executives. Neither attack used exotic zero-day exploits. Between them, they used a phishing email and stolen admin credentials, and that ordinariness is what made them dangerous.

Medical device cybersecurity spending is projected to reach $1.2 billion by 2027, up from $631 million in 2022, according to GlobalData. The investment is accelerating for a reason: attackers have found that targeting business operations, not the devices themselves, produces faster and more damaging results.

Two incidents, one clear pattern

Breach #1: a phishing entry point

In March 2026, a major surgical robotics company disclosed that a targeted phishing attack resulted in unauthorized access to internal business systems. Network segmentation kept its flagship surgical platform isolated, so clinical operations were unaffected. Attackers still accessed sensitive internal data, including employee and customer information.

Phishing accounted for the initial access vector in a majority of healthcare breaches in 2024, a pattern that shows no sign of reversing. The attack did not require any technical sophistication. It required one employee to click one link.

Breach #2: no malware, massive disruption

Around the same time, a leading medical device manufacturer experienced an attack that wiped tens of thousands of devices without deploying a single piece of malware.

Attackers obtained Global Admin privileges and used Microsoft Intune, a legitimate mobile device management platform, to remotely wipe devices across the organization. Ordering systems went down. Operations were disrupted. The attack was conducted entirely through valid credentials and native tooling.

This is a category of attack that traditional endpoint security was never designed to catch. No signature matched. No antivirus flagged it. The attacker looked, at every layer of detection, like an authorized administrator.

Why identity has become the primary attack surface

Both incidents share the same root cause: the attacker did not break in; they logged in. Traditional security architectures protect the perimeter: firewalls, endpoint detection, network monitoring. Those controls remain necessary, but they cannot stop a threat actor operating with legitimate credentials inside a trusted session. In both cases, perimeter defenses did not fail. Identity controls did.

MedTech environments make this worse. Consider what a typical access landscape looks like:

  • Distributed remote access across engineers, field technicians, and clinicians on external networks

  • Dozens of third-party vendors with privileged access to core infrastructure

  • Legacy systems running alongside cloud platforms, creating authentication gaps that are difficult to close

  • Pressure to minimize friction, because patient care depends on operational continuity

The result is an environment where over-provisioned credentials and broad admin privileges are the norm. A 2025 Ernst & Young and KLAS Research report found that more than 70% of healthcare organizations reported moderate to severe financial effects from a cyber incident in the past two years, and nearly 60% cited clinical impacts.

The attack surface is not the device. It is the identity layer sitting in front of everything else.

The regulatory environment is tightening

Regulators on both sides of the Atlantic are responding. The FDA, which published final cybersecurity guidance under Section 524B of the Federal Food, Drug, and Cosmetic Act in June 2025, is expected to shift from reviewing pre-market submissions to auditing real-world post-market security performance. Organizations that built their compliance programs around paperwork will need to demonstrate that their security controls actually work in production environments.

In the EU, a December 2025 revision to the MDR/IVDR framework introduced new obligations requiring manufacturers to notify cybersecurity incident response teams and the EU Agency for Cybersecurity (ENISA) of actively exploited vulnerabilities within 30 days. The Cyber Resilience Act and NIS2 Directive add further obligations for connected device manufacturers.

The 2025 HIPAA Security Rule update mandates multi-factor authentication across all access points to electronic protected health information. Organizations that have not yet implemented strong authentication across their workforce face both elevated breach risk and growing compliance exposure.

From zero trust to verified identity

Zero Trust architecture has been the prevailing framework for the past several years: never trust, always verify. The model is sound, but both incidents demonstrate where it falls short when identity verification itself is weak.

A policy of verifying every access request is only as strong as the verification mechanism behind it. If that mechanism is a password and a one-time code sent via SMS, phishing can still defeat it: the user types both into the attacker's page, and the attacker forwards them to the real one. If admin credentials can be obtained and reused without binding to a specific device or verified human identity, privilege escalation remains straightforward.

The next generation of identity security in MedTech requires moving beyond Zero Trust as a policy layer and building verified, human-bound identity as the foundation. That means authentication credentials tied to a specific device and a specific person, not just a token that can be captured and replayed.

See how 1Kosmos maps to NIST 800-63-3, the HIPAA Security Rule updates, and TEFCA in one platform.

What 1Kosmos delivers for MedTech environments

1Kosmos addresses the specific failure modes that these recent incidents exposed. The platform centers on identity-first security: verifying who is behind every access request before granting any permission.

Eliminating phishing as an attack vector

The first breach started with a phishing email.

1Kosmos replaces passwords and SMS-based one-time codes with passwordless authentication built on FIDO2/passkeys and device-bound cryptographic credentials. The private key never leaves the device and is tied to biometric identity, so there is no credential to phish. A fake login page captures nothing useful.

This directly addresses the reality that compromised credentials, typically obtained through phishing, are still the primary attack vector, per the 2024 Verizon Data Breach Investigations Report.
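The contrast drawn above, between a relayable SMS code and a credential whose private key never leaves the device, comes down to what the signature covers. The following is an added example, not 1Kosmos code or any FIDO2 implementation, that models the relying-party check with Go's standard-library Ed25519 standing in for the authenticator; the domain names are constructed, and the signed data is a simplified form of WebAuthn's rpIdHash plus client-data hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// signedData stands in for WebAuthn's rpIdHash || sha256(clientDataJSON): the
// signature covers the site, the origin the browser actually loaded, and the
// one-time challenge, so a captured signature is useless anywhere else.
func signedData(rpID, origin, challenge string) []byte {
	r, c := sha256.Sum256([]byte(rpID)), sha256.Sum256([]byte(origin+"|"+challenge))
	return append(r[:], c[:]...)
}

// Assert is the device side: priv never leaves the device, so a fake login page
// only ever receives a signature that names the fake page's own origin.
func Assert(priv ed25519.PrivateKey, rpID, origin, challenge string) []byte {
	return ed25519.Sign(priv, signedData(rpID, origin, challenge))
}

// RelyingParty remembers issued challenges so every assertion is single-use.
type RelyingParty struct {
	ID, Origin string
	Pending    map[string]bool
}

func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	c := hex.EncodeToString(b)
	rp.Pending[c] = true
	return c
}

// Verify rejects relayed (wrong origin), replayed (unknown or consumed challenge)
// and forged (bad signature) assertions; a valid one consumes its challenge.
func (rp *RelyingParty) Verify(pub ed25519.PublicKey, origin, challenge string, sig []byte) error {
	if origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made on another site")
	}
	if !rp.Pending[challenge] {
		return errors.New("challenge unknown or already used: replay")
	}
	if !ed25519.Verify(pub, signedData(rp.ID, origin, challenge), sig) {
		return errors.New("signature not from the enrolled device key")
	}
	delete(rp.Pending, challenge)
	return nil
}
```

An SMS code has no equivalent of the origin or challenge binding, which is why the same relay that fails here succeeds against it.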

Preventing privilege escalation

The second attack was possible because admin credentials, once obtained, could be used to perform any action the role permitted.

1Kosmos prevents this by binding every identity to a verified human and a specific device. Admin actions become non-repudiable and traceable, and even if an attacker acquires credentials, they cannot satisfy the biometric and device-bound authentication requirements needed to execute privileged actions.

This approach directly counters the living-off-the-land attack pattern used in that breach, where legitimate tools became weapons because there was no mechanism to verify the human behind the session.

Continuous identity assurance

A single authentication event at login is not sufficient in environments where a session can persist for hours and the blast radius of a compromised session is massive.

1Kosmos provides continuous authentication signals throughout a session and triggers step-up verification for sensitive actions, such as accessing patient data, executing admin commands, or modifying device configurations.

Identity proofing at onboarding ensures that the trust model starts from verified evidence rather than assumed credentials. For MedTech organizations managing large, distributed workforces, contractors, and third-party vendors, this eliminates the ghost account and orphaned credential problems that frequently open the door to insider threats and external attackers.

Unified coverage across the workforce ecosystem

MedTech authentication challenges span multiple populations: internal employees and engineers, field technicians accessing hospital networks, clinical staff using device management systems, and third-party vendors with privileged access to infrastructure.

1Kosmos addresses all of these through a unified identity fabric that covers workforce authentication, patient identity verification, and third-party access within a single platform.

Point solutions that address only workforce authentication leave patient portals and vendor access paths unprotected, while a unified approach closes those gaps without requiring separate tooling for each population.

What comes next for MedTech security

These incidents mark a shift in how sophisticated attackers approach MedTech targets.

Targeting business operations and identity infrastructure is faster, less noisy, and often more damaging than attempting to compromise medical devices directly. Ordering systems, supply chains, and workforce access are soft targets that, when disrupted, affect patient care without ever touching a regulated device.

The security architecture that addresses this requires five things:

  • Passwordless, phishing-resistant authentication for all workforce and third-party access

  • Device-bound, biometrically verified credentials that prevent credential reuse and privilege abuse

  • Continuous trust verification throughout sessions, not only at login

  • Identity proofing at onboarding that establishes a verified baseline before access is granted

  • Unified identity coverage across employees, vendors, and patients

Regulatory pressure from the FDA, the HIPAA Security Rule update, the EU Cyber Resilience Act, and MDR/IVDR revisions is pushing the same direction. Organizations building verified identity infrastructure now are investing in compliance readiness as much as breach prevention.

When identity controls fail, trust breaks before any device is ever compromised.

1Kosmos helps MedTech organizations ensure every access point is verified, every session is accountable, and every privileged action is traceable to a confirmed human identity. See how we can help below.

The latest in identity security.

Enter our orbit.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
