by Gus Iversen, Editor in Chief | June 08, 2026
By Keri Forsythe-Stephens
Healthcare-targeted cyberattacks are no longer measured solely in financial losses or operational disruption. They are now reaching the point of care.
Heidi Dondlinger, senior global product manager for connected device ecosystems at GE HealthCare, drove that point home during “Actionable Strategies for Cybersecurity Challenges in Biomedical Device Management” at the 2026 AAMI eXchange in Denver. Citing industry data showing that nearly three-quarters of healthcare organizations have experienced patient-care disruptions tied to cyberattacks, Dondlinger argued that cybersecurity has become as much a care delivery issue as a technology issue.

Yet many healthcare organizations still face a familiar gap: turning awareness into action.
“The goal is to get three things connected that don’t always get put together: what’s actually happening in healthcare environments, what [federal] guidance is saying, and what that means for how we operate day to day,” Dondlinger said.
One of the biggest obstacles, she said, is a lack of clarity. “Who owns what? Who’s responsible for remediation? Who decides when a risk is acceptable? Who coordinates downtime?” she asked.
For healthcare technology management (HTM) teams, answering those questions starts with visibility, Dondlinger explained.
Medical devices routinely remain in service for 10 to 15 years—and often longer. As cyber threats evolve, healthcare organizations are left managing legacy systems that were never designed for today’s connected environments. “Achieving perfect security isn’t realistic,” Dondlinger said. “We’ve all realized that ship has probably sailed.”
The focus, she said, should be resilience. Regulatory guidance increasingly recognizes compensating controls—including network segmentation, continuous monitoring, and restricted access—as essential safeguards for devices that cannot easily be upgraded or patched. But without visibility into device inventories, software versions, and communication pathways, “you can’t ask what’s at risk, what should be prioritized, or whether you’re really compliant,” Dondlinger said.
Visibility alone, however, is not enough. Ownership remains another challenge. During a cybersecurity event, responsibilities often span clinical engineering, information technology teams, and external service providers. When those roles are not clearly defined, response efforts can slow when speed matters most, she said.
“Responsibilities fall between teams,” she said. “Clear accountability reduces risk just as much as technical measures.”