Cybersecurity in connected medical devices: a policy agenda for the NHS
Cybersecurity in connected medical devices: a policy agenda for the NHS
https://www.nature.com/articles/s41746-026-02534-4
Publish Date: 2026-03-10 05:17:00
Source Domain: www.nature.com
The cloud layer acts as a shared central node for collecting, processing, and routing CMD data. It interfaces with the physical layer, via the network layer, using integration protocols, typically implemented as application programming interfaces (API) or on-premises gateways (OPGs). While experts often frame vulnerabilities in cloud environments as issues of software, firmware, or hardware, rooted in architectural design, computational limitations, or proprietary systems, the likelihood of cloud-layer compromise, and its capacity to propagate downstream into patient harm, is more accurately understood as a socio-technical problem. This rationale refers to the interdependent relationship between people (e.g., developers, security operatives, or high-level executives), organisational processes (e.g., software supply chain verification), and technologies (e.g., identity management systems and notably connected medical devices).
As organisations such as the NHS are confronted with the growing complexity of cloud infrastructure, one of the most prevalent risks they may face is cloud-level misconfiguration (CLM). This often manifests as vulnerabilities in authentication and access control mechanisms, allowing attackers to gain unauthorised access to private integration protocols, such as the CMD API. In such cases, security mechanisms are bypassed, potentially exposing sensitive patient data at the cloud layer. The underlying causes of CLM, especially at larger CMD vendors, are less attributed to the absence of broken user authentication and more about broader organisational challenges, including a shortage of skilled professionals and outdated practices.
Identity and access management (IAM) failures are another major risk in modern cloud environments, referring to the inability to adequately control which users can and cannot access sensitive data, applications, and other resources. A common manifestation of this is excessive account permissions (EAP), where users or…
