Jonathan Dedman, director of Cloudhouse, explains why IT failures are becoming a major patient safety risk in healthcare.
Healthcare and medtech organisations have to manage some of the most complex IT estates in any sector. The problem is that this complexity provides fertile ground for cyber incidents to take place, putting patient safety at risk. Nearly every healthcare organisation (93%) was hit by a cyberattack last year. And it’s estimated that each incident can cost $3.9 million (£2.9 million) on average. The disruption and financial damage of these events can mean critical medical supplies aren’t delivered on time, and purchases aren’t made when they are needed.
Given the severity of these risks, regulators are responding quickly, and the compliance environment in 2026 already looks materially different from even two years ago.
In the US, the Food and Drug Administration’s (FDA) updated cybersecurity guidance now treats IT security as a lifecycle obligation for connected medical devices, while the EU’s Medical Device Regulation (MDR) will come into force throughout 2026-2028; EUDAMED, “which provides a living picture of the lifecycle of medical devices”, is mandatory from 28 May.
For organisations that manufacture, distribute or operate medical technology, this regulatory pressure falls squarely on IT infrastructure. Failing to manage configuration drift or document changes won’t just be an operational nuisance but could turn into an audit failure that comes to light after an investigation by regulators.
Therefore, it’s essential that organisations ensure they have the necessary governance and systems in place to manage configuration and build real-time change visibility. Otherwise, they put both themselves and their patients at risk.
Drift in complex environments
Configuration drift occurs when system configurations diverge from their intended, documented or approved state. It is typically gradual and often goes undetected, meaning it builds without the knowledge of IT teams. A routine operation, such as a patch being applied to one server but not another, or a firewall rule being temporarily relaxed and never restored, creates the initial drift, which then compounds over time as more changes are made and additional drift creeps in.
The IT estate of a global manufacturer can be incredibly diverse, ranging from production environments for device software and supply chain management systems to clinical data platforms and, increasingly, connected product infrastructure. These complex environments are perfect for drift to take place, as changes can easily go unnoticed.
Medical device manufacturers, for example, often have to run environments where outdated platforms and modern cloud services interoperate and where configuration baselines vary. What’s more, as they launch new connected products such as digital twins or remote monitoring platforms, the supporting cloud infrastructure becomes part of the regulated environment.
Many medtech companies also have to operate across various regions and therefore have to maintain standards across a host of sites, time zones and local IT teams. And in a sector where system reliability and availability directly impact patient care, there can be a continuous pressure to deploy changes quickly – yet this speed can lead to shortcuts and, consequently, undocumented drift.
The true cost of poor change visibility
While it can be easy to treat configuration drift as falling solely under the remit of IT, the consequences of not detecting it extend far beyond the IT team. The first direct impact is audit failure. If a manufacturer were to present its devices as compliant while, even unknowingly, harbouring undocumented configuration changes, the company would be at risk of investigation.
Regulatory bodies like the FDA now expect clear traceability between configuration baselines, change logs and risk documentation – if this visibility is not there, they will request more information. This can lead to delayed approvals on submitted products for certification and, in the worst cases, even refusal. In Europe, for example, devices that fail to meet MDR requirements by the applicable deadline risk being pulled from the market entirely. Subsequently, an investigation can result in delayed or blocked market access.
There are more immediate and wide-ranging impacts as well. One of the foremost causes of unexplained outages is configuration drift. If a system fails and IT is unable to easily see what changed, then the time it takes to resolve an outage increases substantially. This can impact patient care and stall the production of vital products, subsequently damaging revenue and reputation. The median cost of downtime in the healthcare sector can be $1-2 million per hour.
Finally, every undocumented change opens up a potential attack vector. If a patch has been skipped on a single server or the elevated privileges of a service account remain active, that creates a gap for bad actors to exploit. A typical hospital bed in the US can have between 10 and 15 connected devices on average, and with most hospitals suffering from cyberattacks, the threat of cyber incidents is widespread and growing.

Meeting regulator expectations
Often, regulatory expectations can vary across borders. But the FDA, the EU’s MDR and supporting standards do have a consistent set of expectations to meet for governing IT infrastructure in healthcare and medtech.
These include real-time visibility of every change across the estate instead of periodic snapshots or manual reviews; documented change baselines for every environment against which drift can be measured and reported; automated audit-ready reports available on demand (rather than retrospective reports); and configuration management that spans the full product lifecycle.
Meeting these expectations rests on a change management solution whose tools centrally monitor IT infrastructure, automatically detect every configuration change as it takes place and provide a detailed audit of it. With IT teams setting a defined compliance baseline, the system can monitor assets and compare their status against this standard to flag any instances of drift. This forms a single, real-time view of the configuration status of systems and devices across a healthcare organisation’s entire IT infrastructure.
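The baseline comparison described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any vendor's product; the asset names, setting keys and values are constructed, and the hash-chained log is one assumed way to make the resulting change record tamper-evident for audit.

```python
import hashlib
import json

# Constructed sample data: asset names, setting keys and values are hypothetical.
APPROVED = {"patch_level": "2026.03", "fw_rdp_inbound": "deny", "svc_backup_role": "reader"}
BASELINE = {"app-01": dict(APPROVED), "app-02": dict(APPROVED)}
OBSERVED = {
    "app-01": dict(APPROVED),
    # Patch skipped, firewall rule left relaxed, service account still elevated.
    "app-02": {"patch_level": "2026.01", "fw_rdp_inbound": "allow", "svc_backup_role": "admin"},
    "lab-07": {"patch_level": "2025.11"},  # reporting, but never given a baseline
}

def finding(asset, kind, setting=None, expected=None, actual=None):
    return {"asset": asset, "kind": kind, "setting": setting,
            "expected": expected, "actual": actual}

def detect_drift(baseline, observed):
    """Compare each asset with its approved baseline; return one finding per gap."""
    findings = []
    for asset in sorted(set(baseline) | set(observed)):
        if asset not in baseline:
            findings.append(finding(asset, "no_baseline"))
        elif asset not in observed:
            findings.append(finding(asset, "not_reporting"))
        else:
            want, have = baseline[asset], observed[asset]
            for key in sorted(set(want) | set(have)):
                if want.get(key) != have.get(key):
                    findings.append(finding(asset, "drift", key, want.get(key), have.get(key)))
    return findings

def digest_of(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_audit_log(findings, observed_at):
    """Hash-chain the records so a later edit or deletion is detectable."""
    log, prev = [], "0" * 64
    for f in findings:
        body = dict(f, observed_at=observed_at, prev=prev)
        prev = digest_of(body)
        log.append(dict(body, digest=prev))
    return log

def verify_audit_log(log):
    """Recompute the chain; False means a record was altered, removed or reordered."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "digest"}
        if rec["prev"] != prev or digest_of(body) != rec["digest"]:
            return False
        prev = rec["digest"]
    return True
```

Assets that report without a baseline, or have a baseline but stop reporting, are surfaced as their own finding kinds, since both are visibility gaps that a per-setting comparison alone would miss.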
The brilliant aspect of this approach is that it creates an audit-ready log of change activity and, if an outage takes place, this real-time change visibility means teams can diagnose and resolve the root cause of the incident faster. Ultimately, regulations tackling IT failures are in place to protect patient safety. By centralising change management, healthcare companies can significantly alleviate the risk of IT failures and the damaging consequences they can have on care outcomes.



