June 27, 2025
Medical device cybersecurity has traditionally focused on the device itself - designing with security in mind, managing vulnerabilities, and ensuring compliance through the premarket and postmarket phases. But across the full product lifecycle, the cybersecurity risks of the operational technologies (OT) used to manufacture medical products have been overlooked.
The FDA’s recent whitepaper, Securing Operational Technologies and Equipment Used for Medical Product Manufacturing, brings long-overdue attention to this risk. In an era of connected production lines, Industrial Internet of Things (IIoT), and complex global supply chains, a compromise at the manufacturing level could be just as harmful as a device vulnerability discovered in the field.
The convergence of IT and OT is not new to industries like aerospace, automotive, or energy. These sectors have long recognized the security implications of blending physical systems with digital control layers. OT-specific protocols, network segmentation, and supply chain visibility are standard practice.
But in the medical products industry, OT cybersecurity is still catching up. Production networks are often cobbled together with legacy equipment, commercial off-the-shelf (COTS) systems, and complex vendor relationships. Many OEMs rely on third-party manufacturers or contract manufacturers (CMs) that operate semi-independently - and with varying levels of security maturity.
Quick fixes like disabling Wi-Fi or enforcing air-gapped networks are sometimes seen as a stopgap, but these can inadvertently:
The reality? Turning off connectivity doesn't eliminate risk - it just obscures it.
While the whitepaper is not formal guidance, it is a clear signal: FDA is widening its lens on where cybersecurity matters. Just as the 2025 Final Premarket Cybersecurity Guidance clarified expectations for device design, and the 2016 Postmarket Guidance focused on lifecycle management, this whitepaper fills in the missing middle - the manufacturing environment.
It outlines challenges like:
And it proposes familiar yet essential practices:
Medcrypt’s Perspective: Secure Products Require A Secure Factory Floor
At Medcrypt, we believe safe medical devices require a holistic cybersecurity approach across the entire value chain. You can design the most secure device in the world, but if it’s produced in a compromised environment, all bets are off.
One of the critical production-stage risks is cryptographic key provisioning.
Encryption keys underpin everything from device authentication and secure updates to patient data protection. These keys are often generated and injected during manufacturing—making the OT environment a high-value target. A breach at this stage could:
Medcrypt’s Guardian platform was built to address this. It provides:
This ensures that even in complex contract manufacturing setups, OEMs maintain cryptographic control - not just over their designs, but over the trust anchors embedded in their products.
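The key-provisioning split this paragraph argues for, written as an added Go example that is not Guardian's code and does not describe its internals: the device generates its own key pair on the line and releases only a public key plus a proof-of-possession signature, while the OEM-held signing key, which the contract manufacturer never receives, binds that key to a serial only if the OEM released the serial for that lot. The serial strings, the domain-separation labels and the signed-digest credential are assumptions for illustration; a production deployment would issue an X.509 certificate and keep the OEM key in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Enrollment is all that leaves the device: serial, public key and a proof-of-possession signature.
type Enrollment struct {
	Serial string
	Pub    *ecdsa.PublicKey // the matching private key is generated on the device and stays there
	PoP    []byte           // device signature over digest("pop", Serial, Pub)
}

// digest binds a label, a serial and a P-256 public key; fixed-width coordinates keep the encoding unambiguous.
func digest(label, serial string, pub *ecdsa.PublicKey) []byte {
	msg := append([]byte(label+"\x00"+serial+"\x00"), pub.X.FillBytes(make([]byte, 32))...)
	sum := sha256.Sum256(append(msg, pub.Y.FillBytes(make([]byte, 32))...))
	return sum[:]
}

// DeviceEnroll runs on the device during production (hypothetical serial format, e.g. "SN-0001").
func DeviceEnroll(serial string) (*ecdsa.PrivateKey, *Enrollment, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pop, err := ecdsa.SignASN1(rand.Reader, priv, digest("pop", serial, &priv.PublicKey))
	return priv, &Enrollment{Serial: serial, Pub: &priv.PublicKey, PoP: pop}, err
}

// OEMSigner holds the OEM's signing key; the contract manufacturer relays enrollments but never holds it.
type OEMSigner struct {
	Key     *ecdsa.PrivateKey
	Allowed map[string]bool // serials the OEM has released for this production lot
}

// Issue returns the OEM signature binding serial to device key, refusing enrollments that fail proof-of-possession or name an unreleased serial.
func (s *OEMSigner) Issue(e *Enrollment) ([]byte, error) {
	if e.Pub == nil || !ecdsa.VerifyASN1(e.Pub, digest("pop", e.Serial, e.Pub), e.PoP) {
		return nil, errors.New("proof-of-possession failed for " + e.Serial)
	}
	if !s.Allowed[e.Serial] {
		return nil, errors.New("serial not released by OEM: " + e.Serial)
	}
	return ecdsa.SignASN1(rand.Reader, s.Key, digest("oem", e.Serial, e.Pub))
}
```

Because the device private key never crosses the production network, a compromised line can at most request credentials for serials the OEM has already released, and every such request shows up in the OEM's own issuance log.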
While regulators and medical device manufacturers continue to raise the bar on cybersecurity, we also notice a shift in device operators' awareness. As medical device connectivity and software directly impact operational capability, buyers are increasing their focus on security during the purchasing process and have indicated a willingness to pay a higher price for it.
RunSafe’s 2025 Medical Device Cybersecurity Index provides the supporting data and makes clear that security is no longer an IT issue - it is becoming a procurement requirement.
Hospitals and health systems are demanding transparency through SBOMs, built-in security features, and assurance that devices were produced securely - not just designed securely.
The FDA’s whitepaper may not yet be regulatory guidance, but it’s a window into the agency’s thinking—and the broader evolution of medical device oversight.
For manufacturers, this means the bar is rising:
Because in the end, devices are only as trustworthy as the environment that built them.