Whitepaper

Bridging the Gap: Understanding System Limitations in Secure Connectivity for Medical Devices

Why Secure Implementation Still Lags – Even When Devices Support Secure Standards

Reading time: 12 minutes

August 5, 2025

Even when medical devices support secure communication protocols like HL7, DICOM, or ASTM, real-world implementation often falls short, leaving vulnerabilities that aren't addressed during FDA review. This white paper explores the systemic disconnects between device vendors, hospitals, and regulators that lead to insecure deployments. We examine why secure connectivity remains elusive, highlight the technical and organizational barriers within HDOs, and offer actionable recommendations to align stakeholders and improve cybersecurity outcomes.

Executive summary

Secure communication between medical devices and health information systems is now a regulatory expectation, but in practice, adoption of secure standards like HL7, DICOM, and ASTM remains inconsistent. This whitepaper explains the disconnect between regulatory guidance and real-world deployment, showing how infrastructure limitations, legacy systems, and divided regulatory responsibilities contribute to insecure implementations. Drawing on real examples and audits, it identifies systemic barriers to secure connectivity and provides actionable recommendations for device manufacturers, healthcare organizations, and regulators to bridge the gap.

Why it matters

The FDA requires manufacturers to support secure connectivity as part of device cybersecurity, yet most hospitals operate on infrastructures that can't, or don't, enforce it. While device manufacturers fall under FDA oversight, healthcare delivery organizations (HDOs) are governed by HIPAA, creating a regulatory blind spot where secure system integration is no one's responsibility. This paper outlines how that gap undermines both patient safety and compliance, and what all parties can do to drive progress toward true system-level security and interoperability.

Who should read

  • Medical Device Manufacturers (MDMs): regulatory, engineering, and product security teams demonstrating secure interoperability in FDA submissions.
  • Healthcare Delivery Organizations (HDOs): IT, clinical engineering, and security teams maintaining HIS/LIS/PACS/RIS infrastructures.
  • Regulators and Policymakers: professionals working across FDA, OCR, or international equivalents on coordinated oversight.
  • System Integrators and Vendors: interoperability specialists and network engineers designing mixed legacy-modern healthcare environments.

Key insights

  • Device-side secure protocol support does not guarantee secure deployment.
  • Regulatory oversight gaps between FDA and HIPAA create systemic weaknesses.
  • Most hospitals still operate on outdated HL7/DICOM configurations due to complexity and cost.
  • Real-world breaches demonstrate that lack of interoperability coordination leads to real patient-care disruption.
  • Cross-industry collaboration and secure-by-default configurations are essential to closing the gap.

Table of contents

  1. Introduction & Objectives
    1. Purpose of the paper and overview of secure communication challenges
    2. What readers will gain: clarity on misalignments, case studies, and actionable guidance
  2. Section 1: The Regulatory Disconnect
    1. FDA expectations for device-level security and interoperability
    2. HIPAA’s jurisdiction and the hospital-side implementation gap
    3. Real-world case: the 2018 SingHealth breach and the consequences of fragmented responsibility
  3. Section 2: Real-World Limitations in HDO Infrastructure
    1. Overview of common protocols (HL7, ASTM, LIS) and their secure variants
    2. Why many LIS and HIS systems disable secure options (compatibility, cost, complexity)
    3. DICOM and HL7 in imaging systems: outdated configurations and weak defaults
    4. Global audit findings: millions of unsecured DICOM records exposed
    5. Cultural factors: “internal traffic doesn’t need encryption” mindset
  4. Section 3: The Complexity of “Just Use a Secure Version”
    1. Why technical feasibility ≠ deployment reality
    2. Challenges in implementing TLS and mutual authentication at scale
    3. Infrastructure requirements: key management, configuration, and maintenance burdens
    4. Lack of standardized mandates, training, and industry-wide research
    5. Case data: 3,800 DICOM servers in 110 countries found unencrypted
  5. Section 4: Recommendations by Stakeholder
    1. For FDA Reviewers:
      1. Differentiate between device-capable and system-dependent security
      2. Encourage risk-based labeling and transparent documentation
    2. For Manufacturers:
      1. Default to secure configurations and clear documentation
      2. Provide HDO-ready deployment guides and training
    3. For HDOs and Policymakers:
      1. Invest in skills, tooling, and governance for secure protocol adoption
      2. Establish cross-sector best-practice frameworks and joint task forces
  6. Section 5: Conclusion — Shared Responsibility for Secure Connectivity
    1. Why device manufacturers, HDOs, and regulators must align expectations
    2. Lessons from major ransomware incidents (Ireland HSE, New Zealand Waikato DHB)
    3. Secure connectivity as a lifecycle collaboration, not a compliance checkbox