Research, not marketing

Even when medical devices support secure communication protocols like HL7, DICOM, or ASTM, real-world implementation often falls short—leaving vulnerabilities that aren't addressed during FDA review. This white paper explores the systemic disconnects between device vendors, hospitals, and regulators that lead to insecure deployments. We examine why secure connectivity remains elusive, highlight the technical and organizational barriers within HDOs, and offer actionable recommendations to align stakeholders and improve cybersecurity outcomes.

Since the FDA released their Postmarket Cybersecurity Guidance in 2016, the monthly rate of ICS-CERT medical device advisories has increased by 386%, but appears to have plateaued from 2022 through 2024.

With increasing concerns about cyber attacks, and the implications on national security, governments and regulators are raising the bar on cybersecurity. As a result, implementing robust security capabilities and demonstrating their sufficiency has become a critical requirement for medical device manufacturers seeking FDA approval.

This whitepaper outlines the medical device software lifecycle processes and details the necessary documentation and activities required to meet newcybersecurity requirements. We will cover best practices for integrating cybersecurity throughout the medical device lifecycle, from design to post-market management. Key global regulatory expectations from the FDA and EU will be highlighted, along with insights into common challenges that result in approvalrejections. Additionally, the document will include examples of regulatory body responses and real-world feedback from the past year, guiding manufacturers toward improved compliance and enhanced product security.

Implementing cybersecurity for modern medical devices requires compliance with complex regulations as well as adoption to a changing healthcare ecosystem where hospital networks are considered inherently hostile, devices are increasingly integrated, and data is moving into the cloud. Getting cybersecurity right requires mature processes, careful design considerations, and finding the right balance between the desired level of security and a device’s capabilities and utility. Getting cybersecurity wrong can have significant ramifications for patient safety, regulatory compliance and approval, and business and reputation. Read more for an introduction to achieving device security through cryptography.

The root causes associated with medical device cybersecurity disclosures to date, reveals 81.8% of the related root causes would be impacted by the implementation of monitoring practices.

The Food and Drug Administration (FDA) issued an updated draft of the Premarket Cybersecurity Guidance in April 2022 which, when combined with existing finalized Postmarket Management of Cybersecurity in Medical Devices Guidance, specifies process and technical requirements to ensure medical devices are “secure by design” and that their security posture can be maintained over the lifetime of the device. In this paper we propose a hypothetical medical device vendor’s mature cybersecurity program that complies with FDA guidance, and we will analyze the processes and tools that aid in their success.

In the 2022 update of our annual ICS-CERT cybersecurity disclosure analysis, we found that the rate of medical device advisories has increased by 490% since the release of the FDA Postmarket Cybersecurity Guidance in 2016, but appears to have plateaued. Read about the latest medical device vulnerability data trends and predictions for the future.

Software bills of material (SBOM) capture software used in products. SBOMs are prerequisites to proactive product security, as well as vulnerability and risk management programs. However, extracting the full potential value of SBOMs at scale will take sustained effort, requiring tooling to overcome inherent complexities.

The sobering reality is that all the promise held in technology advancing healthcare is foundationally reliant on security. Unfortunately, not only does the healthcare supply chain inherit what makes information security hard, healthcare additionally inherits economic constraints that allow security debt to pass to consumers. Watch the webinar where Seth explores the six constraints: https://youtu.be/1pYlbqkM9Ew

With medical devices being increasingly network-connected, we leveraged our collective expertise in medical device security and clinical risk management, to provide a holistic analysis of vulnerabilities in the medical device space through the assessment of clinical case studies using quantitative analytics, and a discussion of incident prevention recommendations.

There is no silver bullet. Complying with FDA cybersecurity regulations requires a variety of processes and technologies. A hypothetical device vendor’s approach to securing their product is analyzed, and leading tools are identified.

In this paper we highlight the specific cybersecurity requirements that can be satisfied using various features of MedCrypt.

Medical device cybersecurity requirements from global regulators will continue to evolve as the industry and ecosystem matures. The industry must be cautious against over reliance on “security frameworks” and must rapidly iterate to keep up with emerging technology best practices.

International regulators as well as customers are expecting Medical Device Manufacturers to deliver proactively secured devices. A deep dive into the unique considerations when threat modeling for medical devices.

An analysis of ICS-CERT cybersecurity disclosures reveals no correlation between a vulnerability’s CVSS score and the likelihood a patch will be made available by the manufacturer.