Security

FDA Tightens Its Medical Device Cybersecurity Guidance for Manufacturers

Legacy medical devices face growing scrutiny as regulators push for stronger cybersecurity, transparency and risk management.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

The Food and Drug Administration issued updated cybersecurity guidance for medical devices, setting stricter requirements that many existing systems — and the software that runs them — cannot meet without significant redesign.

The FDA’s updated guidance, enacted through the omnibus appropriations legislation known as Section 524B, marks a major shift in how device security is regulated. The new framework requires manufacturers to implement security throughout the product lifecycle, including documenting software components, managing vulnerabilities and maintaining secure development processes.

The shift is forcing healthcare providers, federal agencies and manufacturers to rethink how device security is managed across the full lifecycle, rather than relying on retroactive fixes.

Organizations including the departments of Health and Human Services and Veterans Affairs, along with industry groups such as the Health Information Sharing and Analysis Center (Health-ISAC), are working to help health systems align with the FDA’s expectations, improve risk visibility and strengthen protections for connected medical infrastructure.

Click the banner below for a cyber resilience strategy that supports success.

x_security_q325_animated_click_desktop_03

x_security_q325_animated_click_mobile_03

Medical Device Cybersecurity Has Become a Patient Safety Priority

Phil Englert, director of medical device security at Health-ISAC, says he has watched the transformation of medical device security — from a niche technical concern to a critical pillar of patient safety and operational resilience — unfold over decades of working inside hospitals and health systems.

He explains that when cybersecurity first emerged as a concern, few organizations understood the implications. That gap reflected the broader reality of healthcare IT environments, where medical devices represent a relatively small but highly specialized portion of connected infrastructure.

“Medical devices represent between 5% and 11% of the endpoints, while your Internet of Things and operational technology population represents about 30%,” Englert says. “The rest are the traditional IT endpoints we’re used to.”

Today, with connected devices generating vast volumes of clinical data and playing a central role in diagnosis and treatment, securing them has become essential not only for data protection but also for ensuring care delivery itself.

What Are the New FDA Security Requirements for Medical Devices?

The new FDA cybersecurity guidance reflects growing concern that vulnerable devices pose not just technical risks but direct threats to clinical operations and patient safety, particularly as hospitals rely on increasingly connected technologies for monitoring, diagnosis and treatment.

“Vendors must provide a software bill of materials, manage the risks of those components, develop their product under a secure software development program and provide those SBOMs to customers upon demand,” Englert says.

These requirements reflect a broader recognition that cybersecurity directly affects patient safety. Historically, the FDA focused primarily on evaluating whether devices performed their intended medical functions. Now, regulators are also examining whether devices can be compromised or misused.

“Cybersecurity engineering is about preventing devices from doing tasks you don’t want or expect,” Englert says. “The FDA identified this as a software quality issue, which is important because protecting device functionality ensures they remain safe for patient use.”

The stakes are high, particularly given the scale and complexity of healthcare environments: Englert points out a 300-bed hospital generates about 1.37 terabytes of data a day.

“A lot of that comes from medical devices,” he says. “Making sure those devices are available and that the data remains accessible is essential to providing care.”

The key to solving the legacy problem is understanding where the risks reside and incorporating cybersecurity into replacement planning.”

Phil Englert Director of Medical Device Security, Health-ISAC

Do Cyberattacks on Medical Devices Impact Patient Outcomes?

Cybersecurity incidents affecting medical devices can disrupt clinical workflows and delay care, with potentially serious consequences. Englert points to ransomware attacks that have interfered with hospital operations and reduced access to critical systems.

“We’ve seen the real impact on patient safety and availability to deliver care,” Englert says. “It’s about device availability and access to the data those devices generate.”

In ransomware scenarios, even temporary loss of system access can disrupt diagnostic and treatment processes, forcing hospitals to divert patients or delay procedures.

That reality has elevated medical device cybersecurity from a compliance issue to a clinical imperative.

How Can Healthcare Organizations Secure Legacy Medical Devices?

One of the biggest challenges healthcare organizations face is securing legacy medical devices that were not designed with modern cybersecurity protections. These systems often remain in service for years or even decades, creating persistent risk exposure.

“Those legacy device risks were always there, whether we knew about them or not,” Englert says.

Healthcare providers are increasingly deploying new tools and strategies to mitigate those risks without immediately replacing costly equipment. Passive monitoring systems, for example, can identify and track medical devices across hospital networks.

“These tools help classify devices, understand inventory and recognize unexpected traffic,” Englert says.

DISCOVER: Zero trust stands as a secure foundation for healthcare’s IoMT devices.

Network segmentation is another critical safeguard, helping contain potential cyber incidents and preventing attackers from moving freely within hospital environments.

“If one area is impacted, we can limit the blast radius,” Englert says.

Healthcare organizations are also implementing stricter configuration controls and removing unnecessary data from devices.

“Many groups delete unnecessary data so that if a device is accessed, the amount of data exposed is limited,” Englert says.

How Can Vendors and Providers Coordinate Security?

Medical device cybersecurity requires close coordination between healthcare providers and manufacturers. Both parties share responsibility for maintaining device security throughout its lifecycle.

“We realize this is a shared responsibility where we understand what you’re responsible for and you understand what we’re responsible for,” Englert says.

Industry initiatives such as standardized contract language frameworks are helping clarify security expectations and accelerate incident response. These efforts strengthen collaboration and ensure both providers and vendors remain accountable for maintaining device security.

“Developing that rapport and rebuilding that trust improves our ability to detect and recover much more quicky,” Englert says.

Click the banner below to sign up for HealthTech’s weekly newsletter.

While new safeguards can help reduce risk, long-term security requires replacing legacy devices with systems designed for ongoing cybersecurity maintenance.

“The key to solving the legacy problem is understanding where the risks reside and incorporating cybersecurity into replacement planning,” Englert says.

Modern medical devices must support regular updates and patches to remain secure against evolving threats.

“New devices should have the ability to stay current with emerging threats and be patched and updated,” Englert says. “That’s no different than maintaining any other critical system.”

Increasingly, cybersecurity considerations are influencing procurement decisions, ensuring new equipment meets long-term resilience requirements.

How Can Federal Agencies and Providers Collaborate?

Government healthcare providers, including the VA, are active participants in Health-ISAC’s security collaboration efforts. These partnerships help strengthen cybersecurity across public healthcare systems while enabling information sharing with industry partners.

Collaboration allows organizations with greater cybersecurity resources to share knowledge and expertise with smaller providers, strengthening healthcare cybersecurity across the entire sector.

“It’s really good to leverage their expertise and pass that along to benefit our least resourced members,” Englert says.

Ultimately, medical device cybersecurity depends on sustained investment, collaboration and lifecycle management. As healthcare organizations continue to modernize their infrastructure, cybersecurity will remain essential to ensuring both operational continuity and patient safety.

“The real key is making sure devices can adapt and remain secure throughout their lifecycle,” Englert says.

jittawit.21/Getty Images