Introduction

In an era of connected healthcare, medical devices are no longer isolated appliances — they form integral parts of hospital networks, software ecosystems, and patient data flows. While connectivity enables advanced functionalities, it also introduces cyber risk. A cyberattack or vulnerability exploit in a medical device can, in the worst case, affect patient safety, data integrity, service continuity, or confidentiality.

This insight article provides (1) a panorama of the regulatory & technical landscape, (2) examples of near-misses and incidents, and (3) lessons learned and guidance for manufacturers, healthcare providers, and stakeholders.

The Regulatory & Technical Landscape

Regulatory Guidance & Expectations

• In the U.S., the FDA's "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" is a foundational guidance, updated in June 2025. It requires manufacturers to incorporate cybersecurity risk management across the product life cycle, provide vulnerability-handling plans (e.g., for Section 524B devices), and integrate cybersecurity into design controls and postmarket surveillance.¹^,²
• The FDA also emphasizes the need for Secure Product Development Frameworks (SPDFs), which embed security activities (threat modeling, vulnerability assessments, patching) into the development lifecycle.³
• In Europe, the MDCG 2019-16 Rev.1 guidance remains the key reference under the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) for lifecycle cybersecurity, including risk assessment, software updates, and vulnerability handling.
• Regulatory bodies now expect near-misses or "non-harmful cybersecurity events" to feed into postmarket surveillance (PMS) and risk management processes.

The Threat Landscape & Trends

• A report from Runsafe Security found that 22% of healthcare organizations experienced cyberattacks targeting medical devices, and among those, 75% of incidents disrupted patient care.⁴
• Over 1.2 million medical devices have been found openly exposed to the internet, allowing attackers to access sensitive data in some cases.⁵
• Legacy or unsupported systems continue to be a major risk vector. For example, GE HealthCare issued a recall of older models of its "Muse 5" cardiology system due to critical security risks.⁶
• Recently, Masimo (a medical device manufacturer) disclosed a cyberattack that impaired order processing and shipping capabilities, affecting business continuity.⁷
• In early 2025, the FDA flagged cybersecurity risks in Contec and Epsimed patient monitors — vulnerabilities that could allow unauthorized remote access or manipulation. Although no incidents or injuries have yet been reported, these are considered near-miss signals.⁸

Selected Incidents & Near Misses

Lessons Learned & Best Practices

1. Embed cybersecurity from day one.
   Adopt a Secure Product Development Framework (SPDF) so that threat modeling, secure coding, fuzzing, and security validation occur alongside functional development.
2. Manage vulnerabilities proactively.
   Maintain a Vulnerability Handling Process (e.g., coordinated vulnerability disclosure), track a Software Bill of Materials (SBOM), and define patching/update pathways.
3. Treat near-misses as first-class signals.
   Even if no harm occurs, anomalies, attempted intrusions, or discovered vulnerabilities should feed into the risk management and PMS system.
4. Address legacy system risks.
   Deploy compensating controls (network segmentation, monitoring, intrusion detection) or plan for decommissioning/upgrades when security patching is impossible.
5. Ketenrisico (supply chain and vendor risk)
   Ensure that third-party components, connectivity modules, or service vendors adhere to cybersecurity requirements. Control remote access surfaces.
6. Continuous monitoring & threat intelligence.
   Monitor CISA/CISA ICS advisories, FDA safety communications, known CVEs, and sector-specific alerts.¹⁰
7. Transparency & stakeholder communication.
   Maintain clarity in labeling, user guidance (e.g., "security update required"), end-of-life policies, and incident response procedures.
8. Align with risk frameworks & standards.
   Integrate ISO 14971 (risk management) with cybersecurity risk practices. Use NIST, IEC 62304, and standards like AAMI TIR-57 for guidance.

Secure Product Development Framework (SPDF)

A Secure Product Development Framework (SPDF) is a set of processes designed to embed security into every stage of a product's lifecycle, from design to decommissioning. This proactive approach aims to reduce and mitigate product vulnerabilities and is particularly emphasized by the FDA for medical devices, requiring manufacturers to integrate cybersecurity measures throughout development and maintenance. Key components include risk management, secure design, testing, secure communications, and postmarket surveillance.

Key components of an SPDF

• Risk Management: Involves proactively identifying, evaluating, and mitigating cybersecurity risks throughout the product's life.
• Design and Development Controls: Ensures security is integrated into the design phase, not added as an afterthought. This includes "security by design" principles.
• Information Security Management: Establishes policies and controls to safeguard data and protect against breaches.
• Secure Communications: Protects data both when it is stored and when it is in transit.
• Postmarket Surveillance and Response: Includes continuous monitoring of devices in the field to identify and address vulnerabilities, often through patching and updates.
• Threat Modeling: Analyzing potential vulnerabilities early in the process to proactively address them.
• Regulatory Compliance: Adhering to relevant regulations, such as FDA guidelines, HIPAA, and other cybersecurity standards like IEC 81001-5-1.

Why SPDF is important

• Reduces vulnerabilities: By building security in from the start, it helps prevent and reduce the number and severity of security gaps.
• Ensures safety and trust: For connected devices, especially medical ones, security is critical for user safety, data privacy, and maintaining public confidence.
• Meets regulatory requirements: Frameworks like the FDA's SPDF are essential for medical device manufacturers to meet regulatory obligations and for premarket submissions.
• Simplifies the development process: Integrating security early can streamline development and avoid costly and time-consuming security-related delays later on.

Footnotes (sources):

1. FDA: "Cybersecurity in Medical Devices" guidance, June 2025, U.S. Food and Drug Administration
2. FDA: Quality system & premarket submission guidance U.S. Food and Drug Administration+1
3. Summary / SPDF approach in commentary on FDA guidance Cobalt+2Regulatory knowledge for medical devices+2
4. Runsafe report: 22 % of organizations, 75 % impacted patient care, Industrial Cyber
5. Over 1.2M devices exposed on the Internet, Cybernews
6. GE recalls Muse 5 cardiology systems, Cardiovascular Business
7. Masimo's cyberattack affects order fulfillment. The Record from Recorded Future+1
8. FDA identifies risks in Contec / Epsimed patient monitors (no harm reported yet) U.S. Food and Drug Administration+3Reuters+3Reuters+3
9. SimonMed Imaging data breach (1.2 million patients), TechRadar
10. CISA / ICS medical cybersecurity advisories CISA