April 1, 2025
Medical device cybersecurity is evolving rapidly, and regulatory expectations continue to shift as the threat landscape expands. To help medical device manufacturers (MDMs) stay ahead, Medcrypt recently hosted an Ask Me Anything (AMA) webinar featuring industry experts who tackled some of the most pressing cybersecurity regulatory challenges. Here’s a breakdown of the key takeaways from our insightful discussion.
A major concern for MDMs is the flexibility of applying risk-based cybersecurity approaches. The FDA provides guidance that suggests a risk-based approach but doesn’t always explicitly define acceptable levels of risk. A critical takeaway from the discussion is that even if a device is not intended to be network-connected, it may still be categorized as a cyber device, and manufacturers still need to apply cybersecurity principles. If software is embedded within a device, regardless of its connectivity, it remains vulnerable and requires proper security risk management.
Additionally, pre-market submissions must reflect a thoughtful risk-based approach. Submissions with missing cybersecurity elements will likely face deficiencies during FDA review, particularly if critical documents such as threat models, cybersecurity risk assessments, and software bills of materials (SBOMs) are absent, incomplete, or inconsistent.
One of the more nuanced discussions revolved around the FDA’s stance on “likelihood” in cybersecurity risk assessments. The FDA discourages using likelihood in a probabilistic manner but recognizes exploitability as a relevant metric. Standards such as CVSS (Common Vulnerability Scoring System) reference “likelihood of exploitation,” which can be used effectively if framed correctly. Manufacturers should explicitly state that their assessments are not probabilistic but based on exploitability factors, and detail what those factors are and how they are measured.
Threat modeling plays a fundamental role in pre-market cybersecurity submissions. The key is to ensure it is iterative and comprehensive, accounting for all use cases — including non-clinical aspects such as software updates and failsafe mechanisms. The FDA expects manufacturers to justify their scoping decisions and include all relevant system interfaces in their threat models.
For software-based and cloud-hosted medical devices, cybersecurity documentation should map to the FDA’s guidance. The best approach is to use the FDA’s eSTAR template as a roadmap, even if submitting in a different format, to ensure all required documentation is included in a structured and logical manner.
The role of SBOMs in medical device cybersecurity has gained significant attention. The FDA has statutory authority to request machine-readable SBOMs that include minimum elements such as supplier name, component name, version number, and dependency relationship, among others. The FDA has also explicitly stated that it expects the MDM to provide software component support information, including level of support and end-of-support dates. However, challenges arise when this information is unavailable, particularly for open-source components. In such cases, the best practice is to document whatever information is available and to threat model what could go wrong if a software component stops being maintained and becomes vulnerable; that analysis supports the risk assessment for unknown or unsupported components.
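As an added illustration (not code from the webinar or from Medcrypt), the check below walks a constructed CycloneDX-style SBOM and flags, per component, the gaps a reviewer would ask about: missing minimum elements, no declared dependency relationship, unknown support level, and end-of-support dates that are missing or already past. The property names `example:support-level` and `example:end-of-support` are assumptions made for this example, since neither CycloneDX nor the FDA guidance fixes a field name for support status.

```python
import json
from datetime import date

# Constructed SBOM in a CycloneDX-style JSON layout, not a real device's SBOM.
# The property names "example:support-level" and "example:end-of-support" are
# assumptions for this example; they are not standard CycloneDX or FDA fields.
SBOM_JSON = """
{
  "components": [
    {"bom-ref": "c1", "supplier": {"name": "ExampleVendor"}, "name": "libtls",
     "version": "3.1.0", "properties": [
        {"name": "example:support-level", "value": "full"},
        {"name": "example:end-of-support", "value": "2027-06-30"}]},
    {"bom-ref": "c2", "name": "oldparser", "version": "0.9",
     "properties": [{"name": "example:end-of-support", "value": "2023-01-01"}]},
    {"bom-ref": "c3", "supplier": {"name": "Community"}, "name": "jsonlib"}
  ],
  "dependencies": [{"ref": "c1", "dependsOn": []}, {"ref": "c2", "dependsOn": ["c1"]}]
}
"""

MINIMUM_FIELDS = ("supplier", "name", "version")  # plus dependency relationship

def check_sbom(sbom_text, as_of_iso):
    """Return {bom-ref: [finding, ...]} for components that need attention in the
    submission: missing minimum elements, no declared dependency relationship,
    unknown support status, or an end-of-support date already past as_of_iso."""
    sbom = json.loads(sbom_text)
    declared = {d["ref"] for d in sbom.get("dependencies", [])}
    findings = {}
    for comp in sbom["components"]:
        issues = [f"missing minimum element: {f}" for f in MINIMUM_FIELDS if not comp.get(f)]
        if comp["bom-ref"] not in declared:
            issues.append("no dependency relationship declared")
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if "example:support-level" not in props:
            issues.append("support level unknown")
        eos = props.get("example:end-of-support")
        if eos is None:
            issues.append("end-of-support date unknown")
        elif date.fromisoformat(eos) < date.fromisoformat(as_of_iso):
            issues.append(f"out of support since {eos}")  # candidate for threat modelling
        if issues:
            findings[comp["bom-ref"]] = issues
    return findings

if __name__ == "__main__":
    for ref, issues in check_sbom(SBOM_JSON, "2025-04-01").items():
        print(ref, "->", "; ".join(issues))
```

Components that come back clean still need their support information carried into the submission; the findings list is only the starting point for documenting what is known and threat modelling what is not.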
Penetration testing (pen testing) remains an area where regulatory expectations continue to evolve. While traditional IT pen testing methodologies exist, they often require adaptation for medical device applications. Frameworks such as OWASP’s IoT Penetration Testing Guide and MITRE’s ATT&CK framework for ICS provide useful starting points. However, manufacturers must ensure their pen testing strategies align with product security requirements rather than general IT security approaches. They also need to ensure that the penetration testing teams produce reports with the relevant information that FDA’s guidance recommends, including a narrative about the independence of the testers from the developers and the credentials of the personnel performing the testing. These elements are often missing in pen test reports submitted to FDA.
Vulnerability management also extends beyond scoring mechanisms such as CVSS. A holistic approach that incorporates additional data, such as EPSS (Exploit Prediction Scoring System) and real-world exploitability information, can enhance risk prioritization. Nonetheless, these systems should be used to supplement — not replace — the expertise of development and security teams.
For MDMs seeking market approval in both the U.S. and the EU, understanding regulatory differences is crucial. The FDA provides more prescriptive cybersecurity guidance through its pre-market and post-market cybersecurity guidelines, whereas the EU’s MDR and IVDR regulations rely on referenced standards rather than direct cybersecurity-specific guidance. One key difference is the role of Notified Bodies in the EU, which perform the market approval assessment but also conduct cybersecurity audits and have begun implementing unannounced inspections.
As regulatory expectations tighten, MDMs must adopt proactive cybersecurity strategies rather than treating compliance as a checkbox exercise. The key is to integrate cybersecurity into the software development lifecycle, maintain comprehensive documentation, and anticipate regulatory scrutiny in pre- and post-market phases.
This AMA session reinforced that staying ahead in cybersecurity isn’t just about compliance — it’s about patient safety, regulatory longevity, and market trust. If you missed the live discussion, stay tuned for more insights from Medcrypt’s experts as we continue to decode the complexities of medical device cybersecurity.
For more resources and guidance reach out to our team at info@medcrypt.com.