• Published 15 Dec 2025
• Last Modified 15 Dec 2025
• 10 min

5 Best Practices for Cybersecurity in Medical Devices

Cybercriminals target more than patient data and IT networks. They now go after medical devices, increasing the risk to patients. Legislative responses to these threats mean manufacturers and healthcare providers must meet new, higher standards.


Regulators have tightened laws on medical device manufacturers to ensure their products are cybersecure. Releasing safe and clinically effective devices isn't enough anymore. Now your devices must have protection built in from the ground up, from product development through the entire lifecycle. 

The threat is substantial: A recent survey showed more than one-third of healthcare executives believe device security is their most pressing concern.

This article will help you understand the new standards you face in key markets, including the EU's Medical Device Regulation and the latest US Food & Drug Administration rules. 

We also detail five best practice approaches for your business to adopt, along with insights from Prof. Yang Wei, Professor of Wearable Technology, Lead of the Smart Wearable Research Group (SWRG), and MTIF Fellow in Smart Medical Textiles and Wearable Technologies at Nottingham Trent University.

Cybersecurity Risks of Medical Devices

Cybercriminals have long been a threat to the healthcare sector. For years, hackers have used ransomware attacks to lock physicians out of systems and steal patient data. 

The most high-profile attack of this kind was the 2017 WannaCry incident that crippled parts of the UK's National Health Service (NHS). Attacks like these still occur, but the attack surface has grown. Cybercriminals are now also targeting the devices connected to patients.

Prof. Wei discusses how data being collected by medical devices can be at risk of cyberattacks, as well as how those in the industry are looking to safeguard this data:

“People also always talk about privacy. How much data, and what kind of data, are we going to acquire from participants? How are we going to handle that? What of that data will be disclosed?

That's something a lot of people are quite cautious about; whether they really want some gadgets to measure their data in real time. A lot of people are concerned about privacy and data disclosure, and there are even other innovations which they don't want to disclose. So the privacy issue is key. 

There are two strands at the moment. One is to process the data as normal, collect everything locally and transmit it to a server, then the data will be processed on the server. It has the advantage of high performance, high computation power, and being easy to control. However, the downside is that once the server is hacked, all the information will be lost.” 

RunSafe Security surveyed 605 healthcare decision-makers, highlighting this shift. 22% reported their organisations had experienced an attack on medical devices. Two-thirds of respondents stated that those breaches affected the care of patients. As a result, 35% now say medical devices are their top cybersecurity concern. 

Health authorities agree, as they regularly issue warnings about these types of vulnerabilities.  

For example, in 2019, the NHS reported on a security issue with Medtronic's insulin pumps. The weakness meant hackers could gather patient data and even control insulin delivery if they gained access. 

Another example was the 2025 US Food & Drug Administration (FDA) safety communication on Contec and Epsimed patient monitors. A flaw in the devices meant unauthorised users could identify and extract a patient's personal and health information.

These all point to the need for up-to-date and actionable cybersecurity solutions for medical devices.

Standards in the UK, EU, and US

These cyber threats are significant, and legislators around the world are keen to catch up. The new laws they've passed apply not just to the development of devices but also to how you manage them post-launch. 

The foundation is ISO 14971:2019, the international standard for medical device risk management; cybersecurity risks are analysed within that process rather than in a separate one. For the software itself, the International Electrotechnical Commission developed IEC 62304, which covers the entire software lifecycle, from initial development to long-term maintenance. IEC 81001-5-1:2021 then adds the security-specific activities to that lifecycle: threat modelling, secure implementation, security testing, and vulnerability handling after release.

Prof. Wei speaks briefly about how standards and policies in the UK are handled with medical devices. He discusses how they differ from companies working on products adjacent to medical tech, such as well-being devices:

“A lot of companies want to move into the medical device domain, but the regulatory approval can take years. They can't wait for years because their business can't survive for that long, so they brand their product as a consumer electronic, such as a health and well-being device. 

Meanwhile, in the background, they are doing clinical tests with support from their main business with their ‘health and well-being device’. By the time they get to the stage where they can claim it is a medical device, that's the time when they claim it is a medical device. That's the strategy to try to get around that. 

However, it’s different from the research point of view; we can't get around this regulatory approval. Even when we do testing at the university, we still need ethical approval, NHS approval, all those things. So, I think that's the main hurdle at the moment, unless we completely change the policy tomorrow.”

Below is a brief overview of the cybersecurity-related standards manufacturers need to follow in different parts of the world:

EU Standards

In the EU, manufacturers have been required to carry the CE Mark confirming compliance with the Medical Device Regulation (MDR) since May 2021. Annex I of the MDR requires software to be developed to the state of the art, explicitly including information security, and the MDCG 2019-16 guidance sets out what that means in practice. Devices used to test patient samples must adhere instead to the In Vitro Diagnostic Regulation (IVDR). 

Older devices, passed under the previous Medical Devices Directive (MDD) or Active Implantable Medical Devices Directive (AIMDD) rules, are still legal, but only if they meet certain conditions.

They aren't the only laws that apply in the EU. The General Data Protection Regulation (GDPR) is relevant because medical devices handle patient data. 

Laws affecting your customers also affect your business. Both the GDPR and the NIS Directive apply to healthcare providers, requiring them to maintain a secure digital network and protect patient data. 

This means they will only buy devices they can integrate into their own environment without breaking those obligations: devices that can be patched, that log security events, and that do not ship with shared default credentials. Your products therefore need to support your customers' NIS compliance by default. 

The NIS2 Directive, which member states had to transpose by October 2024, raised security and incident-reporting requirements further, and it names manufacturers of medical devices among the entities in scope. These obligations now reach you directly as well as through your customers.

UK Standards

Post-Brexit, the UK still closely mirrors many EU laws. Britain has its own NIS Regulations (2018) and the Data Protection Act 2018, which sits alongside the UK GDPR. Digital health technologies bought by the NHS, which includes software-driven medical devices, must also meet the Digital Technology Assessment Criteria (DTAC), covering clinical safety, data protection, technical security, and interoperability.

US Standards

In the US, section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act, in force since March 2023, requires premarket submissions for "cyber devices" (devices that run software and can connect to the internet) to show the device is cybersecure. Under this law, cybersecurity needs to be a key consideration at every step: the initial design of the product, its development, testing, and post-release support, including a plan to monitor, identify, and address vulnerabilities after launch and a software bill of materials for the submission. 

The rules also apply when you make significant changes to an existing product that require a new submission. 


Best Cybersecurity Practices for Medical Devices

As an expert in medical technology, Prof. Wei is familiar with projects that require managing cybersecurity. He provides insights into these practices:

“[One method of managing cybersecurity] is with decentralised data, which might help avoid cyber attacks. 

At the moment, we have centralised data in a few NHS servers across the country. That might not be a big risk, but that's something we do; to encrypt that as much as we can locally and then only give encrypted data to other people. 

If they have no key, they don't know the meaning of the information outcome, and they don't know the front-end information.”

In general, there are five best practices to ensure your medical devices meet cybersecurity guidelines:

1. Secure by Design

The most impactful practice for medical device cybersecurity is making your products "secure by design". This means that cybersecurity is a priority at the start and throughout your development cycle. 

Identify and map out potential threats for every interface the device exposes (wireless links, service and debug ports, companion apps, cloud back ends) and create a plan to mitigate each one, recording the residual risk you accept. Test each security control before the product reaches the market, keeping detailed records at each stage so the evidence is ready for a regulator. Follow the FDA's quality system considerations and IEC 81001-5-1:2021 for life cycle security management.

Prof. Wei provides insights into how medical and well-being devices can be designed with security in mind, as well as the challenges to consider:

“Take, for example, Apple Watches and other smart watches. They normally communicate with a device and then to the Cloud. There is always something in the middle; you have a tablet or a phone, and you've got the SIM card inside. 

“They talk to the Cloud straight away. There is an encryption somewhere on the device, rather than on the server, to protect the user's data privacy. 

“That's the process, but it might have a downside. For example, with device manufacturing, health providers have no idea about the meaning of the data if it has been encrypted. 

“If the owner of the data has lost the ‘key’, there is no way we can get access to the data. So, they just basically lost the useful information.”

2. Supply Chain Management

Supply chain management is another key factor. On the software side, you should keep a machine-readable list of every software component and its version, known as a software bill of materials (SBOM); in the US, section 524B makes one a required part of the premarket submission. An SBOM lets you track third-party dependencies and match them against vulnerability advisories, both at build time and on a schedule after release, so you learn about a newly disclosed flaw in a library before your customers do. 
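As an added example, not code from the page or from any vendor's tooling, here is how a build pipeline could check a CycloneDX SBOM against an advisory feed before release and again whenever new advisories arrive. The SBOM, the advisories and their "EXAMPLE-" identifiers are all constructed for illustration (they are not real CVEs), and the version ordering is a simple dotted-numeric compare; a production pipeline would pull advisories from a feed such as OSV or the NVD and use a version-scheme-aware comparator.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component carries the only CycloneDX fields this check needs; encoding/json
// matches names case-insensitively, so "name", "version", "purl" bind without tags.
type Component struct{ Name, Version, PURL string }

// Advisory is a constructed vulnerability record in the spirit of an OSV entry:
// versions from Introduced (inclusive) up to Fixed (exclusive) are affected.
type Advisory struct{ ID, Package, Introduced, Fixed string }

// Finding links a shipped component to an advisory that affects it.
type Finding struct{ Component, Version, AdvisoryID, FixedIn string }

// SampleSBOM is a constructed CycloneDX 1.5 document for a hypothetical
// firmware image; the components and versions are illustrative only.
const SampleSBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "mbedtls", "version": "2.28.3", "purl": "pkg:generic/mbedtls@2.28.3"},
    {"type": "library", "name": "lwip",    "version": "2.1.3",  "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "library", "name": "zlib",    "version": "1.3.1",  "purl": "pkg:generic/zlib@1.3.1?arch=armv7"}
  ]
}`

// SampleAdvisories is a constructed feed; the IDs are placeholders, not real CVEs.
var SampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2024-0001", Package: "pkg:generic/mbedtls", Introduced: "2.0.0", Fixed: "2.28.4"},
	{ID: "EXAMPLE-2023-0002", Package: "pkg:generic/zlib", Introduced: "1.2.0", Fixed: "1.3.0"},
}

// splitPURL separates "pkg:type/name@version?qualifiers#subpath" into package
// and version, dropping qualifiers and subpath.
func splitPURL(purl string) (pkg, version string) {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	if i := strings.LastIndex(purl, "@"); i >= 0 {
		return purl[:i], purl[i+1:]
	}
	return purl, ""
}

// segment returns the i-th dotted segment as an int (missing or non-numeric = 0).
func segment(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// CompareVersions orders dotted numeric versions: -1, 0 or 1. Real feeds need a
// scheme-aware comparator (semver pre-releases, Debian epochs and so on).
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := segment(as, i), segment(bs, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// CheckSBOM returns every component whose version lies in an affected range.
func CheckSBOM(sbomJSON string, advisories []Advisory) ([]Finding, error) {
	var doc struct{ Components []Component }
	if err := json.Unmarshal([]byte(sbomJSON), &doc); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var findings []Finding
	for _, c := range doc.Components {
		pkg, ver := splitPURL(c.PURL)
		if ver == "" {
			ver = c.Version // purl without a version: fall back to the version field
		}
		for _, a := range advisories {
			if a.Package == pkg && CompareVersions(ver, a.Introduced) >= 0 && CompareVersions(ver, a.Fixed) < 0 {
				findings = append(findings, Finding{c.Name, ver, a.ID, a.Fixed})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := CheckSBOM(SampleSBOM, SampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("BLOCK RELEASE: %s %s affected by %s, fixed in %s\n", f.Component, f.Version, f.AdvisoryID, f.FixedIn)
	}
}
```

Run on the sample data this flags mbedtls 2.28.3 (inside the constructed affected range) and clears zlib 1.3.1 (at or above its constructed fix version). The same check belongs in two places: as a release gate that fails the build, and as a scheduled job over the SBOMs of every firmware version still in the field, because a component that was clean at release can be the subject of a new advisory years later.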

Hardware is also an important consideration. You should verify that all physical chips are genuine and come from a trusted source, and keep a record of each part's provenance so you can trace an affected batch. This is one of the best ways to stop counterfeit or malicious parts from creating vulnerabilities. 

Incidents like Spectre and Meltdown show that even trusted components can have weaknesses. Even when you take supply chain precautions, you need an update process to fix post-launch flaws.

3. Device Hardening

Device hardening is another important factor. This makes your devices as tough as possible for attackers to get into. Useful software safeguards include eliminating shared factory-default passwords (issue per-device credentials and force a change at commissioning), disabling unused services and debug interfaces, and requiring stronger user authentication. Make your device harder to breach with secure microcontrollers and hardware authentication chips that keep keys where firmware cannot read them out.

As Prof. Wei states:

“The standard is to try to get rid of the sensitive information as much as you can. However, for medical devices, that's not the case because we’ve got to link the data with the medical record. One way to get around it is to have all the data stored locally without passing it to a server. 

The downside is that you can't share the data, and you can't manage the data easily with local storage. So, the other way to have it is to encrypt the data locally, and then only the encrypted data is passed onto the server to be processed. Even if the data got hacked, they've only got anonymised data, so there’s nothing of value from the hacker's point of view. 

For example, P1, P2, P3; they’ll have no idea what those things mean. Only people with access to the local device will know what P1, P2, and P3 mean. Only the data being processed locally can use encryption methodology or a key, when P1 might correspond to a certain patient or a certain patient group.”
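The keyed pseudonym scheme Prof. Wei sketches above (the server sees P1, P2, P3; only the device can say who they are) can be built with an HMAC under a device-held key. The following is an added example, not code from the page or from Prof. Wei's group; the patient IDs, readings and key are constructed, and the secure-element key storage it mentions is assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Reading is what the device captures; PatientID is the local identifier
// that must never leave the device in the clear.
type Reading struct {
	PatientID string
	HeartRate int
}

// Record is the only thing sent to the server: a pseudonym plus the measurement.
type Record struct {
	Pseudonym string
	HeartRate int
}

// Pseudonymiser holds the device-local key and the reverse mapping. Both stay
// on the device (the key ideally in a secure element); the server sees neither.
type Pseudonymiser struct {
	key    []byte
	lookup map[string]string // pseudonym -> patient ID
}

func NewPseudonymiser(key []byte) *Pseudonymiser {
	return &Pseudonymiser{key: key, lookup: make(map[string]string)}
}

// Pseudonym derives a stable token for a patient with HMAC-SHA256 under the
// device key. A plain SHA-256 would not do: patient identifiers have little
// entropy (a ten-digit number, say), so anyone holding the server data could
// hash every candidate ID and reverse the tokens. With HMAC, that needs the key.
func (p *Pseudonymiser) Pseudonym(patientID string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(patientID))
	tag := hex.EncodeToString(mac.Sum(nil))[:16] // 64 bits: ample for linkage
	p.lookup[tag] = patientID
	return tag
}

// Export replaces identifiers with pseudonyms before anything leaves the device.
func (p *Pseudonymiser) Export(readings []Reading) []Record {
	out := make([]Record, 0, len(readings))
	for _, r := range readings {
		out = append(out, Record{Pseudonym: p.Pseudonym(r.PatientID), HeartRate: r.HeartRate})
	}
	return out
}

// Resolve maps a pseudonym back to the patient; only code on the device can do this.
func (p *Pseudonymiser) Resolve(pseudonym string) (string, bool) {
	id, ok := p.lookup[pseudonym]
	return id, ok
}

func main() {
	// Constructed sample data; a real key would come from the device's secure storage.
	device := NewPseudonymiser([]byte("constructed-device-key-not-for-production"))
	readings := []Reading{
		{PatientID: "PT-0001", HeartRate: 72},
		{PatientID: "PT-0002", HeartRate: 88},
		{PatientID: "PT-0001", HeartRate: 75},
	}
	for _, rec := range device.Export(readings) {
		fmt.Printf("server receives: %s %d\n", rec.Pseudonym, rec.HeartRate)
	}
	// The same patient always gets the same token, so the server can still
	// analyse trends per pseudonym; only the device can say who that is.
	id, _ := device.Resolve(device.Pseudonym("PT-0001"))
	fmt.Println("device resolves to:", id)
}
```

One caveat: replacing identifiers this way is pseudonymisation, not anonymisation. Under the GDPR (Article 4(5)) pseudonymised data is still personal data because the device holds the means of re-identification, so the server side still needs access control and encryption; what you gain is that a breach of the server alone does not reveal whose readings they are.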

4. Secure Update Processes

Fixing post-launch flaws requires a secure update process. An important part of this is a signed update mechanism for your healthcare device. This is where you (or a trusted supplier) digitally sign every release of software, firmware, or patches with a private key kept offline or in a hardware security module, and the device verifies that signature against a public key pinned in it before installing anything. 

The benefit of this process is that it confirms the code's origin, authenticity, and integrity, ensuring no one has tampered with it. Pair it with a version check so that a signed but older image cannot be reinstalled to bring back a flaw you have already fixed.
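An added example, not the page's or any manufacturer's code, of the signed-update check described above together with the anti-rollback and integrity checks a practitioner would want: the vendor signs a small manifest (model, version, image digest) with Ed25519, and the device verifies it against a pinned public key before installing. The device model, firmware bytes and key pair are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs and ships with a firmware image.
type Manifest struct {
	Model   string   // device model the image is built for
	Version uint32   // must increase with every release
	Digest  [32]byte // SHA-256 of the image bytes
}

// encode gives signer and verifier one unambiguous byte layout to sign and check.
func (m Manifest) encode() []byte {
	var n [4]byte
	buf := make([]byte, 0, 6+len(m.Model)+32)
	binary.BigEndian.PutUint16(n[:2], uint16(len(m.Model)))
	buf = append(append(buf, n[:2]...), m.Model...)
	binary.BigEndian.PutUint32(n[:], m.Version)
	return append(append(buf, n[:]...), m.Digest[:]...)
}

// SignedUpdate is the package delivered to the device.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// SignUpdate runs on the vendor's release system; the private key never reaches the device.
func SignUpdate(priv ed25519.PrivateKey, model string, version uint32, image []byte) SignedUpdate {
	m := Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// Device is the verifier side: the vendor public key pinned at manufacture plus the installed version.
type Device struct {
	Model          string
	CurrentVersion uint32
	VendorPub      ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("image built for a different model")
	ErrRollback     = errors.New("version not newer than installed firmware")
	ErrDigest       = errors.New("image does not match signed digest")
)

// Install accepts an update only if every check passes, in this order.
func (d *Device) Install(u SignedUpdate) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature // origin and authenticity of the manifest
	}
	if u.Manifest.Model != d.Model {
		return ErrWrongModel
	}
	if u.Manifest.Version <= d.CurrentVersion {
		return ErrRollback // a signed but older image could reintroduce fixed flaws
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest // integrity of the image bytes themselves
	}
	d.CurrentVersion = u.Manifest.Version
	return nil
}

type Outcomes struct{ Genuine, Tampered, Rollback, Forged error }

// Scenario exercises the verifier with constructed images and a freshly
// generated vendor key (production keys would be long-lived).
func Scenario() (Outcomes, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcomes{}, err
	}
	dev := &Device{Model: "pump-x1", CurrentVersion: 4, VendorPub: pub}
	var o Outcomes
	o.Genuine = dev.Install(SignUpdate(priv, "pump-x1", 5, []byte("firmware v5 (constructed)")))
	tampered := SignUpdate(priv, "pump-x1", 6, []byte("firmware v6 (constructed)"))
	tampered.Image[0] ^= 0xff // flip a byte after signing: digest no longer matches
	o.Tampered = dev.Install(tampered)
	o.Rollback = dev.Install(SignUpdate(priv, "pump-x1", 3, []byte("firmware v3 (constructed)")))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	o.Forged = dev.Install(SignUpdate(attackerPriv, "pump-x1", 7, []byte("malicious (constructed)")))
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\ntampered: %v\nrollback: %v\nforged: %v\n", o.Genuine, o.Tampered, o.Rollback, o.Forged)
}
```

Signing the manifest rather than the raw image keeps the signature small and lets the device reject a wrong model or an older version before it has streamed the whole image; the digest check then covers the image bytes. Keep the signing key off the build server, and plan for key rotation (a second pinned key, or a signed key-update message) before the first device ships, because a key you cannot rotate is a single point of failure for the whole fleet.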

You should also set up a coordinated vulnerability disclosure (CVD) policy. This gives researchers a clear way to report vulnerabilities to you and sets an agreed timeline for fixing them. You announce the weakness to users once a fix or mitigation is available, rather than when the report arrives. 

In the US, a plan for handling vulnerabilities after launch, including CVD, is a requirement of section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act. For existing products, the International Medical Device Regulators Forum (IMDRF)'s legacy medical device principles provide effective best practice.

5. Cybersecurity Features

Finally, build in features that help healthcare clients meet their own cybersecurity obligations. In the US, the FDA 2025 Premarket Cybersecurity Guidance (GUI00001825) already expects this of you; beyond compliance, it is also a way to keep your healthcare clients compliant.

One of the best ways to do this is to ship a comprehensive user manual with clear steps for clients to deploy your device securely. Include network diagrams, infrastructure requirements, the exact ports and protocols the device uses, and what to do if there is a security event. Share where they can obtain version-identifiable, manufacturer-authorised software and firmware. Tell clients about backup modes, which events the device logs, and how to export those logs to their SIEM or IDS.

The closer your clients follow your operating and security instructions, the lower the risk for them and you.

Manufacturers have always strived to deliver safe clinical devices for healthcare clients. Now, you must factor in cybersecurity during product development, deployment, and retirement. Following the best practices in this guide will help you achieve the most effective cybersecurity solutions for your medical devices.

Do this by carefully considering the components you choose. Explore our healthcare sector manufacturer solutions so you can build in protection at the hardware level.

Professor Yang Wei

Professor Yang Wei is a leading academic in the field of smart wearables and electronic textiles. He is a Professor of Wearable Technology at Nottingham Trent University, a Chartered Engineer, and a Fellow of the Higher Education Academy. 

He leads the Advanced Textiles Research Group (ATRG) in the School of Art and Design, and also heads the Smart Medical Textiles at the Medical Technologies Innovation Facility (MTIF). His research focuses on developing next-generation wearable technologies for healthcare, defence, and industrial applications.
