Cybersecurity for medical devices is often misunderstood. It’s not primarily about someone hacking into an individual pacemaker or insulin pump. In practice, cybersecurity incidents affect patient care broadly: they delay communication, interrupt treatment, and complicate recovery. 

As Axel Wirth of Medcrypt emphasized during a webinar held by RAPS Ontario: “Yes, medical devices should be safe and secure, but what affects a volume of patients are ransomware attacks on hospitals.” Research by Choi, Johnson, and Lehmann on hospital data breaches points the same way: patient outcomes suffer when breach remediation slows down the flow of clinical information. 


Expanding Obligations Through Connected Services 

Manufacturers rarely ship a stand-alone device anymore. Increasingly, products come bundled with connected services: remote monitoring, cloud integration, and analytics platforms. Each additional service lengthens the data chain and adds parties that handle hospital and patient information. 

This broadens the cybersecurity obligations of manufacturers: they must protect not only the device itself but also the associated data flows. Regulators in both the EU and US are responding by making post-market cybersecurity practices mandatory rather than optional, Wirth explained. 

Regulatory Developments 

“Across both Europe and the United States, regulators now view cybersecurity as inseparable from medical device quality and safety—making compliance an essential condition for market access,” says Yuan Li, Director of Medical Business at DQS. Here’s what that covers in each region: 

European Union: MDR Coverage 

The EU’s Medical Device Regulation (MDR) makes cybersecurity part of the General Safety and Performance Requirements (Annex I, GSPR 17) that a device incorporating software must meet before it can be CE-marked: the software has to be developed according to the state of the art, with information security built into the development life cycle and risk management, and the manufacturer has to specify the minimum IT security measures the operating environment must provide. The legal obligation sits with the manufacturer, but meeting it means controlling the suppliers and service providers in the device’s supply and service chain who touch medical data. 

United States: FDA Guidance 

In the US, the FDA has modernized its oversight with the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference in place of the long-standing Quality System Regulation (21 CFR Part 820). Wirth noted that “the FDA now has heightened authority over cybersecurity, and its alignment with ISO 13485 further raises the bar for manufacturers.” 

The heightened authority dates from 2023, when section 524B of the Federal Food, Drug, and Cosmetic Act gave the FDA explicit statutory power to require cybersecurity information in premarket submissions for “cyber devices” (devices that contain software and can connect to the internet). Together with the FDA’s current premarket cybersecurity guidance, it sets clear expectations: 

  • Continuous monitoring of devices for vulnerabilities after they are on the market. 
  • Timely remediation through patches and updates. 
  • Communication of end-of-life (EOL) support policies so that healthcare providers understand when devices will no longer receive security updates. 

Why Certification Still Matters 

Wirth and Li agree that the core objective of certification remains unchanged: devices must be safe to use and reliable throughout their lifecycle.  

Cybersecurity now sits at the center of that requirement. A device that is functionally sound but digitally vulnerable cannot be considered safe. For manufacturers, cybersecurity has shifted from being a compliance exercise to a critical component of product quality. 


Practical Checklist for Medical Device Manufacturers 

The FDA’s expectations can be distilled into four essential practices: 

  • Monitor, identify, and address cybersecurity vulnerabilities continuously, not only at the time of premarket review. 
  • Release updates for known vulnerabilities on a reasonably justified, regular cycle. 
  • Patch critical vulnerabilities that could cause uncontrolled risk out of cycle, as soon as possible after they are discovered. 
  • Plan and communicate end-of-life (EOL) timelines so that users are never left running unsupported devices without knowing it. 


Global Alignment: MDSAP, MDR, and ISO 13485 

For manufacturers operating internationally, harmonization efforts are reshaping quality and cybersecurity expectations. The Medical Device Single Audit Program (MDSAP) allows a single audit to satisfy the quality management system requirements of five participating jurisdictions: the US, Canada, Brazil, Japan, and Australia. Because MDSAP audits are based on ISO 13485, that quality management standard has become the backbone of global compliance. The EU’s MDR adds another layer by explicitly incorporating cybersecurity and post-market surveillance obligations. Together, these frameworks are creating a common language: cybersecurity is no longer a peripheral IT concern but a core quality and safety requirement across all major markets. 

Outlook for Manufacturers 

The regulatory landscape is moving toward active post-market responsibility. Manufacturers that build monitoring, rapid response, and transparent communication into their quality systems will be better positioned not only to meet compliance requirements but also to maintain trust with hospitals and patients. 

Author

Nadine Heir

Nadine's team communicates the world-class quality for which DQS is globally recognized, in certification and auditing services, to companies across industries.
