1. Introduction
Medical Device Cybersecurity is the discipline of designing, building, deploying and maintaining networked and software-enabled medical devices so that they preserve safety, effectiveness and data protection across their entire life cycle. Unlike general enterprise IT security, medical device security must reconcile clinical safety (a device must not harm a patient), regulatory compliance (a device must clear market authorisation) and operational resilience (a device must keep working in a hospital that cannot be patched on demand). This guide provides an auditor-grade, implementer-ready deep-dive spanning the two dominant regulatory and standards pillars: the U.S. Food and Drug Administration (FDA) premarket and postmarket cybersecurity expectations, and the IEC 81001-5-1 / IEC/TR 60601-4-5 / AAMI TIR57 / UL 2900-2-1 standards ecosystem, all anchored to a Total Product Life Cycle (TPLC) and Secure Product Development Framework (SPDF) philosophy.
The scope covers Software as a Medical Device (SaMD), Software in a Medical Device (SiMD), connected diagnostic and therapeutic devices, implantables, wearables, hospital gateways and the supporting infrastructure. The guide is written for two audiences at once: the assessor/auditor who must gather objective evidence and render a finding, and the manufacturer/product team who must engineer, document and sustain the controls that produce that evidence.
A defining characteristic of this domain is asymmetry of tempo. Enterprise IT patches on a weekly or monthly cadence; a medical device may be validated for a specific software configuration, deployed for ten to fifteen years, and legally frozen against unvalidated change. This means that security must be engineered in at design time, because the opportunity to retrofit is severely constrained once a device reaches the bedside. It also means that manufacturers and healthcare delivery organisations must share responsibility explicitly: the manufacturer builds intrinsic controls and a safe update path, while the hospital provides compensating network controls, monitoring and physical protection. The documentation that records this shared-responsibility boundary — often expressed through the MDS2 disclosure and the security use instructions — is itself a first-class audit artefact. Assessors who ignore it will misattribute residual risk and reach an unsound conclusion.
The reader should treat this guide as a lattice rather than a linear checklist. Section 4 defines the domains; Section 5 enumerates every control group with a verify/evidence pairing; Sections 6 through 12 wrap those controls in scoping, implementation phasing, maturity grading, audit method, evidence collection, role assignment and measurement. The concluding sections give a readiness checklist, catalogue the failure modes we most frequently observe in the field, and map the scheme to adjacent frameworks so that an organisation already certified to ISO/IEC 27001 or conformant to IEC 62443 can reuse evidence rather than duplicate effort.
Copyright and standards-use note
IEC 81001-5-1, IEC/TR 60601-4-5, IEC 62304, ISO 14971, ISO/IEC 27001, UL 2900-2-1 and AAMI TIR57/TIR97 are copyrighted works of IEC, ISO, UL and AAMI. This guide is an original, independent interpretation for educational and audit-preparation purposes. It paraphrases requirements and does NOT reproduce normative text, tables or clauses. FDA guidance documents (e.g. the 2023 premarket cybersecurity guidance, Section 524B of the FD&C Act, the 2016 postmarket guidance) are U.S. Government works and generally not copyright-restricted, but should be read in the original. Purchase the current editions of all standards from the relevant standards body before making conformity or regulatory-submission decisions.
2. What is Medical Device Security
Medical Device Security is the application of cybersecurity engineering and governance to devices whose intended use is diagnosis, cure, mitigation, treatment or prevention of disease. It differs materially from IT and OT security because the primary asset under protection is the patient and the clinical outcome, not merely data confidentiality. A ransomware event on a patient-monitoring gateway is a patient-safety event, not only a data-availability event; a firmware flaw in an insulin pump is a potential loss of life. Consequently the field fuses three engineering disciplines: safety risk management (ISO 14971), software life-cycle management (IEC 62304) and security risk management (IEC 81001-5-1 / AAMI TIR57).
The regulatory centre of gravity in the United States is Section 524B of the Federal Food, Drug, and Cosmetic Act (added by the Consolidated Appropriations Act, 2023), which makes cybersecurity a mandatory condition of premarket submission for 'cyber devices'. FDA operationalises this through its premarket cybersecurity guidance (final September 2023), which requires a Secure Product Development Framework, a Software Bill of Materials (SBOM), threat modelling, security architecture views and a plan to monitor, identify and address postmarket vulnerabilities. The international standards centre of gravity is IEC 81001-5-1 (health software and health IT systems safety, effectiveness and security — security activities in the product life cycle), harmonised in the EU under the Medical Device Regulation (MDR 2017/745) and the NIS2 / Radio Equipment Directive (RED) cybersecurity essential requirements.
It is worth naming the specific engineering constructs the scheme expects, because vague conformity claims fail review. The FDA package expects an explicit threat model methodology (STRIDE or attack-tree based), four named architecture views (global system, multi-patient harm, updateability/patchability, and security use case), a machine-readable SBOM in SPDX or CycloneDX format carrying the CISA minimum elements, and a postmarket plan whose remediation clock starts when an uncontrolled risk is identified. IEC 81001-5-1 in turn defines a set of security-activity processes — planning, requirements, design, implementation, verification, release, and problem resolution — that mirror IEC 62304 but add security-specific expectations. Where independent testing or certification is pursued, schemes such as UL 2900-2-1 define structured penetration and known-vulnerability testing, IEC 62443-4-1 (via the ISASecure programme) defines a graded secure-development-lifecycle assurance, and Common Criteria defines Evaluation Assurance Levels (EAL 1 to EAL 7). Cryptographic modules are frequently validated to FIPS 140-3, which itself defines four security levels of increasing physical and logical protection. Assessors should always establish which of these named levels and constructs a manufacturer is claiming, because the level is what makes a claim testable.
| Dimension | Medical Device Security emphasis |
|---|
| Primary asset | Patient safety and clinical effectiveness, then data |
| Governing risk triad | Safety (ISO 14971) + Software (IEC 62304) + Security (IEC 81001-5-1 / TIR57) |
| Life-cycle model | Total Product Life Cycle (TPLC) / Secure Product Development Framework (SPDF) |
| Patch reality | Long-lived, rarely-patchable, clinically-validated configurations |
| Failure consequence | Physical harm or death, not only breach of confidentiality |
| Key US legal hook | FD&C Act Section 524B ('cyber device') |
| Key intl standard | IEC 81001-5-1, IEC/TR 60601-4-5, ISO 14971 |
3. Who Must Comply
Obligations attach to any organisation that manufactures, integrates, distributes, or operates connected or software-enabled medical devices. The concept of a 'cyber device' under Section 524B is broad: any device that (a) includes software validated, installed, or authorised by the sponsor, (b) has the ability to connect to the internet, and (c) contains technological characteristics that could be vulnerable to cybersecurity threats.
| Actor | Obligation trigger | Primary duties |
|---|
| Device manufacturer (OEM) | Places a cyber device on the market | SPDF, SBOM, threat model, premarket submission, postmarket vulnerability management |
| SaMD / SiMD developer | Software is the device or drives it | IEC 62304 life cycle plus IEC 81001-5-1 security activities |
| System integrator / VAR | Combines devices into a clinical system | Configuration hardening, secure deployment, residual-risk transfer documentation |
| Healthcare Delivery Organisation (HDO / hospital) | Operates devices clinically | Asset inventory, network segmentation, patch governance, incident response |
| Component / OTS supplier | Supplies SOUP / third-party libraries | SBOM contribution, vulnerability disclosure, support and end-of-life notice |
| Managed service / remote-support provider | Remote access to devices | Secure remote access, least privilege, session logging |
| Notified Body / FDA reviewer | Regulatory conformity assessment | Reviews cybersecurity documentation against guidance and standards |
- US: FDA premarket review under 524B applies to 510(k), De Novo, PMA, PDP, HDE and BLA submissions containing device software.
- EU: MDR/IVDR Annex I General Safety and Performance Requirements (GSPR) 17.2 and 17.4 mandate security for programmable devices; MDCG 2019-16 provides guidance.
- UK: MHRA guidance on medical device cybersecurity aligns to the same TPLC principles post-Brexit.
- Global: IMDRF 'Principles and Practices for Medical Device Cybersecurity' provides an internationally harmonised baseline.
4. Structure of Medical Device Security
Medical Device Security is not a single monolithic control set; it is a lattice of overlapping frameworks that together define premarket engineering expectations, testing/certification schemes and postmarket operations. The table below maps the principal domains, the standard or scheme that owns each, and the representative control families within it. These domains form the backbone of the master assessment checklist in Section 5.
| Domain / family | Owning standard or scheme | Representative controls / requirements |
|---|
| Security risk management | IEC 81001-5-1, AAMI TIR57, ISO 14971 | Security risk analysis, threat modelling, risk evaluation, risk control, residual-risk acceptance |
| Secure Product Development Framework (SPDF) | FDA premarket guidance, NIST SSDF (SP 800-218) | Prepare organisation, protect software, produce well-secured software, respond to vulnerabilities |
| Software life-cycle processes | IEC 62304 | Development planning, requirements, architecture, unit implementation, integration, system testing, maintenance |
| Security architecture & design | FDA premarket guidance, IEC 62443-4-1/4-2 | Global system view, multi-patient harm view, updateability view, trust boundaries, defence in depth |
| SBOM & software transparency | FDA 524B, NTIA/CISA SBOM minimum elements | Component inventory, provenance, SOUP management, license and EOL tracking |
| Design security capabilities | IEC/TR 60601-4-5, IEC 62443-4-2 | Authentication, authorisation, cryptography, integrity, confidentiality, audit, resiliency |
| Security verification & testing | FDA guidance, UL 2900-2-1, AAMI TIR97 | Vulnerability scanning, fuzz testing, penetration testing, SBOM/CVE analysis, malformed input testing |
| Labelling & transparency | FDA guidance, IEC 81001-5-1 | Cybersecurity bill of materials, security use instructions, hardening guides, MDS2 form |
| Postmarket vulnerability management | FDA 2016 postmarket guidance, ISO/IEC 30111, ISO/IEC 29147 | Vulnerability intake, triage, coordinated disclosure, patch deployment, exploitability assessment |
| Certification / conformity assessment | UL 2900-2-1, IEC 62443-4-1 (ISASecure), Common Criteria | Independent testing, evaluation assurance, certificate issuance and surveillance |
5. Master Assessment Checklist
This is the operational heart of the guide. Every control group below is expressed as an h3 with a table whose columns are 'What to verify' (the assessor's test) and 'Typical evidence' (the objective artefact that satisfies it). No domain from Section 4 is omitted. Assessors should sample across the TPLC — do not accept a design document without evidence that its controls were verified in the built device and are sustained in the field.
5.1 Security Risk Management (IEC 81001-5-1 / AAMI TIR57 / ISO 14971)
| What to verify | Typical evidence |
|---|
| A documented security risk management process exists and is integrated with the ISO 14971 safety process | Security risk management plan; procedure referencing ISO 14971 interface |
| Assets, security capabilities and data flows are characterised | Data flow diagrams; asset register; trust boundary maps |
| Threats are identified using a structured method (e.g. STRIDE, attack trees) | Threat model report; STRIDE decomposition per element |
| Vulnerabilities and threat sources are enumerated and rated for exploitability | Vulnerability register; CVSS/exploitability scoring rationale |
| Security risks are evaluated against defined acceptability criteria linked to patient harm | Risk evaluation matrix; harm-linkage (safety impact) analysis |
| Risk controls are selected, implemented and verified in priority order (inherent, protective, information) | Risk control table with verification references |
| Residual security risk is evaluated and formally accepted by authorised roles | Residual-risk report; management sign-off record |
| Benefit-risk determination considers security-derived safety risk | Benefit-risk analysis document |
5.2 Secure Product Development Framework (SPDF) / NIST SSDF SP 800-218
| What to verify | Typical evidence |
|---|
| Prepare the Organisation (PO): security roles, policies, toolchains and training are defined | Secure development policy; role matrix; training records; tool inventory |
| Protect the Software (PS): source integrity, code signing and archival are enforced | Signed commits; branch protection; artefact signing logs; secure repository config |
| Produce Well-Secured Software (PW): secure design, coding standards, review and testing are applied | Secure coding standard; threat model; SAST/DAST reports; code review records |
| Respond to Vulnerabilities (RV): intake, analysis and remediation are operational | Vulnerability handling procedure; PSIRT charter; remediation tickets |
| SPDF is applied across the whole TPLC, not only premarket | SPDF plan mapping activities to each life-cycle phase |
| Third-party and open-source components follow the same SSDF rigour | Supplier security requirements; SOUP evaluation records |
5.3 Software Life-Cycle Processes (IEC 62304)
| What to verify | Typical evidence |
|---|
| Software safety classification (Class A/B/C) is assigned and justified | Software safety classification record |
| A software development plan covers all life-cycle activities | Software development plan (SDP) |
| Software requirements include security and derived risk-control requirements | Software requirements specification with security requirements traced |
| Software architecture identifies segregation for risk control | Architecture design document; SOUP segregation rationale |
| Detailed design, implementation and unit verification are documented | Detailed design; unit test records |
| Integration and system testing include security test cases | Integration/system test plan and results |
| Software maintenance process handles problem resolution and change control | Maintenance plan; problem reports; change requests |
| SOUP anomaly lists and version constraints are managed | SOUP list with known-anomaly evaluation |
5.4 Security Architecture and Design Views (FDA premarket guidance)
| What to verify | Typical evidence |
|---|
| A global system view depicting all connections and interfaces is provided | Global system architecture diagram |
| A multi-patient harm view assesses aggregated/scaled impact (e.g. server, fleet) | Multi-patient harm analysis view |
| An updateability and patchability view documents how the device is patched | Update architecture view; patch process description |
| A security use case view maps end-to-end data and trust flows | Security use case / data flow views |
| Trust boundaries, entry points and attack surfaces are explicitly defined | Trust boundary diagram; attack surface enumeration |
| Defence-in-depth layering is demonstrated (not single-point reliance) | Layered control mapping across views |
5.5 SBOM and Software Transparency (FDA 524B / CISA SBOM minimum elements)
| What to verify | Typical evidence |
|---|
| A machine-readable SBOM (SPDX or CycloneDX) accompanies the submission | SBOM file in SPDX/CycloneDX format |
| SBOM contains the minimum elements (supplier, component, version, unique ID, dependency, author, timestamp) | SBOM field completeness review |
| Commercial, open-source and off-the-shelf software are all listed | Component inventory cross-check |
| Level of support and end-of-support/end-of-life dates are documented per component | EOL/EOS support matrix |
| Known vulnerabilities in listed components are assessed and safety-impact rated | CVE-to-component mapping; VEX statements |
| A process exists to keep the SBOM current across releases | SBOM maintenance procedure; version-controlled SBOM history |
5.6 Design Security Capabilities — Authentication and Authorisation (IEC/TR 60601-4-5 / IEC 62443-4-2)
| What to verify | Typical evidence |
|---|
| User and device authentication is enforced for privileged functions | Authentication design; test evidence; screenshots/logs |
| Multi-factor or strong authentication is used where risk warrants | MFA configuration; risk-based rationale |
| Default credentials are eliminated or force change on first use | Provisioning procedure; first-boot behaviour test |
| Role-based access control enforces least privilege | RBAC matrix; permission test cases |
| Session management includes timeout, lock and secure termination | Session policy config; timeout test evidence |
| Service, maintenance and remote-access accounts are individually attributable | Account inventory; remote-access authentication logs |
5.7 Design Security Capabilities — Cryptography, Integrity and Confidentiality
| What to verify | Typical evidence |
|---|
| Data in transit is protected with current, standards-based encryption (e.g. TLS 1.2+) | Protocol/cipher configuration; network capture analysis |
| Sensitive data at rest is encrypted with managed keys | Encryption design; key inventory |
| Cryptographic modules use validated algorithms (e.g. FIPS 140-3 where applicable) | Algorithm list; FIPS certificate references |
| A secure key management life cycle (generation, storage, rotation, destruction) exists | Key management procedure; HSM/secure element evidence |
| Firmware and software integrity is verified via code signing / secure boot | Secure boot design; signature verification test |
| Anti-tamper and integrity monitoring detect unauthorised modification | Integrity monitoring logs; tamper-response design |
5.8 Design Security Capabilities — Audit, Logging and Detection
| What to verify | Typical evidence |
|---|
| Security-relevant events are logged with sufficient detail and timestamps | Audit log specification; sample log extracts |
| Logs are protected against unauthorised alteration and deletion | Log integrity controls; access-control evidence |
| The device supports export/forwarding of logs to HDO SIEM | Syslog/forwarding configuration |
| Detection of anomalous or malicious activity is provided where feasible | Detection design; alerting test evidence |
| Clinicians/operators are alerted to security-relevant degradations affecting safety | Alerting behaviour; failsafe notification design |
5.9 Design Security Capabilities — Resiliency, Recovery and Updateability
| What to verify | Typical evidence |
|---|
| The device fails to a safe state under attack or resource exhaustion | Fail-safe design; denial-of-service test results |
| Backup and restore of configuration and data are supported | Backup/restore procedure and test |
| Secure, authenticated firmware/software update mechanism is implemented | Update mechanism design; signed-update verification test |
| Rollback protection prevents downgrade to vulnerable versions | Anti-rollback test evidence |
| Recovery time and continuity of clinical function are validated | Recovery/continuity test report |
| Emergency access ('break-glass') is available without weakening baseline security | Break-glass procedure and audit trail |
5.10 Security Verification and Testing (UL 2900-2-1 / AAMI TIR97 / FDA)
| What to verify | Typical evidence |
|---|
| Static analysis (SAST) of source code was performed and findings triaged | SAST report; triage disposition |
| Software composition analysis (SCA) covers all third-party components | SCA report; CVE findings and dispositions |
| Dynamic and fuzz testing of interfaces was performed (malformed input robustness) | Fuzzing report; interface robustness results |
| Independent penetration testing exercised the attack surface | Penetration test report; remediation evidence |
| Vulnerability scanning of the device and its services was completed | Scan reports; false-positive analysis |
| Test coverage traces to threat model and security requirements | Traceability matrix (threats to tests) |
| Residual/unresolved findings are risk-assessed and justified | Open-finding risk assessment |
5.11 Labelling, Transparency and Security Documentation
| What to verify | Typical evidence |
|---|
| Security-relevant information for users (hardening, network requirements) is documented | Security hardening guide; product security whitepaper |
| An MDS2 (Manufacturer Disclosure Statement for Medical Device Security) is provided | Completed MDS2 form |
| A Cybersecurity Bill of Materials / SBOM is disclosed to HDOs | Customer-facing SBOM disclosure |
| End-of-support and end-of-life security implications are communicated | EOL/EOS communication policy and notices |
| Instructions cover secure decommissioning and data sanitisation | Decommissioning and sanitisation procedure |
| A coordinated vulnerability disclosure contact/policy is published | Public CVD policy; security.txt / PSIRT contact |
5.12 Postmarket Vulnerability and Incident Management (FDA 2016 / ISO/IEC 30111 / 29147)
| What to verify | Typical evidence |
|---|
| A vulnerability intake process (researchers, feeds, ISAOs) is operational | CVD policy; intake queue; ISAO/H-ISAC membership |
| Vulnerabilities are triaged for exploitability and patient-safety impact | Triage records; CVSS + safety-impact scoring |
| A defined timeline distinguishes routine updates from remediation of uncontrolled risk | Postmarket procedure; SLA definitions |
| Coordinated disclosure and advisory publication are practised | Published security advisories; CISA ICS-Medical advisories |
| Patch/mitigation deployment to the field is tracked to closure | Deployment tracking; fleet patch status |
| Adverse events with cybersecurity root cause are reported to regulators | MDR/MedWatch reporting records |
| Postmarket surveillance feeds back into the SPDF and threat model | Threat-model update records; lessons-learned log |
5.13 Supply Chain and Third-Party / SOUP Security
| What to verify | Typical evidence |
|---|
| Supplier security requirements are contractually imposed | Supplier agreements; security requirement schedules |
| Third-party components are assessed for known vulnerabilities before inclusion | Component security assessment records |
| Provenance and integrity of acquired software are verified | Hash/signature verification records |
| Supplier vulnerability notification and support obligations are defined | Support/notification clauses; supplier SBOM contributions |
| Manufacturing and update supply chains are protected against tampering | Supply chain integrity controls; signing infrastructure security |
5.14 Certification and Conformity Assessment (UL 2900-2-1 / ISASecure / Common Criteria)
| What to verify | Typical evidence |
|---|
| The applicable certification scheme and target level are defined | Certification plan; target level/EAL declaration |
| An accredited test lab / certification body performed the evaluation | Lab accreditation; evaluation contract |
| Structured penetration and known-vulnerability testing per the scheme was completed | Scheme test report (e.g. UL 2900-2-1 report) |
| A valid certificate has been issued and is within its surveillance period | Certificate; surveillance/maintenance records |
| Certificate scope matches the device configuration on the market | Scope-to-configuration cross-check |
5.15 Certification and Testing Levels — Named Assurance Scales
Where a manufacturer claims a graded assurance level, the assessor must verify the claim against the scheme's defined scale. The table below consolidates the principal named levels an auditor encounters in medical device security so that the claimed level, the awarding scheme, and its meaning are unambiguous.
| Scheme / scale | Levels | Meaning of increasing level |
|---|
| Common Criteria (ISO/IEC 15408) | EAL 1 to EAL 7 | Depth and formality of design analysis, testing and independent evaluation increase |
| FIPS 140-3 (crypto modules) | Level 1 to Level 4 | Physical tamper protection and role-based/identity-based authentication strengthen |
| ISASecure / IEC 62443-4-1 (SDL) | Maturity 1 to 4 | Rigour and repeatability of the secure development lifecycle increase |
| IEC 62443-4-2 (component) | Security Level SL 1 to SL 4 | Capability to resist casual through nation-state attackers increases |
| UL 2900-2-1 | Pass / fail against defined tests | Structured malware, malformed-input, known-vuln and pen-test criteria are met |
| NIST IAL/AAL/FAL (identity, where applicable) | 1 to 3 | Identity proofing, authenticator and federation assurance strengthen |
5.16 Certification and Testing Lifecycle
Certification and independent testing follow a defined lifecycle that runs in parallel with, and feeds, the regulatory submission. Auditors should confirm each stage produced its expected artefact and that the certificate remains valid and in scope.
| What to verify | Typical evidence |
|---|
| The Target of Evaluation and claimed assurance level are formally defined | Security target / evaluation scope declaration |
| An accredited, independent test lab or certification body was engaged | Accreditation certificate; engagement contract |
| Pre-assessment gap analysis was performed before formal testing | Gap analysis report; remediation log |
| Formal testing (pen test, known-vuln, malformed input, crypto) was executed | Test lab report per scheme |
| Findings were remediated and re-tested to closure | Remediation and re-test records |
| A certificate was issued with defined scope and validity period | Issued certificate |
| Surveillance / maintenance activities keep the certificate current | Surveillance audit records; change-impact assessments |
| Certificate scope is re-validated on material device change | Change-impact-to-scope re-assessment |
6. Scoping
Scoping determines what is assessed and to what depth. For medical device security the boundary is the 'device system' as intended and labelled — including firmware, embedded OS, application software, companion mobile apps, cloud back-ends, gateways, accessories and the interfaces between them. Scoping must be driven by intended use and by where cybersecurity failures could translate into patient harm.
A disciplined scoping exercise begins from the intended use statement and the essential performance defined for the device, then works outward along every path by which data or control can enter or leave the system. Each such path is an entry point and therefore part of the attack surface. The scope boundary should be drawn to include everything the manufacturer controls or can influence, and to explicitly exclude — with written rationale — anything transferred to the operating environment. A common scoping error is to evaluate the physical device while excluding its cloud analytics back-end; because a compromise of a shared back-end can affect every deployed unit simultaneously, that back-end almost always belongs inside the multi-patient harm view and therefore inside scope. Equally, wireless interfaces are frequently under-scoped: Bluetooth Low Energy pairing, Wi-Fi association and cellular management channels each carry their own threat surface and each must be enumerated.
- Include: all software (including SOUP/OTS), all network and physical interfaces, wireless (Bluetooth, Wi-Fi, cellular, NFC), maintenance/service ports, cloud and companion apps, and the update pathway.
- Include the multi-patient / scaled-harm perspective: servers, PACS, gateways and fleets where one compromise scales across many patients.
- Classify by IEC 62304 software safety class (A/B/C) and by security risk to prioritise rigour.
- Exclude, with justification, purely mechanical components and non-connected legacy items — but document the rationale and any data-transfer paths.
- Define the device configuration under evaluation precisely (versions, options, network posture) so that certification scope is unambiguous.
- Distinguish manufacturer-controlled controls from HDO-controlled compensating controls; document the transfer of residual risk to the operator.
7. Implementation Approach
Implementation follows a phased Secure Product Development Framework mapped to the Total Product Life Cycle. Each phase below lists key activities and the deliverables an auditor should expect.
Phase 1 — Governance and Preparation
- Activities: establish a Product Security Incident Response Team (PSIRT), define secure development policy, assign security roles, provision tooling (SAST/SCA/DAST/fuzzing), train engineers, and adopt IEC 81001-5-1 / SSDF as the framework.
- Deliverables: security governance charter, secure development policy, role matrix, training records, tool inventory.
Phase 2 — Security Risk Analysis and Threat Modelling
- Activities: characterise assets and data flows, perform threat modelling (STRIDE/attack trees), enumerate vulnerabilities, and evaluate risks against acceptability criteria linked to patient harm.
- Deliverables: threat model, security risk analysis, data flow and trust boundary diagrams, initial risk register.
Phase 3 — Secure Architecture and Design
- Activities: define security requirements and controls, produce the four FDA architecture views, select cryptographic and authentication mechanisms, design update and recovery paths, and establish SOUP segregation.
- Deliverables: security requirements specification, security architecture views, design specifications, SBOM baseline.
Phase 4 — Secure Implementation and Verification
- Activities: apply secure coding standards, run SAST/SCA on every build, implement controls, and perform integration and system security testing.
- Deliverables: code review records, SAST/SCA reports, control implementation evidence, security test results, traceability matrix.
Phase 5 — Security Validation and Independent Testing
- Activities: fuzz testing, independent penetration testing, vulnerability scanning, and (where pursued) scheme certification testing (UL 2900-2-1 / Common Criteria).
- Deliverables: penetration test report, fuzz/robustness report, residual-risk assessment, certification test report and certificate.
Phase 6 — Regulatory Submission and Labelling
- Activities: assemble the premarket cybersecurity documentation package (524B/MDR), finalise SBOM disclosure, complete MDS2, and produce customer security documentation.
- Deliverables: premarket cybersecurity submission, MDS2, security hardening guide, published CVD policy.
Phase 7 — Postmarket Management and Maintenance
- Activities: operate vulnerability intake and triage, monitor threat intelligence and ISAOs, deploy patches, publish advisories, and feed lessons back into the SPDF.
- Deliverables: postmarket surveillance plan, advisories, patch/deployment records, updated threat models and SBOMs.
8. Maturity / Capability Model
A maturity model helps both manufacturers and auditors calibrate where a product security programme sits and what 'good' looks like. The five-level model below is adapted from common capability-maturity constructs and aligned to IEC 81001-5-1 and SPDF expectations. Regulatory conformity is achievable at Level 3, where the SPDF is defined and consistently applied across the Total Product Life Cycle; Levels 4 and 5 add the quantitative management and continuous-improvement characteristics that distinguish a resilient, defensible programme from a merely compliant one. Auditors should score each control group in Section 5 independently, because a programme is often mature in design but immature in postmarket operation, or vice versa; the overall rating is only as strong as its weakest safety-relevant domain.
| Level | Name | Characteristics |
|---|
| 1 | Initial / Ad hoc | Security handled reactively; no formal process; safety and security risk not integrated |
| 2 | Managed | Basic secure development policy and threat modelling exist but applied inconsistently |
| 3 | Defined | SPDF documented and applied across TPLC; SBOM, architecture views and testing standardised |
| 4 | Quantitatively Managed | Metrics-driven; vulnerability SLAs, coverage and residual-risk tracked and reviewed |
| 5 | Optimising | Continuous improvement; threat intelligence, red-teaming and postmarket feedback drive the SPDF |
9. Assessment and Audit Approach
- Define scope and objectives: identify the device system, configuration under review, applicable regulations (524B/MDR) and certification schemes.
- Collect documentation: request the SPDF plan, threat model, security risk analysis, architecture views, SBOM, test reports and postmarket procedures.
- Assess design adequacy: evaluate whether controls in the architecture views mitigate the modelled threats to acceptable residual risk.
- Verify implementation: sample evidence that designed controls exist in the built device (configuration review, test result inspection, live demonstration).
- Conduct or review independent testing: examine penetration test, fuzzing, SAST/SCA and scan results; validate exploitability of open findings.
- Evaluate postmarket capability: confirm PSIRT operation, CVD policy, patch deployment tracking and regulatory reporting readiness.
- Assess supply chain: review SBOM currency, SOUP vulnerability handling and supplier security obligations.
- Rate findings: score each control area against the maturity model and acceptability criteria, linking security gaps to patient-safety risk.
- Report: document findings, evidence gaps, non-conformities and prioritised remediation with a re-assessment plan.
- Follow up: verify corrective actions and update the risk register and certification status.
10. Evidence Request List
The following artefacts, grouped by category, constitute a typical evidence pack for a medical device security assessment.
- Governance: secure development policy, PSIRT charter, role matrix, training records, tool inventory.
- Risk: security risk management plan, threat model, security risk analysis, risk register, residual-risk report and sign-off.
- Design: security requirements specification, four FDA architecture views, cryptography and key management design, update/recovery design.
- Software life cycle: IEC 62304 software development plan, safety classification, SOUP list, detailed design.
- SBOM and supply chain: machine-readable SBOM, EOL/EOS matrix, VEX statements, supplier security agreements.
- Testing: SAST, SCA, DAST/fuzz, penetration test and vulnerability scan reports plus triage/traceability.
- Certification: certification plan, accredited lab report, issued certificate, surveillance records.
- Labelling: MDS2, security hardening guide, customer SBOM disclosure, decommissioning/sanitisation instructions.
- Postmarket: CVD policy, vulnerability intake and triage records, advisories, patch deployment tracking, regulatory reporting records.
11. Roles and Responsibilities
| Role | Primary responsibilities |
|---|
| Product Security Officer / PSIRT lead | Owns the SPDF, vulnerability response and security governance |
| Systems / security architect | Produces threat model and security architecture views; selects controls |
| Software engineering lead | Implements controls, secure coding, SAST/SCA integration |
| Quality / regulatory affairs | Assembles premarket submission; ensures 524B/MDR conformity and reporting |
| Risk management lead | Integrates security risk with ISO 14971 safety risk; residual-risk acceptance |
| Verification & validation lead | Plans and executes security testing; maintains traceability |
| Supply chain / procurement | Enforces supplier security requirements; manages SBOM contributions |
| HDO clinical engineering / biomed | Operates devices securely; segmentation, patch governance, incident response |
| Independent assessor / auditor | Renders objective conformity findings against standards and guidance |
12. KPIs to Track
- Percentage of products with a current, complete and machine-readable SBOM.
- Mean time to triage (MTTT) and mean time to remediate (MTTR) reported vulnerabilities.
- Percentage of critical/exploitable vulnerabilities remediated within SLA.
- Threat model coverage: proportion of releases with an updated threat model.
- Security test coverage traced to security requirements and modelled threats.
- Number of SOUP/third-party components past end-of-support in shipping products.
- Patch deployment rate across the deployed fleet (field closure rate).
- Number of published security advisories and coordinated disclosures per period.
- Percentage of products meeting the target maturity level (Level 3+).
- Recurrence rate of previously-remediated vulnerability classes.
13. Readiness Checklist
- Secure development policy and PSIRT are established and staffed.
- Threat model and security risk analysis exist and are integrated with ISO 14971.
- All four FDA security architecture views are complete and current.
- A machine-readable SBOM with minimum elements and EOL data is maintained.
- Authentication, cryptography, integrity, logging and update controls are implemented and tested.
- SAST, SCA, fuzz and independent penetration testing are complete with findings triaged.
- Residual security risk is documented and formally accepted.
- MDS2, hardening guide and customer SBOM disclosure are prepared.
- A published coordinated vulnerability disclosure policy is live.
- Postmarket vulnerability intake, patch deployment and regulatory reporting are operational.
- Premarket cybersecurity documentation package is assembled per 524B / MDR.
- Certification scope (if pursued) matches the marketed configuration.
14. Common Gaps
- Security risk analysis treated separately from ISO 14971 safety risk, so security-derived patient harm is missed.
- SBOM produced once for submission then left stale, with no VEX and no EOL tracking.
- Threat model that stops at the device and ignores the multi-patient / cloud back-end scaled-harm view.
- Hard-coded or default credentials and unauthenticated maintenance/service interfaces.
- Firmware updates that are unsigned or lack anti-rollback protection.
- No coordinated vulnerability disclosure policy or PSIRT contact, so researchers cannot report safely.
- Postmarket process that cannot distinguish routine updates from uncontrolled-risk remediation timelines.
- Testing limited to a vulnerability scan, with no fuzzing or independent penetration testing.
- SOUP components shipped past end-of-support with unpatched known CVEs.
- Residual risk not formally accepted by an authorised role, or acceptance undocumented.
- Logs that cannot be exported to the HDO SIEM, blinding hospital detection.
- Certification certificate scope that does not match the shipping device configuration.
15. Medical Device Security Mapped to Other Frameworks
| Medical Device Security element | Maps to | Relationship |
|---|
| Security risk management (IEC 81001-5-1) | ISO 14971 / AAMI TIR57 | Extends safety risk management to security; shares process interface |
| SPDF (FDA) | NIST SSDF SP 800-218 | SPDF operationalises SSDF practices (PO/PS/PW/RV) for devices |
| Design security capabilities (IEC/TR 60601-4-5) | IEC 62443-4-2 | Adapts industrial component security requirements to medical context |
| Secure development process | IEC 62443-4-1 / ISO/IEC 27034 | Aligns with secure product lifecycle and application security |
| Vulnerability handling | ISO/IEC 30111 & 29147 | Directly implements disclosure and handling standards |
| Information security management (org level) | ISO/IEC 27001 | Provides the enterprise ISMS wrapper around product security |
| Certification testing | UL 2900-2-1 / Common Criteria | Independent conformity assessment schemes for device security |
| EU market access | MDR GSPR 17 / MDCG 2019-16 / NIS2 | EU legal and guidance equivalents to FDA 524B expectations |
16. How CyberSigma Helps
How CyberSigma helps
CyberSigma brings CERT-In empanelled, PCI QSA-grade rigour to medical device cybersecurity across the Total Product Life Cycle. We stand up your Secure Product Development Framework, build threat models and the four FDA architecture views, generate and maintain machine-readable SBOMs with VEX and EOL tracking, and integrate security risk management with your ISO 14971 and IEC 62304 processes. Our labs perform SAST/SCA, fuzz testing and independent penetration testing aligned to UL 2900-2-1 and AAMI TIR97, and we assemble submission-ready premarket cybersecurity packages for FDA Section 524B and EU MDR. Post-launch, we operate PSIRT-as-a-service, coordinated vulnerability disclosure, advisory publication and fleet patch governance. Talk to CyberSigma to move your device programme to Level 3+ maturity and clear regulatory review with confidence.