How to ensure medical device security and achieve regulatory approval

It is no surprise that the medical device industry is one of the most regulated industries. After all, the products created are used on humans. Healthcare providers and patients alike expect that all medical devices perform as intended to improve patient outcomes efficaciously and safely. Medical device manufacturers are tasked with meeting high regulatory standards set by notified bodies around the globe. These notified bodies, including the Food and Drug Administration (FDA), are taking a larger role in verifying medical device security.

Why is medical device security so important?

Medical devices have vastly improved over the past decade. What was unthinkable 20 years ago is now a reality. Medical devices now connect to everyday wearable technology and the same internet that we use on a daily basis. This connectivity has many benefits – the ability to access data from the internet, collect data from multiple devices, and even adjust devices remotely.

However, it goes without saying that with greater connectivity comes greater concern about the security of these devices. Privacy is at the forefront of patients’ minds. Security breaches and ransomware in medical devices are not to be taken lightly. Having secure devices assures customers and patients that their interactions with these devices are treated as serious and important, and so are their health and personal information.

This is why the FDA has published guidance on medical device requirements that mandate a number of facets of device development and maintenance. In addition, other countries have created their own guidelines on medical device cybersecurity. There are three significant guides on medical device security:

  1. “Content of Pre-Market Submissions for Management of Cybersecurity in Medical Devices” outlines recommendations regarding cybersecurity device design, labeling and documentation to be included in pre-market submission for devices with cybersecurity risk.
  2. “Postmarket Management of Cybersecurity in Medical Devices” outlines management of cybersecurity issues found after a product has been released on the market.
  3. “Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software” outlines how FDA guidelines can be achieved when using OTS software with medical devices.

What is a security vulnerability?

A security vulnerability is a programming defect or bug that exposes a device to internal or external use that was not intended. Medical device manufacturers must be prepared and recognize that every device has security vulnerabilities. It is the way they limit exposure or potential damage that matters most.

One way in which companies can mitigate potential issues is through Common Vulnerabilities and Exposures (CVEs). The CVE list is a catalogue of publicly known security issues that exist or have existed in released products. When a device has a security issue, a CVE is reported, documented and published so that other companies can learn from the vulnerability. CVEs give product developers the opportunity to improve their devices while keeping them secure.

Protecting your medical devices

In the world of cybersecurity, knowledge is power. Security issues can sprout from many directions – issues that are widely known in the community, issues that emerge after product release, and issues introduced by insufficient development practices. Knowing what has happened in the past can help prepare your devices for a better future.

For example, Linux is an embedded operating system widely used in medical devices. Keeping your chosen software at the most up-to-date version, and tracking the CVEs published against it, helps you monitor for and find known exploits. If you are using Linux or other open-source software in medical device design, you must be prepared for CVEs.

While there is no perfect defense, manufacturers can control potential flaws in their own applications and tools. Other ways to prepare for security vulnerabilities include:

  • Applying preventative development techniques, such as coding standards or static analysis
  • Product testing for known security issues using a vulnerability scanner
  • Product testing for unknown security issues using penetration testing and fuzz testing
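As an added example (not from the original article or from Siemens), the following Python sketch shows the kind of check the bullet on testing for known security issues implies: a device's software component inventory is compared against a local CVE feed that carries affected version ranges. Component names, versions and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Match a device's software component inventory against a local CVE feed.

All data below is constructed for illustration; the CVE identifiers are
placeholders, not real records.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CveRecord:
    cve_id: str               # placeholder identifier
    component: str            # affected off-the-shelf component
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = unfixed
    severity: str

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.10.4' into (5, 10, 4) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version: str, rec: CveRecord) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(rec.introduced):
        return False
    return rec.fixed is None or v < parse_version(rec.fixed)

def scan_sbom(sbom: dict[str, str], feed: list[CveRecord]) -> list[tuple[str, str, str]]:
    """Return (component, cve_id, severity) for every CVE that affects the inventory."""
    findings = []
    for rec in feed:
        version = sbom.get(rec.component)
        if version is not None and is_affected(version, rec):
            findings.append((rec.component, rec.cve_id, rec.severity))
    return findings

# Constructed component inventory for a hypothetical device build.
DEVICE_SBOM = {"linux-kernel": "5.10.4", "openssl": "1.1.1", "busybox": "1.36.1"}

# Constructed local CVE feed (placeholder IDs, not real advisories).
CVE_FEED = [
    CveRecord("CVE-PLACEHOLDER-0001", "linux-kernel", "5.4.0", "5.10.9", "high"),
    CveRecord("CVE-PLACEHOLDER-0002", "openssl", "1.1.0", "1.1.1", "critical"),
    CveRecord("CVE-PLACEHOLDER-0003", "busybox", "1.30.0", None, "medium"),
    CveRecord("CVE-PLACEHOLDER-0004", "zlib", "1.2.0", "1.2.12", "high"),
]

if __name__ == "__main__":
    for component, cve_id, severity in scan_sbom(DEVICE_SBOM, CVE_FEED):
        print(f"{component}: {cve_id} ({severity})")
```

The openssl entry is deliberately pinned to the first fixed version so the half-open range comparison is exercised; a text comparison of "5.10.4" against "5.4.0" would have ordered the versions wrongly, which is why versions are parsed into tuples.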

Learn how to make your medical devices more secure and give customers more confidence by limiting security exposures. Download the whitepaper here.



This article first appeared on the Siemens Digital Industries Software blog at