Healthcare: Medical Devices

Cyber security within the medical device sub-sector is not as well publicised, compared with the rest of the healthcare sector.

Nonetheless, securing medical devices is vitally important, as digital technologies now connect medical devices to the internet, for example, connecting pacemakers and insulin pumps with patients, hospitals and even your mobile phone. Therefore, there is risk of either software vulnerability being exploited by attackers or personal data being stolen.

The medical device sub-sector is regulated.

Most notably, in the UK, medical devices are regulated by the Medicines and Healthcare products Regulatory Agency (MHRA) and in the US, the Food and Drug Administration (FDA). The FDA includes addressing cyber security within its Quality System Regulation (QSR).

Furthermore, the FDA provides pre- and post-market cybersecurity recommended guidance on how to comply with the QSR’s specific regulation. The European Union has produced Medical Device Coordination Group (MDCG) 2019-16 Guidance on cyber security for medical devices, and of course other guidance may also refer – for example Network and Information Security Directive (NIS) and General Data Protection Regulation (GDPR).

For detailed industry-accepted best practice, organisations should seek direction from internationally recognised standards, for example, ISO 14971:2019 Application of Risk Management to Medical Devices, ISO13485 Medical device Quality Management Systems (QMS) and IEC 62304:2006/A1:2015 Software Lifecycle Processes. These standards are rarely used in isolation and should be considered amongst other internationally recognised security standards to provide a comprehensive approach to reducing cyber risk to medical devices, for example ISO27001 and NIST.

Cyber challenges

Increasing attack surface area

Thanks to the increase in medical device and information databases connected to internet, there is an increased attack surface area for cyber criminals. With medical professionals and patients able to access information through devices and internet portals, educating both on good cyber security is vital.

Complex supply chains and stakeholders

Understanding and reducing vulnerability in devices and embedded systems is no small task. Medical device manufacturers need to employ secure by design in the Software Development Lifecycle (SDL), secure access, understand and address vulnerability and protect, detect and respond to malware. Furthermore, software bill of materials can be extensive and cyber security must be addressed across the supply chain. However, stakeholders such as medical professionals, hospitals and the end users must also be considered.

Cutting though the complexity of industry guidance

No single framework addresses the multitude of quality and security concerns. For example, the FDA are proposing to ‘advance medical device safety by explicitly requiring that medical device manufacturers design cybersecurity into their devices and by ensuring that FDA and the public have certain information about device cybersecurity.’ There are also plenty of internationally recognised standards.  However, understanding and applying industry accepted best practice, e.g., ISO27001, ISO 14971:2019, IEC62443, IEC62304 ISO 14971:2019 ISO13485 can be daunting.


Opliciti creates appropriate, proportionate cyber security strategy aligned with industry accepted best practice.

Let us help you:

  • Assess and present cyber security as a business risk to drive board ownership and risk appetite.

  • Create business-integrated or aligned cyber security strategy across IT and OT environments to enable safety, resilience and create and protect value.

  • Align with industry accepted best practice, ISO27001, NIST, NIS CAF, IEC62443 etc, identifying prioritised risk and aligning appropriate proportionate controls that are suitably governed.

  • Manage security operations using artificial intelligence and machine learning with automated response to stop cyber threats efficiently and effectively.