Design for Security from the Start: Making Medical Device Cybersecurity More Resilient
MedTech innovation is revolutionizing healthcare but is also introducing new cyberattack vectors that can put manufacturers, hospitals, and patients at risk.
In Episode 44 of the MedTech Speed to Data Podcast, Key Tech VP of Business Development Andy Rogers and Senior Computer Engineer Jamie Kendall discuss the FDA’s latest cybersecurity guidance.
Need to know
- Smart, connected devices have greater risks — Medical devices are emerging vectors for bad actors targeting the healthcare industry.
- FDA’s 2025 cybersecurity guidance update — The agency recommends risk-based development frameworks to make device cybersecurity more resilient.
- Clarifying “cyber devices” — The FDA’s guidance applies to any medical device that runs software and could connect to the Internet.
The nitty-gritty
“Cybersecurity was always baked into our process,” Jamie explains. More specifically, Key Tech has adapted the TIR57 risk-based standard for managing medical device security to the new rules. “[The FDA’s] 2023 guidance really laid the groundwork for our latest process. We’ve tweaked it slightly with the [latest update]. There are more explicit documentation requirements around vulnerability monitoring and more details on the software bill of materials (SBOMs).”
Jamie goes on to describe how Key Tech’s cybersecurity risk management plan informs product development. The security team starts by developing a threat model based on evaluations of data flows, data storage, and the cybersecurity activities protecting that data.
“One of the first things that we always do is a threat model. This is a visual model of the system to show the elements of the device, where data is flowing, and where your trust boundaries are. This is a one-page, digestible visual that everyone can look at, assess, and go ‘yep, that makes sense’ and then build your initial architecture and risk assessment based on that.”
The security team documents the resulting security architectures using the FDA’s recommended views:
- Global System View: Describes how software integrates with hardware and networks and the associated cybersecurity mitigations.
- Multi-Patient Harm View: Identifies mitigations for vulnerabilities or failures that could compromise multiple devices and harm multiple patients.
- Updateability/Patchability View: Summarizes the end-to-end process for distributing software updates and patches, especially if manufacturers do not control the entire path.
- Security Use Case View: Documents scenarios in which vulnerabilities can compromise the device’s safety or effectiveness.
“To give a sense of scale,” Jamie says, “this isn’t one or two documents. It’s a pretty large effort, and it’s one of those things that you want to start early in your development process.”
Data that made the difference:
Throughout his conversation with Andy, Jamie shares some of the lessons Key Tech has learned about designing secure medical devices, including:
- Design for security from the beginning. Late changes are expensive, especially once in pre-production or after your FDA submission.
- Avoid cyber rabbit holes. Rather than addressing every possible threat, use data and risk to prioritize the real threats.
- Don’t roll your own cybersecurity. Stick to standard practices, or you risk introducing unknown, novel vulnerabilities.
- Fully document your SBOMs. Standard libraries introduce layers of dependencies that you must understand. That’s the only way to control your exposure to new vulnerabilities.
- Design devices that are truly safe. Cybersecurity risks are real. Don’t treat compliance as a check box.
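To make the SBOM lesson above concrete, here is an added Python example (not Key Tech's code and not from the podcast) that traces why a deeply nested library ships in a device and flags components whose own dependencies are undocumented. It assumes a CycloneDX-style JSON SBOM, a format the page does not name; all component names and versions are constructed.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM (names and versions are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"bom-ref": "device-fw", "name": "device-firmware", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "net-stack", "name": "example-net-stack", "version": "2.3.0"},
    {"bom-ref": "tls-lib", "name": "example-tls", "version": "3.1.4"},
    {"bom-ref": "zip-lib", "name": "example-zip", "version": "1.2.0"},
    {"bom-ref": "ui-kit", "name": "example-ui", "version": "5.0.1"}
  ],
  "dependencies": [
    {"ref": "device-fw", "dependsOn": ["net-stack", "ui-kit"]},
    {"ref": "net-stack", "dependsOn": ["tls-lib"]},
    {"ref": "tls-lib", "dependsOn": ["zip-lib"]},
    {"ref": "ui-kit", "dependsOn": []}
  ]
}
"""
SBOM = json.loads(SBOM_JSON)

def load_graph(sbom):
    """Return (root ref, {ref: [direct dependency refs]}) from a CycloneDX-style dict."""
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return sbom["metadata"]["component"]["bom-ref"], graph

def paths_to(target, node, graph, trail=()):
    """List every chain from `node` down to `target`: why that component is in the device."""
    trail = trail + (node,)
    if node == target:
        return [list(trail)]
    found = []
    for dep in graph.get(node, []):
        if dep not in trail:  # skip dependency cycles
            found.extend(paths_to(target, dep, graph, trail))
    return found

def undeclared(sbom, graph):
    """Components with no dependency entry: the SBOM says nothing about what sits beneath them."""
    return sorted(c["bom-ref"] for c in sbom["components"] if c["bom-ref"] not in graph)

if __name__ == "__main__":
    root, graph = load_graph(SBOM)
    # When an advisory names zip-lib, show which layers pull it into the firmware.
    print(paths_to("zip-lib", root, graph))
    print(undeclared(SBOM, graph))
```

In the sample, `ui-kit` is recorded as a leaf through an empty `dependsOn` list, while `zip-lib` has no entry at all, so any layers beneath it are a documentation gap rather than a known absence.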
Watch the whole conversation in the video below to learn more about designing for cybersecurity, the importance of third-party penetration testing, and more.
What is MedTech Speed to Data?
Speed-to-data determines go-to-market success for medical devices. You need to inform critical decisions with user data, technical demonstration data, and clinical data. We interview med tech leaders about the critical data-driven decisions they make during their product development projects.