
How organizations can deliver medical device security the care it needs

Many smart medical devices in health care today are not designed with security in mind, exposing sensitive data to risk.


In brief
  • Existing medical devices are not designed with cybersecurity in mind
  • Unprotected devices can expose sensitive patient and organizational data to criminals
  • Manufacturers must adopt a secure-by-design approach to protect devices

Diagnosing and treating the root causes of cybersecurity challenges and vulnerabilities in the health and life sciences sectors used to be simpler. The rapid growth of internet-connected medical devices in health care is expanding the cyber risk landscape dramatically. With the smart medical device market set to exceed $125.5 billion by 2033 [1], organizations must recognize and respond to the broad cybersecurity risks these devices now bring, from outdated legacy systems to insecure third-party components. That growth will likely accelerate as more providers pursue a direct-to-consumer service model and expand remote patient care options.

While technological advances bring incredible care, research and medical device manufacturing opportunities, they also create a much larger attack surface. Many organizations are unprepared for the implications and for the steps needed to bring their cyber capabilities into line. This exposes them to operational risk, reputational damage from cyber incidents, financial losses and, most importantly, threats to patient health and safety. If this is not yet a concern for your business leaders, it almost certainly should be. Understanding how medical devices are changing the risk picture is now essential for health and life sciences sector leaders, and it is time to adopt a secure-by-design approach to device protection. The key factors to consider follow.

Scale of the risk landscape

The outlook is clear: the increasing number of connected devices integrated into health care services means more risk. In hospitals, as many as 53% of connected medical devices have been found to have known vulnerabilities [2]. One-third (33%) of Internet of Things (IoT) devices have been identified as carrying critical risk factors that affect operation and functionality [3], and according to the U.S. Government Accountability Office (GAO), medical devices carry an average of 6.2 vulnerabilities each [4], so the threat to health care providers is no longer theoretical. The problem could worsen as US health care expenditure is set to reach $7.2 trillion by 2031 [5]. All of this significantly increases the likelihood of ransomware attacks, operational disruption, regulatory penalties and, most importantly, harm to patient safety.


Secure by design: building for performance and protection

The challenge in medical device cybersecurity is not new. Health care providers and organizations frequently, for budgetary or process reasons, run legacy devices and outdated software, which makes them hard to secure in today's evolving risk landscape. According to a HIMSS Healthcare Survey, 50% of oncology, pharmacology and laboratory departments operate on outdated Windows software that can no longer receive updates. Interoperability across the health care ecosystem can also widen the attack surface, especially where proper authentication and encryption are not in place between the systems that exchange data.

While many legacy devices designed for patient outcomes perform well clinically, they were not built with cybersecurity in mind and cannot receive the firmware and software updates that are now critical for protecting both devices and data. To protect devices, health care organizations and patient care going forward, manufacturers are adopting a secure-by-design philosophy in which cybersecurity is integrated into the development lifecycle of medical devices rather than treated as an afterthought. This means balancing clinical performance with security from day one. With this approach, medical device manufacturers and health care providers do not have to choose between patient outcomes and cyber protection; they can and must deliver both. Risk, exposure and plausible threats are considered in the design process alongside practical and functional patient care performance.

Suggested measures for regulatory compliance

Given guidance from the Food and Drug Administration (FDA), released in June 2025, along with Health Insurance Portability and Accountability Act (HIPAA) regulations related to data protection and patient privacy, organizations should continue to establish or refine product security capabilities across three dimensions: people, process and technology. Steps include:

  • Improving accountability for product security through a qualified, skilled, central function that places security advocates within the product and device development teams to provide strategy, oversight and management of vulnerabilities and responses. This function systemizes security enhancements and maintains central control.
  • Using a post-deployment customer support function to formally integrate medical device security and privacy considerations into post-deployment activities, including checklists for decommissioning connected products or transferring ownership.
  • Clarifying roles and responsibilities across multiple functional areas, including product management, supply chain, manufacturing, commercial sales, marketing, field services and customer support as well as legal, regulatory and information technology.
  • Tracking the medical device lifecycle to provide a single source of truth for cyber-relevant product information, automated processes to maintain inventory, and insight into compliance with product security deliverables. This enables informed business decisions around compliance and product security deliverables; helps to manage conversions; and supports better compliance, FDA reporting, and incident management times and procedures.
  • Establishing software bills of materials (SBOMs) that list the third-party and open-source software components in each device, so that sourcing, quality and known vulnerabilities in those components can be tracked for secure device design and for monitoring after release.
  • Implementing continuous improvement of security capabilities by conducting periodic cyber and product security program assessments to guide further action and the adjustment of risk profiles.
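The SBOM measure above is only useful if the SBOM is actually checked against vulnerability data. The following script, added here as an illustration and not taken from the article, the FDA guidance or any manufacturer's tooling, parses a CycloneDX-style JSON SBOM and matches each component's version against an advisory table using [introduced, fixed) ranges, the convention OSV uses. The SBOM contents, component names, the firmware product and the EXAMPLE-nnnn advisory identifiers are all constructed for this example; a real check would pull advisories from NVD, OSV or the vendor's feed. It also flags components that ship without a version, which is a common SBOM quality problem that silently defeats matching.

```python
"""Check a CycloneDX-style SBOM against a table of vulnerable version ranges.

Added example, not part of the original article. The SBOM, the advisory
table and the EXAMPLE-nnnn identifiers are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed SBOM fragment in CycloneDX 1.5 JSON layout (not a real device).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "device", "name": "infusion-pump-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"},
        {"type": "operating-system", "name": "linux-kernel", "version": "4.19.280"},
        {"type": "library", "name": "vendor-blob"},  # no version: cannot be matched
    ],
})

# Constructed advisory table: (component, introduced, fixed, advisory id).
# Ranges are [introduced, fixed); fixed=None means no fix has been published.
ADVISORIES: List[Tuple[str, str, Optional[str], str]] = [
    ("openssl", "1.1.1", "1.1.1u", "EXAMPLE-0001"),
    ("busybox", "1.30.0", "1.34.0", "EXAMPLE-0002"),
    ("zlib", "1.2.0", "1.2.13", "EXAMPLE-0003"),  # fixed exactly at the shipped version
    ("linux-kernel", "4.19", None, "EXAMPLE-0004"),
]


def parse_version(v: str) -> tuple:
    """Split '1.1.1k' into comparable tokens.

    Numeric tokens compare as integers, letter tokens as strings, and a
    shorter prefix sorts before a longer one, so 1.1.1 < 1.1.1k < 1.1.1u
    and 4.19 < 4.19.280. Good enough for the suffix styles above; a real
    tool would use the ecosystem's own versioning rules.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed), or >= introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Dict]:
    """Return the component list of a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return list(doc.get("components", []))


def missing_versions(sbom_json: str) -> List[str]:
    """Components that cannot be matched because the SBOM gives no version."""
    return sorted(c["name"] for c in load_components(sbom_json) if not c.get("version"))


def find_affected(sbom_json: str, advisories=ADVISORIES) -> List[Dict]:
    """Match every versioned component against the advisory table."""
    findings = []
    for comp in load_components(sbom_json):
        if not comp.get("version"):
            continue
        for name, introduced, fixed, adv_id in advisories:
            if comp["name"] == name and is_affected(comp["version"], introduced, fixed):
                findings.append({"component": name, "version": comp["version"],
                                 "advisory": adv_id, "fixed_in": fixed})
    return sorted(findings, key=lambda f: (f["component"], f["advisory"]))


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON):
        fix = f["fixed_in"] or "no fix published"
        print(f'{f["component"]} {f["version"]}: {f["advisory"]} (fixed in {fix})')
    for name in missing_versions(SBOM_JSON):
        print(f"{name}: no version in SBOM, cannot be assessed")
```

On the constructed input the script reports openssl, busybox and the kernel as affected, leaves zlib alone because its shipped version is exactly the fix version, and flags vendor-blob as unassessable. That last case is the one to watch in practice: an SBOM entry without a version, or with a vendor-specific version string that the matcher cannot parse, produces no finding and therefore looks clean.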

Technical steps to enhance device security

As health care organizations implement the measures necessary to evolve medical device design and development processes for improved compliance, the following required steps across the people, process and technology dimensions should be considered:

Mehul Purohit, Justin Munier, and Sharon Cohen contributed to the development of this article.


Summary 

Unsecured devices are no longer just IT risks; they are clinical, financial and reputational threats waiting to materialize. Failure to act today invites not only cyber attacks but also loss of trust, regulatory consequences and potential patient harm tomorrow. As the sophistication of cyber attacks and the overall risk landscape for connected devices grow rapidly, manufacturers and the organizations that use these devices must prioritize both performance and cyber protection. Devices and products must be designed, manufactured, operated and governed with the same due diligence that organizations now afford sensitive and proprietary data. Failure to protect devices adequately will only lead to further vulnerabilities, patient data exposure and potentially irreparable damage to an entity's reputation.
