Connected medical devices are everywhere in modern healthcare. Infusion pumps that report dosing data to the EHR. Patient monitors that stream vitals to nursing stations. Imaging systems that push DICOM studies to PACS servers. Wearable sensors that transmit remote patient monitoring data to cloud platforms. Every one of these device-to-system data flows represents both a clinical capability and a cybersecurity attack surface.
The FDA has responded with increasingly specific cybersecurity requirements for medical devices, culminating in Section 524B of the Food, Drug, and Cosmetic Act (added by the Consolidated Appropriations Act of 2023). These requirements fundamentally change what device manufacturers and healthcare organizations must do to secure connected medical devices throughout their lifecycle.
This guide covers the regulatory landscape, the technical requirements, and the practical implications for teams that build, integrate, and maintain connected medical devices.
Section 524B: The Regulatory Foundation
Section 524B of the FD&C Act, which took effect on March 29, 2023, established statutory cybersecurity requirements for medical devices. Prior to 524B, FDA’s cybersecurity expectations were communicated through guidance documents that were technically non-binding. Section 524B made cybersecurity a legal requirement for premarket submissions.
What Section 524B Requires
The law applies to “cyber devices,” defined as devices that include software validated, installed, or authorized by the sponsor, have the ability to connect to the internet, and contain any technological characteristics that could be vulnerable to cybersecurity threats. In practice, this covers virtually every connected medical device.
For premarket submissions (510(k), PMA, De Novo), manufacturers must now provide:
- A plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure.
- A plan for providing reasonable assurance of device cybersecurity, including updates and patches throughout the device’s total product lifecycle.
- A Software Bill of Materials (SBOM) listing all commercial, open-source, and off-the-shelf software components in the device.
- Evidence of compliance with other requirements the FDA may establish by regulation.
The FDA can refuse to accept a premarket submission that does not include these elements. This is a significant enforcement mechanism: cybersecurity is no longer a post-approval afterthought but a gate to market access.
Premarket Cybersecurity Documentation
FDA’s premarket cybersecurity guidance (most recently updated in September 2023) details what the agency expects in a premarket submission. The key elements include:
Threat Modeling. Manufacturers must identify and document cybersecurity threats relevant to the device, including threats to confidentiality, integrity, and availability of the device and the data it processes. The threat model should consider the device’s intended use environment, its connectivity interfaces, and the types of data it handles.
Security Architecture. The submission must describe the device’s security architecture, including authentication mechanisms, encryption implementations, network segmentation, and access controls. The architecture should demonstrate defense in depth: multiple layers of security controls so that the compromise of any single control does not result in complete device compromise.
Security Testing. FDA expects evidence of security testing appropriate to the device’s risk level. This includes static and dynamic code analysis, software composition analysis (identifying known vulnerabilities in third-party components), fuzz testing of network interfaces, and penetration testing of the device in its intended deployment configuration.
Cybersecurity Risk Assessment. The submission must include a risk assessment that evaluates cybersecurity risks alongside safety risks, using the risk management framework from ISO 14971. Cybersecurity risks should be traceable to specific threats, vulnerabilities, and mitigations.
Software Bill of Materials (SBOM) Requirements
The SBOM requirement in Section 524B is one of the most operationally significant provisions. An SBOM is a structured list of all software components in a device, including:
- Commercial software packages (with version numbers).
- Open-source libraries and frameworks (with version numbers and license information).
- Operating system components.
- Firmware and embedded software.
SBOM Format
FDA recommends using machine-readable SBOM formats, specifically SPDX (Software Package Data Exchange) or CycloneDX. These standardized formats enable automated vulnerability tracking: when a new CVE is published for a software component, organizations can quickly determine which devices in their environment contain the affected component.
Why SBOMs Matter for Integration
For healthcare organizations that integrate medical devices with their clinical systems, SBOMs provide critical visibility into the software supply chain. Consider a scenario where a critical vulnerability is discovered in a widely used open-source library like Log4j. With SBOMs for every connected device, your security team can quickly identify which devices are affected, prioritize patching or compensating controls, and communicate risk to clinical stakeholders.
Without SBOMs, the same scenario requires manually contacting every device manufacturer, waiting for their assessment, and hoping they respond promptly. During the Log4Shell crisis in December 2021, many healthcare organizations spent weeks trying to determine which medical devices in their environment were vulnerable. SBOMs eliminate that uncertainty.
SBOM for Integration Components
The SBOM requirement applies to the device itself, but the principle extends to integration infrastructure. If you are running an integration engine (Mirth Connect, OIE, Rhapsody) that processes data from medical devices, maintaining an SBOM for your integration stack enables the same rapid vulnerability assessment. This is not a regulatory requirement for the integration engine, but it is a security best practice that aligns with the spirit of 524B.
Postmarket Cybersecurity Management
Section 524B does not end at market clearance. Manufacturers must maintain cybersecurity throughout the device’s total product lifecycle, which the FDA defines as the period from design through end of support.
Coordinated Vulnerability Disclosure
Manufacturers must establish and maintain a coordinated vulnerability disclosure (CVD) process. This means:
- Publishing a vulnerability disclosure policy that tells security researchers how to report vulnerabilities.
- Maintaining a dedicated channel for receiving vulnerability reports (typically a security@manufacturer.com email or a web form).
- Acknowledging reports within a defined timeframe.
- Providing a timeline for remediation.
- Publishing advisories when vulnerabilities are confirmed and patches are available.
For integration teams, this means you should know where to find CVD information for every medical device in your environment. Bookmark the manufacturer’s security advisory page. Subscribe to their notification lists. Include device cybersecurity monitoring in your regular vulnerability management cadence.
Patch and Update Management
Manufacturers must provide security patches and updates in a timely manner. The FDA’s postmarket guidance recommends:
- Critical vulnerabilities: Remediation within a controlled (short) timeframe, with interim mitigations communicated immediately.
- High vulnerabilities: Remediation within the next planned update cycle or sooner.
- Moderate/Low vulnerabilities: Addressed in regular update releases.
Healthcare organizations must have processes to receive, test, and deploy these patches. This is where medical device integration and IT operations intersect: patching a device may require coordination with clinical engineering, biomedical teams, and the integration team to ensure that patches do not break device-to-EHR data flows.
IEC 62304: Software Lifecycle Standard
IEC 62304 (Medical Device Software — Software Lifecycle Processes) is the international standard for medical device software development. While not specific to cybersecurity, it establishes the software development lifecycle processes that underpin secure device software.
Software Safety Classification
IEC 62304 classifies software into three safety classes:
| Class | Risk Level | Requirements |
|---|---|---|
| Class A | No injury or damage to health is possible | Basic lifecycle processes |
| Class B | Non-serious injury is possible | Detailed design and testing |
| Class C | Death or serious injury is possible | Full lifecycle documentation, verification, and traceability |
The safety classification determines the rigor of development, testing, and documentation requirements. Integration software that processes clinical data from medical devices may itself be classified as a medical device (depending on its intended use), in which case IEC 62304 applies.
Key IEC 62304 Processes
For cybersecurity-relevant processes, IEC 62304 requires:
- Software development planning that addresses security requirements.
- Software architecture design that separates safety-critical and non-safety-critical components (software of unknown provenance, or SOUP, must be identified and risk-assessed).
- Software unit verification including security-focused testing.
- Software integration testing that verifies security controls work correctly when components are combined.
- Software system testing in the intended deployment configuration.
- Problem resolution processes for addressing discovered vulnerabilities.
- Configuration management for all software assets, including third-party components.
IEC 81001-5-1: Health Software Security
IEC 81001-5-1 (Health Software and Health IT Systems Safety, Effectiveness and Security — Part 5-1: Security) is a newer standard that specifically addresses cybersecurity for health software. Published in 2021, it provides a security-focused lifecycle framework that complements IEC 62304.
Key areas covered by IEC 81001-5-1 include:
- Security requirements analysis during the design phase.
- Secure design principles including least privilege, defense in depth, and fail-secure.
- Secure coding practices with specific attention to common vulnerability classes (injection, authentication bypass, improper input validation).
- Security verification and validation including threat modeling, security testing, and penetration testing.
- Security update management for the full product lifecycle.
- Security event handling including incident response and communication.
The FDA has indicated that compliance with IEC 81001-5-1 is one way to demonstrate that a device meets the security requirements expected in premarket submissions. For organizations developing medical device software or integration software that may be classified as a medical device, adopting IEC 81001-5-1 provides a structured path to FDA compliance.
Integration Security: Device-to-EHR Data Flows
Medical device cybersecurity does not exist in isolation. Devices connect to clinical systems, and those connections create security considerations that span the device, the network, and the receiving system.
Authentication
Every device-to-system connection should be authenticated. Common patterns include:
- Certificate-based mutual TLS (mTLS): Both the device and the receiving system present certificates to authenticate each other. This is the strongest option for persistent device connections and is required for many DICOM and HL7 MLLP connections in security-conscious environments.
- API key authentication: For RESTful device APIs (increasingly common in IoMT and remote monitoring), API keys provide a simple authentication mechanism. Keys should be unique per device, rotated regularly, and transmitted only over encrypted connections.
- OAuth 2.0: For cloud-connected devices and modern IoMT platforms, OAuth 2.0 provides token-based authentication with scoped access and token expiration. The SMART on FHIR backend services specification is relevant for server-to-server device data flows.
Encryption
All device data in transit must be encrypted. TLS 1.2 is the minimum acceptable version; TLS 1.3 is preferred. For HL7 v2 messages over MLLP, this means configuring MLLP over TLS (sometimes called “secure MLLP” or “HL7 over TLS”). For DICOM, this means DICOM TLS. For FHIR APIs, HTTPS is mandatory.
Data at rest on the integration engine should also be encrypted, particularly the message store (where Mirth Connect or OIE persists messages for retry and audit purposes). These messages often contain PHI extracted from medical devices.
Network Segmentation
Medical devices should reside on segmented network zones, separated from general-purpose IT networks and from each other where appropriate. Integration engines that receive data from medical devices should have network access limited to the specific ports and protocols needed for each device connection.
A common architecture places the integration engine in a DMZ-like position between the medical device network and the clinical systems network:
[Medical Device VLAN] → [Integration Engine] → [EHR/Clinical Systems]The integration engine acts as a controlled gateway, receiving data from devices on one network interface and forwarding processed data to clinical systems on another. Firewall rules restrict traffic to the specific ports and protocols configured for each integration.
Clinical Alarm Systems
Clinical alarm integration (patient monitors, ventilators, infusion pumps) carries elevated cybersecurity risk because alarm data is time-critical. A cyberattack that delays or suppresses clinical alarms could directly harm patients.
For alarm system integrations, security measures should include:
- Redundant communication paths so that a single network failure does not silence alarms.
- Integrity checking on alarm messages to detect tampering.
- Availability monitoring that detects when alarm data stops flowing and alerts clinical staff through an independent channel.
- Separation from general network traffic to prevent congestion-related alarm delays.
Assessing Your Device Integration Security Posture
If you are responsible for medical device integrations at a healthcare organization, use the following checklist to assess your current security posture against FDA expectations and industry best practices.
Inventory and Documentation
- Do you maintain a complete inventory of connected medical devices, including software versions?
- Do you have SBOMs (or access to manufacturer SBOMs) for connected devices?
- Are device integration interfaces documented, including protocols, ports, authentication methods, and data elements?
Authentication and Encryption
- Are all device-to-system connections authenticated (not just IP-based filtering)?
- Is TLS 1.2 or higher used for all device data in transit?
- Are certificates managed with a defined lifecycle (issuance, rotation, revocation)?
- Is data at rest encrypted on integration engines and message stores?
Network Security
- Are medical devices on segmented VLANs with firewall rules restricting traffic?
- Does your integration engine sit in a controlled network zone between devices and clinical systems?
- Are unused ports and protocols disabled on both devices and integration engines?
Vulnerability Management
- Are you subscribed to cybersecurity advisories from all device manufacturers in your environment?
- Do you have a process to receive, test, and deploy manufacturer security patches?
- Is your integration engine (Mirth Connect, OIE, etc.) patched and updated on a regular cadence?
Incident Response
- Does your incident response plan specifically address medical device cybersecurity incidents?
- Have you tested your response to a scenario where a device integration is compromised?
- Do you know who to contact at each device manufacturer for cybersecurity incidents?
Medical device cybersecurity is not solely the manufacturer’s responsibility. Healthcare organizations that integrate devices with their clinical systems share accountability for the security of those data flows. The FDA’s 524B requirements set the floor for manufacturer obligations; your organization’s integration security practices build on that floor.
For help securing your medical device integrations or assessing your cybersecurity posture, explore our related services:
- Medical Device Integration — End-to-end device-to-EHR integration
- Healthcare Cybersecurity — Security assessment, hardening, and monitoring
- Medical Software Development — IEC 62304-compliant software development