
    Cybersecurity Labeling

    Learn how to get medical device cybersecurity labeling right with MDS2, JSP2, and FDA expectations - improving transparency, accountability, and patient.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: December 4, 2025 · Last reviewed: May 1, 2026

    Direct answer

Effective medical device cybersecurity labeling requires manufacturers to provide detailed, transparent information about device security risks and mitigations. Key frameworks include the Manufacturer Disclosure Statement for Medical Device Security (MDS2) and the Medical Device and Health IT Joint Security Plan, version 2 (JSP2). The FDA's February 3, 2026 final guidance sets out the labeling content the agency expects to see in premarket submissions. This information lets healthcare providers make informed purchasing and deployment decisions and holds manufacturers accountable for the security posture of their products, bridging the gap between technical specifications and user understanding.

    Why this matters

Cybersecurity labeling is pivotal for protecting patients and healthcare infrastructure from increasingly sophisticated cyber threats targeting medical devices. In today's interconnected healthcare ecosystem, a lack of transparent security information leaves hospitals unable to see and manage device weaknesses, which can lead to patient harm, data breaches, and operational disruptions.

The FDA's 'Cybersecurity in Medical Devices' Final Guidance, dated February 3, 2026, emphasizes the need for manufacturers to clearly communicate the security posture of their devices. This guidance aligns with existing standards such as IEC 81001-5-1, ISO 14971, and AAMI TIR57, and calls for detailed disclosures of security controls, known vulnerabilities, and mitigation strategies. Effective labeling lets healthcare providers run their own risk assessments and select devices that meet their security requirements, supporting patient safety and clinical continuity.

Without clear, standardized labeling, the work of identifying and mitigating device risks falls disproportionately on hospitals, diverting resources from patient care. The transparency that proper labeling creates drives accountability among manufacturers, encouraging security-by-design and continuous improvement throughout the product lifecycle, and ultimately strengthens the resilience of healthcare delivery against cyber attacks.

    Unlocking the Importance of Cybersecurity Labeling for Medical Devices

    In the rapidly evolving world of medical technology, cybersecurity has become a critical concern for both manufacturers and healthcare providers. As devices become increasingly connected and data-driven, the need for transparent and comprehensive cybersecurity labeling has never been more pressing.

    In this blog post, we’ll explore the nuances of cybersecurity labeling, its role in fostering accountability, and the best practices for medical device manufacturers to communicate security information to their customers effectively.

    Understanding Cybersecurity Labeling: A Primer

    Cybersecurity labeling, in the context of medical devices, refers to the information that manufacturers must provide to users and patients regarding the security risks and mitigations associated with their products. This labeling serves a dual purpose: it empowers healthcare providers to make informed decisions about the devices they purchase, and it holds manufacturers accountable for the security of their products.

    As Christian Espinosa, CEO of Blue Goat Cyber, explains, “Labeling is the information that a manufacturer or a MedTech innovator needs to portray to users and patients. This will essentially fall under the cybersecurity context. What risk are they taking on by using the product, and how can they work to mitigate that risk?”

    The concept of cybersecurity labeling is not entirely new, as it builds upon the long-standing tradition of product labeling in the medical device industry. However, the increasing focus on cybersecurity has brought this aspect of labeling into sharper focus, with regulatory bodies and healthcare organizations demanding more transparency and accountability from manufacturers.

    The Role of Standardized Approaches: MDS2 and JSP2

    To streamline the cybersecurity labeling process, the industry has adopted several standardized approaches, including the Manufacturer Disclosure Statement for Medical Device Security (MDS2) and the Medical Device and Health IT Joint Security Plan, version 2 (JSP2).

The MDS2 is a standardized questionnaire that manufacturers complete to disclose specific details about their product’s security features, including the type of encryption used, authentication methods, and compliance with various security standards. As Trevor Slattery, Chief Technology Officer at Blue Goat Cyber, explains, “The MDS2 is essentially saying, it’s a questionnaire. I think it’s about 180 line items, and it’s different questions about the product document, basically that a manufacturer has to fill out to disclose certain information, like what type of encryption you have, what type of authentication you’re using.”

The JSP2’s customer security documentation, on the other hand, focuses on the customer-facing side of cybersecurity labeling, guiding users on how to configure the device and integrate it securely into their existing systems. As Slattery notes, “The JSP2 customer security documentation goes into more on the what the user should do side. So, MDS2 is facts about the product, and JSP2 is how to use those facts to increase your security posture.”

    By leveraging these standardized approaches, manufacturers can ensure that they are providing a comprehensive and consistent set of cybersecurity information to their customers, making it easier for healthcare providers to compare and evaluate different medical devices.

    Addressing Common Misconceptions About Cybersecurity Labeling

    Despite the growing importance of cybersecurity labeling, several misconceptions persist that manufacturers must address. One of the most common concerns is the fear that disclosing security information will make their devices more vulnerable to attacks.

    As Slattery explains, “Part of that comes from the software bill of materials being part of labeling. So, you’re disclosing the different components of the product. Part of that comes from disclosing the potential risks in the product. Part of that comes from disclosing the architecture. And while if you have an insecure product, that information can be leveraged by attackers, if you have an insecure product, they’re going to attack it anyway.”

    In other words, the transparency required by cybersecurity labeling is not a vulnerability in itself, but rather a means of holding manufacturers accountable for the security of their products. By disclosing potential risks and security measures, manufacturers are incentivized to address these issues proactively, rather than relying on “security through obscurity.”

    Another common misconception is the uncertainty around where to start with cybersecurity labeling. As Slattery notes, “The FDA has a list of requirements that they want to see for labeling, and we often get a lot of questions, ‘Oh, is this going to be covered by MDS2? Is this going to be covered by our software documentation?’ And the answer is sometimes.”

    To address this challenge, manufacturers should adopt a hybrid approach, combining the MDS2 and JSP2 frameworks to ensure that they are covering all the necessary bases. By understanding the specific requirements of their target audience, whether it’s a hospital, a private practice, or a consumer, manufacturers can tailor their cybersecurity labeling to meet the needs of their customers.

    Balancing Transparency and Technical Complexity

    One of the key challenges in cybersecurity labeling is striking the right balance between providing detailed technical information and ensuring that the content is accessible and understandable to a wide range of users, from healthcare IT administrators to patients.

    As Slattery explains, “There are two different kinds of groups that are going to look for this information. The first is the actual user, who we’re assuming doesn’t know very much about cybersecurity. And so when we’re talking about that level of information, we want to make sure that that user is well informed on any potential risk in common language as well as any common mitigations in common language.”

    For more technically inclined users, such as hospital IT administrators, the labeling should provide more detailed information about the device’s architecture, network integration requirements, and specific security controls that can be implemented.

    Slattery emphasizes the importance of this balance, saying, “We also want to have some more information for a hospital IT administrator who’s likely going to be more familiar with these technical terms. And so, how will they integrate this into a complex network? What network controls can they implement? Do they need to make any changes to their firewall?”

    By catering to the needs of both technical and non-technical users, manufacturers can ensure that their cybersecurity labeling is comprehensive, transparent, and accessible to all stakeholders.

    Contextualizing Cybersecurity Labeling: Understanding the Audience

    See also: IEC 81001-5-1 vs AAMI SW96: Which Standard for Your SPDF?, AAMI TIR57 vs TIR97 vs SW96: Medical Device Guide, and MedTech Cyber Standards Every Device Team Must Know.

Another critical aspect of effective cybersecurity labeling is understanding the specific context in which the medical device will be used and the requirements of the target audience. As Slattery notes, “The requirements if you’re selling direct to consumers for labeling are likely going to be pretty thin. You might not even be asked for your labeling most of the time. You should still provide it, regardless. But if a patient is buying your device directly, is what you’re saying, versus it being deployed in a clinic or hospital.”

    The level of detail and specific information required can vary significantly depending on the healthcare delivery organization (HDO) that will purchase and use the device. As Espinosa explains, “Mayo Clinic has different acquisition policies from you know, like any other different hospital, like a private hospital is going to have its own thing. Public hospitals, also known as government hospitals, will have their own procedures. So understand where this product is going and cater to what they’re going to expect.”

    By tailoring their cybersecurity labeling to the specific needs and requirements of their target audience, manufacturers can ensure that their products are not only compliant with regulatory standards but also meet the expectations of the healthcare organizations that will be responsible for their implementation and use.

    Cybersecurity Labeling as a Tool for Accountability

    Beyond simply providing information, cybersecurity labeling can also serve as a powerful tool for holding manufacturers accountable for the security of their medical devices. As Slattery points out, “Part of the drive to push out all this information is the thought that manufacturers should not have very many problems to disclose. They should be addressing security at a solid level.”

    By requiring manufacturers to disclose detailed information about their security measures and potential vulnerabilities, the labeling process creates an incentive for them to prioritize cybersecurity throughout the product development lifecycle. As Espinosa notes, “If they are disclosing saying we’re using triple DES in our system, they shouldn’t get purchased by someone. That is their fault for designing an insecure product.”
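The purchasing-side check described above, turned into code as an added example (this is not Blue Goat Cyber's tooling and the MDS2 is a questionnaire, not a schema, so the field names in the sample disclosure are simplified stand-ins, not real MDS2 question identifiers). The script normalizes the many spellings vendors use for the same primitive, then applies the NIST SP 800-131A Rev. 2 rules: DES, 3DES, RC4 and MD5 are disallowed, RSA below 2048 bits and ECDSA below 224 bits are disallowed, and SHA-1 is disallowed for signature generation but still acceptable for HMAC-style uses. A single "block" finding turns into a "reject" decision, which is exactly the outcome Espinosa argues a Triple DES disclosure should produce.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    field: str       # which disclosure question the algorithm came from
    algorithm: str   # the vendor's original wording
    severity: str    # "block" (do not purchase as-is) or "review" (needs a human)
    reason: str


# Spellings seen in vendor paperwork, normalised to one canonical name.
# Keys are lower-case with separators collapsed to single spaces.
_ALIASES = {
    "des": "DES", "3des": "3DES", "tdes": "3DES", "tdea": "3DES",
    "triple des": "3DES", "des ede3": "3DES", "des3": "3DES",
    "rc4": "RC4", "arcfour": "RC4", "md5": "MD5",
    "sha1": "SHA-1", "sha 1": "SHA-1",
    "sha256": "SHA-256", "sha 256": "SHA-256",
    "sha384": "SHA-384", "sha 384": "SHA-384",
    "sha512": "SHA-512", "sha 512": "SHA-512",
    "aes": "AES", "rsa": "RSA", "ecdsa": "ECDSA",
}

# NIST SP 800-131A Rev. 2: disallowed outright (3DES for encryption after 2023;
# DES, RC4 and MD5 much earlier), and minimum acceptable key sizes.
_DISALLOWED = {"DES", "3DES", "RC4", "MD5"}
_MIN_BITS = {"RSA": 2048, "ECDSA": 224, "AES": 128}
_ACCEPTED_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def canonicalize(text):
    """Map a vendor string like 'Triple DES' or 'AES-256-GCM' to (name, key_bits)."""
    t = re.sub(r"[\s\-_/]+", " ", text.strip().lower())
    if t in _ALIASES:                      # whole string is a known spelling
        return _ALIASES[t], None
    # "<name> <bits> [mode or notes]", e.g. "rsa 1024 (tls key exchange)"
    m = re.match(r"^([a-z0-9 ]*?[a-z]) ?(\d{2,4})(?:\s.*)?$", t)
    if m:
        base = m.group(1).strip()
        return _ALIASES.get(base, base.upper()), int(m.group(2))
    return _ALIASES.get(t, t.upper()), None


def assess(field, algorithm_text):
    """Apply the SP 800-131A rules to one disclosed algorithm; None means acceptable."""
    name, bits = canonicalize(algorithm_text)
    if name in _DISALLOWED:
        return Finding(field, algorithm_text, "block",
                       f"{name} is disallowed by NIST SP 800-131A Rev. 2")
    if name == "SHA-1":
        # Disallowed for generating digital signatures; still acceptable for HMAC.
        if "sign" in field.lower():
            return Finding(field, algorithm_text, "block",
                           "SHA-1 is disallowed for digital signature generation")
        return Finding(field, algorithm_text, "review",
                       "SHA-1 is acceptable only for non-signature uses; confirm the use")
    if name in _MIN_BITS:
        if bits is None:
            return Finding(field, algorithm_text, "review",
                           f"{name} key size not stated; minimum is {_MIN_BITS[name]} bits")
        if bits < _MIN_BITS[name]:
            return Finding(field, algorithm_text, "block",
                           f"{name}-{bits} is below the {_MIN_BITS[name]}-bit minimum")
        return None
    if name in _ACCEPTED_HASHES:
        return None
    # Anything we cannot classify still needs a human to read the disclosure.
    return Finding(field, algorithm_text, "review",
                   f"unrecognised algorithm '{algorithm_text}'")


def triage(disclosure):
    """Run every disclosed algorithm through assess(); returns the list of findings."""
    findings = []
    for field, algorithms in disclosure.items():
        for alg in algorithms:
            finding = assess(field, alg)
            if finding is not None:
                findings.append(finding)
    return findings


def purchasing_decision(findings):
    """Collapse findings into the answer procurement actually needs."""
    severities = {f.severity for f in findings}
    if "block" in severities:
        return "reject"
    if "review" in severities:
        return "review"
    return "proceed"


# Constructed sample, not a real vendor's MDS2. The field names are simplified
# stand-ins for the encryption questions an MDS2 asks, not real MDS2 identifiers.
SAMPLE_DISCLOSURE = {
    "data_at_rest_encryption":    ["Triple DES", "AES-128"],
    "data_in_transit_encryption": ["AES-256-GCM", "RSA-1024 (TLS key exchange)"],
    "firmware_signature_hash":    ["SHA-1"],
    "credential_storage_hash":    ["MD5"],
    "device_identity_signature":  ["ECDSA-256"],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_DISCLOSURE):
        print(f"[{f.severity.upper():6}] {f.field}: {f.algorithm} -> {f.reason}")
    print("decision:", purchasing_decision(triage(SAMPLE_DISCLOSURE)))
```

The deny-list is deliberately the smallest thing that works; a real procurement team would extend the aliases as it meets new vendor spellings and would add the same treatment for protocol versions (TLS 1.0/1.1) and for SBOM components past end-of-support, which is the other piece of labeling the text says attackers could read.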

    This accountability extends beyond the regulatory requirements, as HDOs are increasingly taking on the burden of liability for the security of the medical devices they purchase. As Espinosa explains, “The FDA is not taking on the burden of liability for this product. The hospital is taking on that burden of liability. So if they take in an insecure device, if they have an X-ray machine that can be hacked, and then that X-ray machine gets hacked and they get ransomware because of it, that is the hospital at liability.”

    By demanding comprehensive cybersecurity labeling, HDOs can make more informed purchasing decisions and hold manufacturers accountable for the security of their products, ultimately improving patient safety and reducing the risk of costly data breaches or ransomware attacks.

    Key Takeaways for Medical Device Manufacturers

    • Know your information: Familiarize yourself with the MDS2 and JSP2 frameworks, as well as the specific labeling requirements set forth by the FDA and your target healthcare delivery organizations. Ensure that your engineering and documentation teams are prepared to provide the necessary information.
    • Know your audience: Tailor your cybersecurity labeling to the specific needs and technical expertise of your target users, whether they are healthcare IT administrators, clinicians, or patients. Balance technical details with clear, accessible language.
    • Use labeling as a tool for accountability: Embrace cybersecurity labeling as an opportunity to demonstrate the security of your medical devices and hold yourself accountable for addressing potential vulnerabilities. This transparency can be a competitive advantage in the market.

    By embracing the principles of comprehensive, transparent, and context-driven cybersecurity labeling, medical device manufacturers can not only meet regulatory requirements but also build trust with their customers, improve patient safety, and position themselves as leaders in the rapidly evolving landscape of medical technology security.


    How Blue Goat approaches this

    Our approach to medical device cybersecurity labeling focuses on clarity, compliance, and actionable intelligence. We assist manufacturers in developing disclosure statements that meet regulatory directives and stakeholder expectations. Our experts, including CISSP and OSCP certified engineers with ex-military red team experience, guide you through the intricacies of standards like MDS2 and JSP2, ensuring your labeling accurately reflects your device's security profile. We conduct thorough security assessments and help translate complex technical details into understandable security labels for healthcare providers. Our services streamline the process of preparing documentation for regulatory submissions. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. We aim to elevate your device's security communication, fostering trust with users and regulators. Our engagement strengthens your product's market position. Learn more about our FDA Premarket Cybersecurity Services.

    FAQ

    What is cybersecurity labeling for medical devices?

    Cybersecurity labeling for medical devices involves manufacturers providing information about security risks and mitigation strategies associated with their products. This empowers users to make informed decisions and holds manufacturers accountable for device security.

    How do MDS2 and JSP2 relate to cybersecurity labeling?

    MDS2 is a questionnaire detailing a product's security features, such as encryption and authentication. JSP2 provides guidance on configuring and integrating the device securely. Both standardize the communication of cybersecurity information.

    Does disclosing security information make devices more vulnerable?

    No, transparency through cybersecurity labeling does not inherently make devices more vulnerable. It incentivizes manufacturers to address security proactively and creates accountability, rather than relying on security through obscurity.

    How does the FDA view medical device cybersecurity labeling?

The FDA's February 3, 2026 final guidance describes the cybersecurity information the agency expects manufacturers to include in premarket submissions and in device labeling, so that users have what they need to deploy and operate the device securely.

    Why is it important to tailor labeling to the audience?

    Tailoring labeling ensures that information is accessible and understandable to different users, from technical IT administrators to general clinicians or patients. This balance between technical depth and clarity matters for effective communication.

    Does cybersecurity labeling increase manufacturer accountability?

    Yes, cybersecurity labeling serves as a powerful tool for accountability. It pressures manufacturers to prioritize security throughout the product lifecycle, as detailed disclosures can impact purchasing decisions and liability.

    Sources & references

Primary sources cited in this article.

1. U.S. FDA, Cybersecurity in Medical Devices (Final Guidance).

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.