

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: February 16, 2026 · Last reviewed: May 1, 2026

    How Can Medical Device Manufacturers Support Operational Cybersecurity?

    Direct answer

    Medical device manufacturers support operational cybersecurity by collaborating with healthcare organizations to share device data, provide updated SBOMs, and integrate FDA guidance into cybersecurity frameworks. This partnership helps manage device vulnerabilities and secures sensitive patient information. Such collaboration ensures alignment on cybersecurity best practices and facilitates a proactive response to emerging threats in the operational environment, spanning beyond initial premarket approvals into the entire device lifecycle within clinical settings.

    Medical device cybersecurity has a long lifecycle. Manufacturers put much of their effort into gaining clearance or approval from the Food and Drug Administration (FDA). FDA guidance documents are not law in themselves, but Section 524B of the FD&C Act now requires cyber devices to ship with an SBOM and a plan for addressing postmarket vulnerabilities, and the agency can reject a premarket submission that omits them. Those obligations do not end at clearance: once the device goes to market, operational cybersecurity becomes a shared responsibility.

    Hospitals and healthcare organizations are deploying more connected medical devices than ever. Devices have become critical to diagnosis and care, but each one expands the attack surface. Healthcare is consistently among the most-attacked industries, and its perimeter has well-known weaknesses.

    What’s the role of manufacturers in supporting operational cybersecurity?

    Key Takeaways

    • Postmarket cybersecurity requires manufacturer-provider collaboration.
    • Shared responsibility for device security post-approval.
    • Manufacturers provide SBOMs and patch plans.
    • Healthcare organizations need accurate device inventories.
    • Integrate FDA guidance into healthcare frameworks.
    • Regular penetration testing benefits both parties.


    Why this matters

    The FDA's Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 3, 2026 final guidance) made cybersecurity documentation a gating criterion for clearance under Section 524B of the FD&C Act. Reviewers now apply this guidance to the postmarket and operational side of device security the same way they apply software lifecycle expectations from IEC 62304 and security risk-management expectations from AAMI TIR57 and ANSI/AAMI SW96:2023.

    Gaps in this area are the single most common driver of first-cycle cybersecurity Additional Information (AI) requests. The FDA's FY2024 CDRH performance reports show cybersecurity is among the top deficiency categories cited in 510(k) and PMA AI letters, behind only software documentation and clinical evidence. Treating it as a checklist exercise rather than a design-controlled engineering artifact is what creates the gap.

    Post-Clearance: Medical Devices in Use and at Risk

    Once a medical device is cleared and in use, risk rises. Devices typically join a hospital network, and whether that network provides a strong defense is outside the manufacturer's control.

    Before this point, device makers have created an SBOM (software bill of materials) and a patching plan. When they learn of a vulnerability, they must assess it and issue the update promptly. They have also tested the device extensively to confirm it is secure and resilient.

    All that work can be undone if the hosting organization has a weak defense. Perimeter controls on their own are notoriously ineffective, and simply maintaining visibility across an extensive fleet of devices challenges most healthcare security teams.

    While compromising a device directly is possible and could jeopardize care, most cyber criminals simply want the data healthcare holds. PII, PHI, and other sensitive information are valuable to them, and a medical device can be the way in, which is where software vulnerabilities come into play. Manufacturers are watching those.

    What happens when the weakness isn't in software? Social engineering and phishing are attackers' preferred methods because they work, and AI is supercharging them, with victims exposing their credentials. If that is the path to a breach, the manufacturer isn't part of the chain, but it can still end up taking the blame.

    Breach notification rules require disclosing how the breach happened, and if a device is named as part of it, the manufacturer's reputation suffers.

    That’s why every stakeholder needs to collaborate.

    Medical Device Makers and Hospitals Working Together

    One of the biggest challenges in operational cybersecurity for medical devices is a disconnected landscape. The FDA has purview over clearances and approvals and can take enforcement action against noncompliant manufacturers, but it has not gone as far as creating collaborative groups between the parties.

    Since that’s likely not a priority, manufacturers and healthcare organizations should form these task forces. Ultimately, both want devices to be secure and integrated into care regimes.

    By pooling resources and communicating regularly and effectively, everyone can form a more proactive stance on cybersecurity. Some key things they could put on the agenda include the following:

    1. Ensure all organizations have an accurate inventory of all medical devices.

    This has been a concern for some time. It's not just newly purchased devices: there is a secondhand market, and manufacturers often don't know where those devices end up. If they don't know where a device is, they can't patch or update it.

    2. Integrate FDA guidance for manufacturers into healthcare cybersecurity frameworks.


    Many of the best practices and directives have relevance beyond the manufacturer. Healthcare organizations have plenty of data security regulations to follow, but they often overlook the role of devices, usually because they lack the expertise.

    3. Develop a cadence for penetration testing.

    Manufacturers and healthcare organizations should align on this and engage experts to perform the tests. Collectively, you'll learn more from pen testing than from anything else.

    4. Enable access to SBOMs.

    An SBOM is not a one-and-done artifact. It must be updated whenever the device software changes, and making it accessible to the parties who operate the device gives them the transparency they need to check deployed firmware for known vulnerable components.
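Items 1 and 4 above come together in practice when a hospital's device inventory is matched against the manufacturer's SBOM for each firmware version and then against a vulnerability feed. The following Python script is an added example, not code from the original article or from Blue Goat Cyber. Every device model, asset tag, component name, version and advisory ID in it is constructed for illustration, and the advisory feed format is a simplified stand-in for a real source; it also shows the failure mode item 1 describes, a fielded device whose firmware has no SBOM on file.

```python
"""Match a deployed-device inventory against per-firmware SBOMs and a
vulnerability feed to find which fielded devices carry an affected component.

All data below is constructed for illustration: models, assets, component
names, versions and advisory IDs are hypothetical, not real products or CVEs.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOMs, one per firmware version of a hypothetical
# infusion pump model "PumpX". Only the fields this example needs are present.
SBOMS_JSON: Dict[Tuple[str, str], str] = {
    ("PumpX", "2.3.0"): json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libtls-example", "version": "1.4.2"},
            {"type": "library", "name": "rtos-net-example", "version": "3.0.1"},
        ]}),
    ("PumpX", "2.4.0"): json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libtls-example", "version": "1.5.0"},
            {"type": "library", "name": "rtos-net-example", "version": "3.0.1"},
        ]}),
}

# Constructed advisory feed: affected versions are [affected_from, fixed_in).
ADVISORIES: List[dict] = [
    {"id": "ADV-EXAMPLE-001", "component": "libtls-example",
     "affected_from": "1.0.0", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-002", "component": "rtos-net-example",
     "affected_from": "3.0.0", "fixed_in": "3.0.2"},
]

# Constructed hospital inventory, as an asset-management export might look.
# OR-PUMP-07 runs firmware the manufacturer has no SBOM for (e.g. a secondhand
# unit that was never registered), which the report must flag rather than skip.
INVENTORY: List[dict] = [
    {"asset": "ICU-PUMP-01", "model": "PumpX", "firmware": "2.3.0"},
    {"asset": "ICU-PUMP-02", "model": "PumpX", "firmware": "2.4.0"},
    {"asset": "OR-PUMP-07", "model": "PumpX", "firmware": "2.1.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (1.4.2 -> (1, 4, 2)); enough for this example."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi, i.e. the component is affected and unfixed."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def components_for(model: str, firmware: str) -> Optional[List[dict]]:
    """Load the SBOM for a model/firmware pair; None when no SBOM is on file."""
    raw = SBOMS_JSON.get((model, firmware))
    if raw is None:
        return None
    return json.loads(raw)["components"]


def affected_components(components: List[dict], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (advisory id, component, version) for every vulnerable component."""
    hits = []
    for comp in components:
        for adv in advisories:
            if comp["name"] == adv["component"] and in_range(
                comp["version"], adv["affected_from"], adv["fixed_in"]
            ):
                hits.append((adv["id"], comp["name"], comp["version"]))
    return hits


def assess_inventory(inventory: List[dict], advisories: List[dict]) -> Dict[str, dict]:
    """Map each asset tag to a status ('clear', 'affected', 'no-sbom') and findings."""
    report: Dict[str, dict] = {}
    for dev in inventory:
        comps = components_for(dev["model"], dev["firmware"])
        if comps is None:
            # A device with no SBOM cannot be assessed; surface it as a gap.
            report[dev["asset"]] = {"status": "no-sbom", "findings": []}
            continue
        hits = affected_components(comps, advisories)
        report[dev["asset"]] = {
            "status": "affected" if hits else "clear",
            "findings": hits,
        }
    return report


if __name__ == "__main__":
    for asset, result in assess_inventory(INVENTORY, ADVISORIES).items():
        print(f"{asset}: {result['status']} {result['findings']}")
```

Run as-is, the report flags ICU-PUMP-01 for both advisories, ICU-PUMP-02 only for the network stack (its TLS library is at the fixed version), and OR-PUMP-07 as "no-sbom", which is exactly the device the inventory task force needs to chase down. In a real deployment the SBOM lookup would read the manufacturer's published CycloneDX or SPDX files and the advisory list would come from a vulnerability database, but the join logic is the same.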

    In addition to manufacturers and providers, these groups can also benefit from outside experts like our team. We focus specifically on the medical device space with services for any need. Get in touch to learn more.

    How Blue Goat approaches this

    Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We treat cybersecurity documentation as design-controlled engineering output, not a submission template: every artifact (threat model, SBOM, security risk assessment, penetration test, labeling) traces back to a controlled requirement and a verified result.

    Our engagements deliver the full Feb 3, 2026 guidance documentation set scoped to the device's risk profile, integrated with the existing IEC 62304 software lifecycle and ISO 14971 risk file. See our medical device cybersecurity services for the full scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    What is operational cybersecurity for medical devices?

    Operational cybersecurity for medical devices addresses securing devices once they are deployed and in use within healthcare environments, extending beyond initial premarket approval. It involves ongoing management of vulnerabilities, data protection, and incident response.

    How does the FDA influence postmarket device cybersecurity?

    The FDA influences postmarket device cybersecurity by issuing guidance that manufacturers adhere to during premarket submissions, including cybersecurity controls. While the agency doesn’t dictate all operational aspects, its frameworks impact device design for security.

    Why is an SBOM important for operational cybersecurity?

    An SBOM (Software Bill of Materials) is important for operational cybersecurity as it provides transparency into device software components. This allows healthcare organizations and manufacturers to identify and address known vulnerabilities proactively.

    How can manufacturers and healthcare providers collaborate on cybersecurity?

    Manufacturers and healthcare providers can collaborate by sharing device inventories, integrating relevant FDA guidance into security practices, conducting joint penetration testing, and ensuring active access to updated SBOMs for deployed devices.

    Does the FDA mandate collaboration between manufacturers and providers?

    The FDA encourages cybersecurity best practices but does not currently mandate specific collaborative entities between manufacturers and providers for operational cybersecurity. Such collaboration is typically initiated by the involved parties.

    What role do external experts play in medical device operational cybersecurity?

    External experts, like cybersecurity consultants, can provide specialized knowledge and services such as penetration testing, risk assessments, and guidance on implementing secure operational practices for both manufacturers and healthcare organizations.


    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.

    Sources & references

    Primary sources cited in this article.

    1. U.S. FDA, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (guidance).