
    How Can Medical Device Manufacturers Support Operational Cybersecurity?

    Postmarket medical device cybersecurity is a shared responsibility. See how manufacturers & healthcare organizations must collaborate to reduce operational risk.

    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published February 2026 · Last reviewed May 2026


    Medical device cybersecurity has a long lifecycle. Manufacturers put much of their effort into gaining clearance or approval from the Food and Drug Administration (FDA). FDA guidance documents are not themselves law, but since 2023 Section 524B of the FD&C Act has required premarket submissions for cyber devices to include a postmarket vulnerability-management plan, processes for delivering patches and updates, and a software bill of materials (SBOM), and the agency can reject submissions that lack them. Those obligations do not end at clearance: they continue once the device goes to market, where operational cybersecurity becomes a shared responsibility.

    Hospitals and healthcare organizations are deploying connected medical devices at an accelerating rate. The devices have become critical to diagnosis and care, but each one expands the attack surface. Healthcare is consistently among the most-attacked sectors, and its perimeter has inherent weaknesses.

    What’s the role of manufacturers in supporting operational cybersecurity?

    Post-Clearance: Medical Devices in Use and at Risk

    Once a medical device has been cleared or approved and is in clinical use, its risk rises. The device typically joins a hospital network, and how well that network defends it is outside the manufacturer's control.

    By that point the manufacturer has already produced an SBOM (software bill of materials) and a patching plan. When a vulnerability is confirmed in a fielded device, that plan has to be executed: assess the risk, communicate it to customers, and ship a patch or a compensating control on a defined timeline rather than ad hoc. The manufacturer has also tested the device extensively for security and resilience before release.

    All that work can be undone if the organization hosting the device has weak defenses. Perimeter controls alone are not enough, and simply maintaining visibility across a large estate of devices is a challenge for most healthcare security teams.

    Attacking a device directly is possible and could jeopardize care, but most criminals simply want the data healthcare holds. PII, PHI, and other sensitive records are highly valuable to them. A device can be the way in, which is where software vulnerabilities come into play, and manufacturers are responsible for watching those.

    What happens when the weakness is not in software? Social engineering and phishing remain attackers' preferred methods because they work, and AI-generated lures are making them more convincing, so more people end up exposing their credentials. If that is the path of a breach, the manufacturer had no part in the initial compromise, yet it can still be drawn into the blame if one of its devices sits on the affected network.

    Breach notifications have to state what happened and how, and if a device appears in that account, the manufacturer's reputation takes the damage.

    That’s why every stakeholder needs to collaborate.

    Medical Device Makers and Hospitals Working Together

    One of the biggest challenges in operational cybersecurity for medical devices is a disconnected landscape. The FDA's authority covers manufacturers and their submissions, and it can take enforcement action against them, but it does not oversee hospital networks and has not created formal collaborative groups between the two parties.

    Since that’s likely not a priority, manufacturers and healthcare organizations should form these task forces. Ultimately, both want devices to be secure and integrated into care regimes.

    By pooling resources and communicating regularly and effectively, everyone can form a more proactive stance on cybersecurity. Some key things they could put on the agenda include the following:

    1. Ensure all organizations have an accurate inventory of all medical devices.

    This has been a concern for some time, and it is not just newly purchased devices. There is a secondhand market for devices, and manufacturers often do not know where resold units end up. A device whose location is unknown cannot be notified of an advisory, patched, or updated.

    2. Integrate FDA guidance for manufacturers into healthcare cybersecurity frameworks.

    Many of the FDA's best practices and directives are relevant beyond the manufacturer. Healthcare organizations already have many data-security regulations to meet, but their frameworks often overlook the role of devices, usually because the expertise is lacking.

    3. Develop a cadence for penetration testing.

    Manufacturers and healthcare organizations should agree on this together and hire experts to perform the tests, scoping them to cover both the device and the network it sits on. A joint test teaches both sides more than any other single activity.

    4. Enable access to SBOMs.

    An SBOM is not a one-and-done deliverable. It needs to be updated with every firmware release, and making it accessible to the parties that depend on it provides transparency.
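    Items 1 and 4 above are two halves of the same postmarket workflow: a new advisory arrives, the manufacturer matches it against the SBOM of each firmware release, and the inventory tells both parties which fielded units are actually exposed. The script below is an added example (not code from this page or from Blue Goat Cyber) that walks that loop over constructed data: two CycloneDX-style SBOMs for a hypothetical pump firmware, one made-up advisory, and a four-unit inventory. Every component name, version, serial and advisory ID is invented for illustration and refers to no real product or CVE; the version comparison is a plain dotted-integer parse, not a full purl or semver implementation.

```python
"""Match a constructed advisory against per-firmware SBOMs, then map the hit
onto a device inventory to find which fielded units need a patch."""
import json

# Constructed CycloneDX-style SBOMs, one per firmware release of a hypothetical
# "IP-200" device. Component names and versions are made up for this example.
SBOMS_JSON = {
    "3.0": """{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "metadata": {"component": {"name": "IP-200 firmware", "version": "3.0"}},
      "components": [
        {"type": "library", "name": "acme-tls", "version": "2.3.9",
         "purl": "pkg:generic/acme-tls@2.3.9"},
        {"type": "library", "name": "acme-json", "version": "1.0.4",
         "purl": "pkg:generic/acme-json@1.0.4"}
      ]}""",
    "3.1": """{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "metadata": {"component": {"name": "IP-200 firmware", "version": "3.1"}},
      "components": [
        {"type": "library", "name": "acme-tls", "version": "2.4.1",
         "purl": "pkg:generic/acme-tls@2.4.1"},
        {"type": "library", "name": "acme-json", "version": "1.0.4",
         "purl": "pkg:generic/acme-json@1.0.4"}
      ]}""",
}

# Constructed advisory: affects acme-tls from 2.0.0 up to (not including) 2.4.1.
# The ID is a placeholder, not a real CVE.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "acme-tls",
     "introduced": "2.0.0", "fixed": "2.4.1"},
]

# Constructed inventory of fielded units. The last unit was resold and its
# location and firmware are unknown, the gap item 1 above describes.
INVENTORY = [
    {"serial": "IP200-0001", "site": "Hospital A", "firmware": "3.0"},
    {"serial": "IP200-0002", "site": "Hospital A", "firmware": "3.1"},
    {"serial": "IP200-0003", "site": "Hospital B", "firmware": "3.0"},
    {"serial": "IP200-0004", "site": None, "firmware": None},
]


def parse_version(text):
    """Turn '2.3.9' into (2, 3, 9) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def component_affected(component, advisory):
    """True if the component falls inside the advisory's [introduced, fixed) range."""
    if component["name"] != advisory["component"]:
        return False
    version = parse_version(component["version"])
    return (parse_version(advisory["introduced"]) <= version
            < parse_version(advisory["fixed"]))


def vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory_id) for every SBOM component an advisory hits."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in sbom.get("components", []):
        for advisory in advisories:
            if component_affected(component, advisory):
                hits.append((component["name"], component["version"], advisory["id"]))
    return hits


def triage_fleet(sboms, advisories, inventory):
    """Join SBOM hits to the inventory.

    Returns (affected, unknown): affected lists one record per unit/advisory
    pair that needs a patch; unknown lists serials whose firmware is missing or
    has no SBOM, which cannot be triaged at all.
    """
    per_firmware = {fw: vulnerable_components(s, advisories) for fw, s in sboms.items()}
    affected, unknown = [], []
    for unit in inventory:
        firmware = unit["firmware"]
        if firmware is None or firmware not in sboms:
            unknown.append(unit["serial"])
            continue
        for name, version, adv_id in per_firmware[firmware]:
            affected.append({"serial": unit["serial"], "site": unit["site"],
                             "firmware": firmware, "component": f"{name}@{version}",
                             "advisory": adv_id})
    return affected, unknown


if __name__ == "__main__":
    affected, unknown = triage_fleet(SBOMS_JSON, ADVISORIES, INVENTORY)
    for record in affected:
        print("PATCH:", record)
    for serial in unknown:
        print("UNKNOWN (cannot triage):", serial)
```

Two things the output makes concrete. Units on firmware 3.1 drop out of the list only because the 3.1 SBOM was regenerated after the fixed component went in; a stale SBOM would report them as vulnerable, or worse, an SBOM that was never regenerated for 3.0 would hide the exposure entirely. And the resold unit with no firmware or site lands in the unknown list, which is the inventory problem in item 1 expressed as data: nobody can tell that hospital to patch.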

    In addition to manufacturers and providers, these groups can also benefit from outside experts like our team. We focus specifically on the medical device space with services for any need. Get in touch to learn more.

    Related: The Rising Tide of Cyber Threats in Medical Devices: Understanding the Risks
