ISO 14971: Medical Device Risk Management

Updated November 30, 2025

When it comes to medical devices, a cybersecurity vulnerability isn’t just a technical flaw — it’s a patient safety risk. ISO 14971, the internationally recognized standard for medical device risk management, offers a proven framework for identifying, evaluating, and controlling risks throughout a device’s lifecycle. Historically applied to mechanical and clinical hazards, ISO 14971 now plays a pivotal role in addressing cybersecurity threats that could disrupt care, compromise patient data, or cause direct harm.


In 2025, the FDA reinforced the need to merge cybersecurity into existing safety processes by updating its Cybersecurity in Medical Devices guidance. Manufacturers are expected to integrate security into their quality systems, premarket submissions, and postmarket activities, and ISO 14971 is the ideal framework to facilitate this integration.

Why Cybersecurity Belongs in ISO 14971 Risk Management

Modern medical devices are more connected than ever, integrating with hospital networks, cloud platforms, mobile apps, and even patient-owned devices. This connectivity dramatically broadens the attack surface for malicious actors. A single unmitigated vulnerability could:

  • Interrupt life-sustaining therapies or diagnostics
  • Expose protected health information (PHI)
  • Be exploited to alter device performance in dangerous ways

The FDA explicitly treats cybersecurity risks as safety and effectiveness risks under the FD&C Act, not just “IT problems.” That means security issues such as loss of integrity, loss of availability, loss of confidentiality, and unauthorized access belong in the same risk management framework as electrical, mechanical, and usability hazards.

ISO 14971:2019 provides a ready-made structure for this. Cybersecurity fits naturally into the standard’s activities:

  • Hazard identification:
    Treat threat scenarios (e.g., unauthorized remote access, ransomware, tampering with configuration) as hazards and hazardous situations.
  • Risk analysis and evaluation:
    Estimate the probability and severity of cyber-initiated harms such as delayed therapy, incorrect dosage, or disclosure of PHI, and decide whether the risk is acceptable.
  • Risk control:
    Define and verify technical and procedural controls (authentication, encryption, logging, hardening, network segregation) as formal risk control measures, not ad-hoc “IT settings.”
  • Residual risk and benefit–risk:
    Document residual cybersecurity risk the same way you do clinical risk, and justify it in the overall benefit–risk determination.
  • Postmarket surveillance:
    Feed vulnerability disclosures, incident reports, and threat intelligence back into the ISO 14971 process to update your risk management file and controls.

📌 Pro Tip from Blue Goat Cyber

Integrating cybersecurity into ISO 14971 early in development is not just about compliance—it’s a way to:

  • Align with FDA expectations,
  • Streamline SPDF and submission reviews, and
  • Demonstrate to customers that your device’s safety, security, and performance are being managed with the same rigor from concept through postmarket.

Step-by-Step: Applying ISO 14971 to Cybersecurity

The ISO 14971 risk management process maps cleanly to medical device cybersecurity. You’re essentially treating cyber threats as another source of hazards and hazardous situations.

0. Plan Your Cybersecurity Risk Management Activities

Before diving in, define in your risk management plan how cybersecurity will be handled, including its scope, roles, methods (e.g., threat modeling, penetration testing), and how cyber risks are integrated into your SPDF and postmarket processes.

1. Hazard Identification (Cyber Threat Scenarios)

Document potential cybersecurity hazards and hazardous situations that could impact safety and essential performance, such as:

  • Unauthorized access to configuration or therapy settings
  • Malware injection or ransomware on the device or its ecosystem
  • Data tampering (e.g., altered measurements, logs, or commands)
  • Denial-of-service or resource exhaustion that interrupts therapy

This step benefits from formal threat modeling (e.g., STRIDE, attack trees) and reviewing your architecture, interfaces, and SBOM.

2. Risk Analysis (Exploitability + Harm)

For each cyber hazard, assess:

  • Exploitability/likelihood (consider attacker skill, exposure, existing controls)
  • Potential clinical harm (therapy delay, incorrect dose, misdiagnosis, PHI exposure, etc.)

Example: a vulnerability in the wireless update mechanism could allow malicious firmware installation, potentially stopping or altering life-sustaining therapy.

3. Risk Evaluation (Acceptability Decisions)

Determine which cybersecurity risks exceed your acceptable risk criteria.

In cybersecurity, it’s common to treat even low-likelihood risks as unacceptable when the potential harm is severe (e.g., death or serious injury), especially for network-accessible or remotely exploitable issues.

4. Risk Control (Technical and Procedural Measures)

Select and implement risk control measures, such as:

  • Strong, role-based authentication and access control
  • End-to-end encryption for data in transit and at rest
  • Network segmentation guidance and firewall rules
  • Secure software update mechanisms (signed updates, rollback protection)
  • Hardening measures (disabling unused services, ports, and default accounts)

Document these controls in both the risk management file and your cybersecurity labeling so users can deploy and operate the device securely.

5. Residual Risk Assessment (Including Cyber Residual Risk in Labeling)

After controls are applied:

  • Re-estimate the residual cybersecurity risk
  • Decide if residual risk is acceptable when weighed against clinical benefit
  • Ensure that any remaining cyber risks are documented and clearly communicated in your Instructions For Use (IFU) / cybersecurity labeling, including compensating controls and user responsibilities.

6. Postmarket Surveillance and Continuous Improvement

Cyber threats evolve, so ISO 14971 risk management doesn’t stop at launch. For cybersecurity, post-production activities should include:

  • Monitoring vulnerability feeds and advisories for SBOM components
  • Updating SBOMs and reassessing risk when new CVEs are published
  • Participating in coordinated vulnerability disclosure (CVD) programs
  • Feeding field incidents and near-misses back into the risk management file and SPDF

Example: Applying ISO 14971 to a Wireless Infusion Pump

A manufacturer developing a wireless infusion pump identifies a cybersecurity hazard: unauthorized wireless commands that could change infusion parameters.

1. Hazard Identification

  • Hazard: Unauthorized access to the wireless control channel.
  • Hazardous situation: An attacker or unauthorized user sends commands that change the infusion rate or stop therapy.

2. Risk Analysis

  • Exploitability: Medium — device uses Wi-Fi in a hospital network with moderate exposure, but is not Internet-facing.
  • Potential harm: High — incorrect dosage delivery could cause serious injury or death.
  • Risk estimation: Medium likelihood × high severity → unacceptable without controls.

3. Risk Evaluation

  • Based on the manufacturer’s risk acceptability criteria, this risk exceeds acceptable thresholds and must be mitigated.
  • Decision: Implement multiple, layered technical and procedural controls.

4. Risk Control

Implemented controls include:

  • WPA3-Enterprise Wi-Fi with certificate-based mutual authentication
  • Mutual device–server authentication before accepting any remote commands
  • Role-based access control for clinical users vs. biomed/IT admins
  • Signed firmware and command validation to prevent tampering
  • Intrusion detection/alerting if repeated failed authentication attempts occur or anomalous command patterns are detected

These controls are documented in:

  • The risk management file (as risk control measures), and
  • The cybersecurity labeling/IFU, with concrete configuration steps for hospital IT and biomedical teams.

5. Residual Risk Assessment

After controls are implemented:

  • Residual likelihood: Low, given strong authentication, encryption, and monitoring.
  • Residual severity: Still High (if compromised, harm could be serious).
  • Overall residual risk: Acceptable within the manufacturer’s criteria, provided the device is deployed according to the labeling (e.g., network isolation, RBAC).
  • Residual risk is clearly documented in the labeling, along with operational recommendations such as network segmentation and account management practices.

6. Postmarket Surveillance

The manufacturer defines a postmarket cybersecurity plan that includes:

  • Regular penetration testing for the wireless stack and update mechanism
  • Continuous monitoring of SBOM components (e.g., Wi-Fi stack, crypto libraries, OS) for new CVEs
  • A coordinated vulnerability disclosure (CVD) process with a public contact channel
  • Procedures to release security advisories, patches, and updated labeling if risk changes

This ISO 14971–aligned approach not only addresses FDA expectations for integrating cybersecurity into risk management, but it also demonstrates to hospital procurement and security teams that the wireless infusion pump is designed, documented, and maintained to meet stringent cybersecurity and patient safety standards.
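The following is an added example, not code from the original article or from Blue Goat Cyber, that encodes the infusion pump scenario above as a risk register entry and walks steps 2 through 5 programmatically: initial likelihood × severity estimation, comparison against an acceptability criterion, re-estimation of residual risk after controls, and a traceability check from hazard to control to verification test to labeling. The 3×3 qualitative scale, the acceptability rule (scores above 3 are unacceptable) and the `VT-SEC-*` test identifiers are assumptions chosen for the illustration.

```python
"""Constructed ISO 14971-style cyber risk register entry for the wireless
infusion pump example. Added illustration only: the 3x3 scale, the
acceptability rule and the test IDs are assumptions, not the manufacturer's."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    measure: str        # risk control measure as recorded in the risk file
    verification: str   # ID of the verification test (assumed naming scheme)
    in_labeling: bool   # True if the IFU/cybersecurity labeling covers it


@dataclass
class CyberHazard:
    hazard: str
    hazardous_situation: str
    harm: str
    likelihood: Level                     # exploitability before controls
    severity: Level                       # severity of the clinical harm
    controls: List[Control] = field(default_factory=list)
    residual_likelihood: Optional[Level] = None
    residual_severity: Optional[Level] = None
    residual_in_labeling: bool = False    # residual risk disclosed in labeling


def risk_score(likelihood: Level, severity: Level) -> int:
    """Qualitative likelihood x severity on a 3x3 matrix (constructed scale)."""
    return int(likelihood) * int(severity)


def is_acceptable(likelihood: Level, severity: Level) -> bool:
    """Constructed criterion: scores above 3 are unacceptable, so a HIGH
    severity harm is only tolerable at LOW likelihood."""
    return risk_score(likelihood, severity) <= 3


def evaluate(h: CyberHazard) -> dict:
    """Walk steps 2-5 for one hazard and collect traceability gaps."""
    report = {
        "hazard": h.hazard,
        "initial_score": risk_score(h.likelihood, h.severity),
        "initial_acceptable": is_acceptable(h.likelihood, h.severity),
        "gaps": [],
    }
    if report["initial_acceptable"]:
        return report                     # criterion requires no controls
    if not h.controls:
        report["gaps"].append("unacceptable risk has no risk control measures")
    for c in h.controls:                  # hazard -> control -> test -> labeling
        if not c.verification:
            report["gaps"].append(f"control '{c.measure}' has no verification test")
    if h.residual_likelihood is None or h.residual_severity is None:
        report["gaps"].append("residual risk not re-estimated after controls")
        return report
    residual_ok = is_acceptable(h.residual_likelihood, h.residual_severity)
    if h.residual_severity == Level.HIGH and not h.residual_in_labeling:
        # Severe residual harm that depends on deployment conditions must be
        # communicated to users; treat undisclosed residual risk as open.
        report["gaps"].append("severe residual risk not disclosed in labeling")
        residual_ok = False
    report["residual_score"] = risk_score(h.residual_likelihood, h.residual_severity)
    report["residual_acceptable"] = residual_ok
    return report


def pump_hazard() -> CyberHazard:
    """The article's infusion pump scenario, encoded with constructed test IDs."""
    return CyberHazard(
        hazard="Unauthorized access to the wireless control channel",
        hazardous_situation="Attacker sends commands that change infusion rate or stop therapy",
        harm="Incorrect dosage delivery leading to serious injury or death",
        likelihood=Level.MEDIUM,
        severity=Level.HIGH,
        controls=[
            Control("WPA3-Enterprise with certificate-based mutual auth", "VT-SEC-001", True),
            Control("Mutual device-server authentication before commands", "VT-SEC-002", False),
            Control("Role-based access control for clinical vs. admin users", "VT-SEC-003", True),
            Control("Signed firmware and command validation", "VT-SEC-004", False),
            Control("Alerting on repeated auth failures / anomalous commands", "VT-SEC-005", True),
        ],
        residual_likelihood=Level.LOW,
        residual_severity=Level.HIGH,
        residual_in_labeling=True,
    )


def pump_report() -> dict:
    return evaluate(pump_hazard())


if __name__ == "__main__":
    for key, value in pump_report().items():
        print(f"{key}: {value}")
```

Running the block prints the pump entry with an initial score of 6 (unacceptable) and a residual score of 3 (acceptable, because the residual risk is disclosed in labeling). Removing `residual_in_labeling=True` or clearing a control's `verification` field surfaces the corresponding gap, which is the kind of check a reviewer applies to a risk management file before submission.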


Best Practices for Cybersecurity in ISO 14971

Use ISO 14971 as the foundation for managing cybersecurity risk, not just as a compliance exercise. These practices help bridge FDA cybersecurity expectations with your existing risk processes:

  • Integrate with your SPDF
    Align cybersecurity risk management with your Secure Product Development Framework (SPDF) so security is built in, not bolted on. Ensure that threat modeling, security testing, and risk reviews are formalized activities in your design and development plan, and that their outputs flow directly into the risk management file and are properly labeled.
  • Use structured threat modeling
    Don’t rely on ad-hoc brainstorming. Apply a consistent threat modeling approach (e.g., data-flow diagrams plus STRIDE or attack trees) to identify attacker goals, entry points, and abuse scenarios early. Feed these threat scenarios into ISO 14971 as hazards and hazardous situations.
  • Maintain a robust, living SBOM
    Track all third-party and open-source components, versions, and where they’re used. Use the SBOM for:
    • Pre-market risk analysis (e.g., crypto libraries, OS, network stacks)
    • Ongoing monitoring of new CVEs postmarket
    • Supporting your cybersecurity labeling and communication with customers
  • Drive cross-functional participation
    Cybersecurity risk management isn’t just for engineers. Involve:
    • Quality and Regulatory to ensure ISO 14971 and FDA expectations are met
    • Clinical and usability experts to understand real-world harm scenarios
    • IT, security, and HTM stakeholders to validate assumptions about deployment environments
  • Ensure traceability and evidence
    Maintain clear links from cyber hazards → risk controls → verification tests → labeling. This traceability makes ISO 14971 reviews smoother and shows regulators and customers that cybersecurity is being managed with the same rigor as other safety risks.
  • Plan for lifecycle updates
    Build in processes for re-running risk analysis when you change architecture, introduce new connectivity, or update third-party components. Tie this to postmarket surveillance so new vulnerabilities or field incidents trigger ISO 14971 updates and, when needed, updated cybersecurity labeling.

Common Pitfalls to Avoid

Even mature teams fall into patterns that undermine their cybersecurity risk management under ISO 14971. Watch out for these:

  • Treating cybersecurity separately from safety risk management
    Handling cyber risk in a standalone “IT risk” track, rather than integrating it into ISO 14971, leads to two conflicting risk stories: one for safety and one for security. The FDA expects cybersecurity risks to be treated in the same manner as safety and effectiveness risks, with hazards, controls, and residual risk documented within the same framework.
  • Failing to reassess risks after software updates or environment changes
    Rolling out new features, connectivity options, or component updates (OS, libraries, cloud services) without re-running risk analysis is a common gap. Every meaningful change to the architecture, SBOM, or intended use environment should trigger a cybersecurity risk review and, when needed, updated controls and labeling.
  • Not disclosing known vulnerabilities in labeling
    Some manufacturers avoid mentioning known vulnerabilities or residual risks for fear of alarming customers. Regulators and hospital security teams see that as a red flag. Known issues, compensating controls, and residual risk must be clearly communicated in cybersecurity labeling so that users can manage the risk responsibly.
  • Over-relying on IT security tools without clinical safety context
    Assuming firewalls, NAC, or endpoint protection will “take care of it” ignores how cyber events translate into clinical harm. For example, an aggressive network control that blocks device communications can delay or interrupt therapy. Cyber controls need to be evaluated through a clinical safety lens, not just an IT one.

A clear, integrated approach that avoids these pitfalls makes your ISO 14971 process more defensible with FDA reviewers and more credible with hospital security and procurement teams.

Partner with Blue Goat Cyber for Risk Management Excellence

At Blue Goat Cyber, we help medical device manufacturers implement ISO 14971-compliant cybersecurity risk management that satisfies FDA, EU MDR, and other global requirements. From threat modeling to SBOM development and postmarket monitoring, our experts ensure your devices are secure, compliant, and ready for market.

Don’t wait until a vulnerability becomes a recall. Contact us today to strengthen your risk management process and protect your devices and reputation.

ISO 14971 FAQs

ISO 14971 is an international standard for the application of risk management to medical devices. It provides a structured framework for identifying, evaluating, controlling, and monitoring risks associated with both product safety and performance—including cybersecurity risks.

ISO 14971 helps manufacturers integrate cybersecurity risks into their overall risk management process. This includes assessing threats like unauthorized access, data breaches, or system manipulation, and applying controls to reduce those risks to acceptable levels.

While not legally required, ISO 14971 is widely recognized by the FDA and the EU MDR as a best-practice framework for risk management. Applying ISO 14971 can significantly strengthen your cybersecurity documentation in premarket submissions.

Safety risk is typically related to device malfunction or failure, while cybersecurity risk involves intentional threats like hacking or unauthorized access. However, both can impact patient safety, so ISO 14971 treats them within the same risk management structure.

Yes. ISO 14971 requires you to identify foreseeable hazards, including software-related threats. Vulnerabilities such as buffer overflows, hardcoded passwords, or weak authentication mechanisms must be evaluated for impact and likelihood.

The risk management file is a living document that includes all records of identified risks, analyses, decisions, and mitigations. For cybersecurity, this would include threat models, mitigation strategies, and postmarket surveillance plans.

Indirectly, yes. ISO 14971 emphasizes continuous risk evaluation. For cybersecurity, this means ongoing monitoring of new threats, updating risk assessments, and managing patches or software updates as part of lifecycle risk control.

Both ISO 14971 and the FDA’s guidance stress proactive, risk-based approaches. Incorporating ISO 14971 into your cybersecurity program aligns well with FDA expectations for secure design, documentation, and vulnerability response.

Relevant companion standards include:

  • AAMI TIR57 – Cybersecurity risk management in medical devices
  • IEC 81001-5-1 – Secure software development
  • ISO/IEC 27001 – Information security management systems

These provide technical depth where ISO 14971 provides the overall risk management framework.

Blue Goat Cyber helps manufacturers:

  • Perform cyber-specific risk assessments
  • Build FDA and ISO 14971-compliant risk files
  • Conduct penetration testing and threat modeling
  • Align cybersecurity controls with safety and performance objectives

We streamline compliance while enhancing device security and patient safety.

Yes — while it began as a safety-focused standard, it applies equally to cybersecurity threats that could impact a device’s safety and effectiveness.

The FDA expects cybersecurity to be integrated into the overall risk management process. ISO 14971 provides a recognized framework for doing so.

Absolutely. Postmarket monitoring is critical for identifying new vulnerabilities and updating risk controls accordingly.
