
    NFC & RFID Security in Medical Devices: A §524B-Aligned Guide

    The complete guide to NFC and RFID cybersecurity for FDA-regulated medical devices - vulnerabilities, threat modeling, test evidence, and §524B / SPDF documentation.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber


    Reviewed by Trevor Slattery

    COO · Blue Goat Cyber

    Published: October 22, 2024 · Last reviewed: May 1, 2026

    Near-Field Communication (NFC) and Radio-Frequency Identification (RFID) are everywhere in modern MedTech - patient-ID wristbands, surgical instrument tracking, sterile supply consumption, implant interrogation, drug-vial authentication, and clinician-programmer pairing. They are also two of the most consistently under-tested attack surfaces in FDA premarket submissions.

    This guide consolidates Blue Goat Cyber's coverage of NFC and RFID into a single reference for medical device manufacturers preparing 510(k), De Novo, or PMA submissions under the 2026 FDA cybersecurity review posture - Section 524B of the FD&C Act, the September 2023 FDA premarket cybersecurity guidance, AAMI TIR57/TIR97, and IEC 81001-5-1.

    Why NFC & RFID Get Flagged in FDA Reviews

    Reviewers in 2026 are explicitly looking for three things on any short-range wireless interface:

    1. A threat model that treats the air interface as untrusted - every NFC/RFID interaction must be modeled as if an attacker is within range.
    2. Patient-harm linkage via ISO 14971 - what happens if a tag is cloned, replayed, or spoofed? Wrong-patient identification, wrong-dose delivery, or implant misconfiguration are textbook §524B harms.
    3. Test evidence in the SPDF - vulnerability scanning alone is not enough; reviewers want exploitation attempts, results, and SBOM-linked component triage.

    NFC vs. RFID: The Practical Differences for MedTech

    | Property | RFID (LF/HF/UHF) | NFC (subset of HF RFID, 13.56 MHz) |
    | --- | --- | --- |
    | Typical range | Centimeters to ~12 m (UHF) | < 4 cm |
    | MedTech use cases | Asset tracking, sterile supply, implant interrogation | Patient ID wristbands, clinician-device pairing, drug authentication |
    | Authentication | Often none (passive tags) | Optional (NDEF + signed records) |
    | Replay/cloning risk | High for low-cost tags (EM4100, T55x7) | Lower but real (Mifare Classic still in field) |
    | §524B relevance | Postmarket monitoring + IFU controls | Premarket threat model + access control evidence |

    Range matters enormously. UHF RFID asset trackers can be read from across a hospital corridor; NFC requires near-physical proximity. Both still fail patient-safety risk analysis if cloning leads to wrong-patient or wrong-device action.

    Top NFC Vulnerabilities Affecting Medical Devices

    1. Tag cloning (Mifare Classic, NTAG21x without PWD) - trivial with a Proxmark3 or even a smartphone. If patient identity, dose authorization, or device pairing depends on tag UID, you have a §524B-relevant flaw.
    2. Eavesdropping at extended range - directional antennas push the practical 4 cm range to 30+ cm in lab conditions. Unencrypted NDEF records are exposed.
    3. Relay attacks - Proxmark-style relays defeat proximity assumptions. Particularly relevant for clinician-programmer pairing flows.
    4. NDEF injection - malformed NDEF records crash or compromise mobile companion apps. Fuzz the NDEF parser as part of mobile pen testing.
    5. Downgrade attacks - many tags fall back to a weaker authentication mode when the reader offers one. The threat model must enumerate the negotiated-protocol matrix.
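Item 4 asks for the NDEF parser to be fuzzed; the block below is an added example, not code from the original article or from Blue Goat Cyber, of what a bounds-checked parser for that format looks like and how a mutation loop checks it. The record layout follows the NDEF header (MB/ME/CF/SR/IL flags plus TNF, then type, payload and optional ID lengths); the sample message, the two malformed messages and the `max_payload` policy limit are constructed assumptions.

```python
import random
from collections import namedtuple

# NDEF record header flag bits and the TNF value used here.
FLAG_MB, FLAG_ME, FLAG_CF, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01
NdefRecord = namedtuple("NdefRecord", "tnf type id payload")

class NdefError(ValueError):
    """The only exception a clean parse may raise on hostile input; callers reject the tag."""

def parse_ndef_message(data: bytes, max_payload: int = 4096) -> list:
    """Parse a whole NDEF message, checking every length field before it is used."""
    records, pos, n, first = [], 0, len(data), True
    while True:
        if pos >= n:
            raise NdefError("message ended before a record with ME set")
        hdr, pos = data[pos], pos + 1
        tnf = hdr & 0x07
        if tnf == 0x07:
            raise NdefError("reserved TNF value")
        if first != bool(hdr & FLAG_MB):
            raise NdefError("MB flag inconsistent with record position")
        if hdr & FLAG_CF:
            raise NdefError("chunked records are not accepted")
        fixed = 1 + (1 if hdr & FLAG_SR else 4) + (1 if hdr & FLAG_IL else 0)
        if pos + fixed > n:
            raise NdefError("record header truncated")
        type_len, pos = data[pos], pos + 1
        if hdr & FLAG_SR:
            payload_len, pos = data[pos], pos + 1
        else:
            payload_len, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if hdr & FLAG_IL:
            id_len, pos = data[pos], pos + 1
        if payload_len > max_payload:
            raise NdefError("payload length exceeds policy limit")
        if pos + type_len + id_len + payload_len > n:
            raise NdefError("record body truncated")
        rec_type, pos = bytes(data[pos:pos + type_len]), pos + type_len
        rec_id, pos = bytes(data[pos:pos + id_len]), pos + id_len
        payload, pos = bytes(data[pos:pos + payload_len]), pos + payload_len
        records.append(NdefRecord(tnf, rec_type, rec_id, payload))
        first = False
        if hdr & FLAG_ME:
            if pos != n:
                raise NdefError("trailing bytes after the ME record")
            return records

def decode_text_record(rec: NdefRecord) -> tuple:
    """Decode a well-known 'T' record to (language, text), validating the status byte."""
    if rec.tnf != TNF_WELL_KNOWN or rec.type != b"T":
        raise NdefError("not a text record")
    if not rec.payload:
        raise NdefError("text record without status byte")
    status = rec.payload[0]
    lang_len = status & 0x3F
    if 1 + lang_len > len(rec.payload):
        raise NdefError("language code overruns payload")
    encoding = "utf-16" if status & 0x80 else "utf-8"
    try:
        lang = rec.payload[1:1 + lang_len].decode("ascii")
        text = rec.payload[1 + lang_len:].decode(encoding)
    except UnicodeDecodeError as exc:
        raise NdefError("undecodable text payload") from exc
    return lang, text

# Constructed inputs: a valid text record "Hello" (lang "en") and two malformed messages.
SAMPLE_TEXT_MESSAGE = bytes.fromhex("d101085402656e48656c6c6f")
TRUNCATED_MESSAGE = bytes.fromhex("d101ff54")     # claims 255 payload bytes, supplies none
BAD_LANG_MESSAGE = bytes.fromhex("d10102543f41")  # language length 63 inside a 2-byte payload

def is_rejected(data: bytes) -> bool:
    """True when parsing plus text decoding fails with a clean NdefError."""
    try:
        for rec in parse_ndef_message(data):
            if rec.tnf == TNF_WELL_KNOWN and rec.type == b"T":
                decode_text_record(rec)
    except NdefError:
        return True
    return False

def fuzz_parser(seed: int = 0, iterations: int = 2000) -> int:
    """Mutate and truncate the sample; count failures that are not a clean NdefError."""
    rng, crashes = random.Random(seed), 0
    for _ in range(iterations):
        m = bytearray(SAMPLE_TEXT_MESSAGE)
        for _ in range(rng.randint(1, 3)):
            m[rng.randrange(len(m))] = rng.randrange(256)
        if rng.random() < 0.3:
            m = m[:rng.randrange(len(m) + 1)]
        try:
            is_rejected(bytes(m))
        except Exception:  # anything but NdefError is a parser bug worth a finding
            crashes += 1
    return crashes
```

The point of `is_rejected` and `fuzz_parser` is the contract they check: every length field is validated against the remaining buffer before any slice, and decoding failures are converted into one well-defined exception, so a mobile companion app can fail closed instead of crashing. The same mutate-and-run loop is what a pen-test harness does at larger scale, ideally with a coverage-guided fuzzer in place of the plain random mutator shown here.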

    Top RFID Vulnerabilities Affecting Medical Devices

    1. Static UID-only authentication - EM4100 / T55x7 / HID Prox tags can be cloned in seconds. Never use as a sole authentication factor on a regulated device.
    2. Lack of mutual authentication - readers accept any tag with the right format. Implement challenge-response (e.g., DESFire EV2/EV3) where access control matters.
    3. No integrity protection on stored data - implant identifiers, drug vial counts, and consumable-usage records can be rewritten unless protected by signed records or write-locked memory.
    4. Sniffing & decoding - UHF RFID protocols (EPC Gen2) are largely cleartext. Any data on the tag should be considered public.
    5. Denial of service via jamming or kill commands - EPC Gen2 supports a "kill" command. Reviewers will ask whether unauthorized kill commands can disable critical asset tracking.
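The contrast between items 1 and 2 above, as an added example that is not code from the original article or from Blue Goat Cyber: a UID-only reader next to a mutual challenge-response reader using diversified per-tag HMAC keys, exercised by a genuine tag and by a test double that models a copied tag replaying a recorded session. The UID, master key and message layout are constructed assumptions; the code shows the protocol shape, not the command set of any particular chipset.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes(range(32))  # constructed; a real master key lives in the reader's secure element

def diversify(master: bytes, uid: bytes) -> bytes:
    """Derive a per-tag key so one compromised tag does not expose the whole fleet."""
    return hmac.new(master, b"tag-key|" + uid, hashlib.sha256).digest()

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed fields, so distinct field splits cannot collide."""
    return hmac.new(key, b"".join(len(p).to_bytes(2, "big") + p for p in parts), hashlib.sha256).digest()

class GenuineTag:
    """Holds its diversified key; answers only after the reader proves it knows that key."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key
    def nonce(self) -> bytes:
        return secrets.token_bytes(16)
    def respond(self, reader_proof: bytes, nonce_r: bytes, nonce_t: bytes):
        expected = mac(self.key, b"reader", self.uid, nonce_t, nonce_r)
        if not hmac.compare_digest(reader_proof, expected):
            return None  # reader failed its half of the mutual authentication
        return mac(self.key, b"tag", self.uid, nonce_r, nonce_t)

class RecordingTap:
    """Test fixture: forwards to a genuine tag while logging the air-interface transcript,
    which the threat model treats as readable by anyone in range."""
    def __init__(self, tag: GenuineTag):
        self.tag, self.uid, self.transcripts = tag, tag.uid, []
    def nonce(self) -> bytes:
        return self.tag.nonce()
    def respond(self, reader_proof, nonce_r, nonce_t):
        resp = self.tag.respond(reader_proof, nonce_r, nonce_t)
        self.transcripts.append((nonce_t, nonce_r, resp))
        return resp

class ClonedTagModel:
    """Test fixture modelling a copied tag: it knows the UID and recorded transcripts, not the key."""
    def __init__(self, uid: bytes, transcripts: list):
        self.uid, self.transcripts = uid, list(transcripts)
    def nonce(self) -> bytes:
        return self.transcripts[0][0] if self.transcripts else bytes(16)  # re-use an old tag nonce
    def respond(self, reader_proof, nonce_r, nonce_t):
        for old_t, old_r, old_resp in self.transcripts:
            if old_t == nonce_t and old_r == nonce_r:
                return old_resp  # exact session seen before: replay it
        return bytes(32)  # otherwise nothing valid to send

class UidOnlyReader:
    """Vulnerable pattern: the tag is 'authenticated' by a UID anyone in range can read."""
    def __init__(self, allowed_uids):
        self.allowed = set(allowed_uids)
    def authenticate(self, tag) -> bool:
        return tag.uid in self.allowed

class ChallengeResponseReader:
    """Hardened pattern: fresh nonces on both sides, and the reader proves itself first."""
    def __init__(self, master_key: bytes, allowed_uids):
        self.master_key, self.allowed = master_key, set(allowed_uids)
    def authenticate(self, tag) -> bool:
        if tag.uid not in self.allowed:
            return False
        key = diversify(self.master_key, tag.uid)
        nonce_t = tag.nonce()
        nonce_r = secrets.token_bytes(16)  # fresh per session, so recorded transcripts never match
        proof = mac(key, b"reader", tag.uid, nonce_t, nonce_r)
        resp = tag.respond(proof, nonce_r, nonce_t)
        return resp is not None and hmac.compare_digest(resp, mac(key, b"tag", tag.uid, nonce_r, nonce_t))

def run_demo() -> dict:
    """Genuine tag, then a cloned-tag model holding one recorded session, against both readers."""
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID
    genuine = GenuineTag(uid, diversify(MASTER_KEY, uid))
    tap = RecordingTap(genuine)
    uid_reader = UidOnlyReader([uid])
    cr_reader = ChallengeResponseReader(MASTER_KEY, [uid])
    results = {"uid_only_genuine": uid_reader.authenticate(genuine),
               "cr_genuine": cr_reader.authenticate(tap)}  # this session is recorded by the tap
    clone = ClonedTagModel(uid, tap.transcripts)
    results["uid_only_clone"] = uid_reader.authenticate(clone)
    results["cr_clone_replay"] = cr_reader.authenticate(clone)
    return results
```

`run_demo()` returns the four outcomes a traceability matrix would cite: the UID-only reader accepts the genuine tag and the copy alike, while the challenge-response reader accepts the genuine tag and rejects the copy even though it holds a complete earlier transcript, because the reader's nonce is fresh on every session. Key diversification and the reader-first proof are the properties to look for in a chip-level implementation (the DESFire EV2/EV3 mutual authentication named above offers both); the toy HMAC exchange here stands in for that command set.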

    Threat Modeling NFC & RFID for §524B

    Treat every NFC/RFID interaction as a system-level threat-model element:

    • Asset: what does the tag/reader represent? (patient identity, dose authorization, device pairing seed, sterile-supply count)
    • Trust boundary: the air interface is always a trust boundary
    • Threats (STRIDE): Spoofing (cloning), Tampering (rewrite), Repudiation (no signed records), Information Disclosure (eavesdropping), Denial of Service (jamming/kill), Elevation of Privilege (downgrade)
    • Mitigations: mutual auth, signed records, range limiting, rate limiting, audit logging, IFU controls
    • ISO 14971 linkage: what is the patient-harm scenario for each unmitigated threat?

    Test Evidence Reviewers Expect

    Your premarket submission should include - for every NFC/RFID interface:

    • A scoped pen test report covering cloning, replay, relay, and protocol-fuzzing attempts
    • SBOM entries for the NFC/RFID stack (often a third-party module - disclose the chipset firmware version)
    • VEX statements for any known CVEs in the stack
    • A traceability matrix mapping each threat-model element to a test case and a result
    • Residual risk acceptance signed by the security and clinical risk owners

    Mitigations & IFU Guidance

    Where technical mitigation is impractical (low-cost passive tags, legacy reader installations), the labeling and IFU must explicitly call out:

    • The threat (e.g., "tags can be cloned by an adversary with physical proximity")
    • The recommended operational control (e.g., "use in a controlled clinical environment; do not rely on tag UID as a sole authentication factor")
    • The healthcare delivery organization's responsibilities

    This satisfies the §524B(b)(2) "reasonable assurance" requirement when residual risk cannot be engineered out.

    How Blue Goat Cyber Helps

    We perform NFC/RFID-specific testing - Proxmark3, Flipper Zero, ChameleonMini, software-defined radio - as part of full-system medical device penetration tests. Every finding lands in your SPDF, mapped to a §524B subsection, an ISO 14971 harm, and a CAPA pathway.

    Schedule a discovery session to scope NFC/RFID coverage for your device.
