
Published: October 22, 2024 · Last reviewed: May 1, 2026
The FDA premarket cybersecurity guidance makes clear that medical device manufacturers must secure NFC and RFID interfaces. Key expectations include a threat model that treats the air interface as untrusted, patient-harm linkage via ISO 14971 for potential NFC/RFID exploits (e.g., tag cloning, replay, spoofing), and specific test evidence in the Cybersecurity Bill of Materials and associated documentation. Test evidence should go beyond vulnerability scanning to include exploitation attempts and their results.
Near-Field Communication (NFC) and Radio-Frequency Identification (RFID) are everywhere in modern MedTech - patient-ID wristbands, surgical instrument tracking, sterile supply consumption, implant interrogation, drug-vial authentication, and clinician-programmer pairing. They are also two of the most consistently under-tested attack surfaces in FDA premarket submissions.
This guide consolidates Blue Goat Cyber's coverage of NFC and RFID into a single reference for medical device manufacturers preparing 510(k), De Novo, or PMA submissions under the 2026 FDA cybersecurity review posture - Section 524B of the FD&C Act, the September 2023 FDA premarket cybersecurity guidance, AAMI TIR57/TIR97, and IEC 81001-5-1.
Key Takeaways
- Threat model all NFC/RFID as untrusted air interfaces.
- Link NFC/RFID vulnerabilities to ISO 14971 patient harm.
- Provide specific test evidence in premarket submissions.
- Prioritize mutual authentication and data integrity.
- Address tag cloning, replay, and eavesdropping risks.
- Labeling must mitigate unaddressable technical risks.
Table of Contents
- Key Takeaways
- Why NFC & RFID Get Flagged in FDA Reviews
- NFC vs. RFID: The Practical Differences for MedTech
- Top NFC Vulnerabilities Affecting Medical Devices
- Top RFID Vulnerabilities Affecting Medical Devices
- Threat Modeling NFC & RFID for §524B
- Test Evidence Reviewers Expect
- Mitigations & IFU Guidance
- How Blue Goat Cyber Helps
- Related FDA & cybersecurity guides
Why NFC & RFID Get Flagged in FDA Reviews
Reviewers in 2026 are explicitly looking for three things on any short-range wireless interface:
- A threat model that treats the air interface as untrusted - every NFC/RFID interaction must be modeled as if an attacker is within range.
- Patient-harm linkage via ISO 14971 - what happens if a tag is cloned, replayed, or spoofed? Wrong-patient identification, wrong-dose delivery, or implant misconfiguration are textbook §524B harms.
- Test evidence in the SPDF - vulnerability scanning alone is not enough; reviewers want exploitation attempts, results, and SBOM-linked component triage.
NFC vs. RFID: The Practical Differences for MedTech
| Property | RFID (LF/HF/UHF) | NFC (subset of HF RFID, 13.56 MHz) |
|---|---|---|
| Typical range | Centimeters to ~12 m (UHF) | < 4 cm |
| MedTech use cases | Asset tracking, sterile supply, implant interrogation | Patient ID wristbands, clinician-device pairing, drug authentication |
| Authentication | Often none (passive tags) | Optional (NDEF + signed records) |
| Replay/cloning risk | High for low-cost tags (EM4100, T55x7) | Lower but real (Mifare Classic still in field) |
| §524B relevance | Postmarket monitoring + IFU controls | Premarket threat model + access control evidence |
Range matters enormously. UHF RFID asset trackers can be read from across a hospital corridor; NFC requires near-physical proximity. Both still fail patient-safety risk analysis if cloning leads to wrong-patient or wrong-device action.
Top NFC Vulnerabilities Affecting Medical Devices
- Tag cloning (Mifare Classic, NTAG21x without PWD) - trivial with a Proxmark3 or even a smartphone. If patient identity, dose authorization, or device pairing depends on tag UID, you have a §524B-relevant flaw.
- Eavesdropping at extended range - directional antennas push the practical 4 cm range to 30+ cm in lab conditions. Unencrypted NDEF records are exposed.
- Relay attacks - Proxmark-style relays defeat proximity assumptions. Particularly relevant for clinician-programmer pairing flows.
- NDEF injection - malformed NDEF records crash or compromise mobile companion apps. Fuzz the NDEF parser as part of mobile pen testing.
- Downgrade attacks - many tags fall back to a weaker authentication mode when one is available. The threat model must enumerate the negotiated-protocol matrix.
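As an added example (not code from the original post or from Blue Goat Cyber), a strict NDEF record parser of the kind a companion app should run before acting on anything read from a tag: it enforces the length fields in the NDEF record header and rejects a record whose declared payload length runs past the buffer, the malformed-input class that NDEF fuzzing exercises. The flag bit positions follow the NFC Forum NDEF format; the sample messages and the no-chunking policy are constructed.

```python
"""Strict NDEF parser (added example, not Blue Goat Cyber code).
Parses NDEF record headers per the NFC Forum NDEF format and refuses records
whose declared lengths run past the buffer. Sample messages are constructed.
"""
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08  # NDEF header flag bits

class NdefError(ValueError):
    pass

def parse_message(buf: bytes) -> list[tuple]:
    """Return [(tnf, type, id, payload), ...] or raise NdefError."""
    records, pos = [], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if len(buf) - pos < n:
            raise NdefError(f"need {n} bytes at offset {pos}, have {len(buf) - pos}")
        pos += n
        return buf[pos - n:pos]

    while True:
        flags, type_len = take(2)
        if not records and not flags & MB:
            raise NdefError("first record lacks MB flag")
        if flags & CF:
            raise NdefError("chunked records not accepted")  # constructed policy
        # SR records carry a 1-byte payload length, others 4 bytes big-endian.
        payload_len = take(1)[0] if flags & SR else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if flags & IL else 0
        # Check the whole body fits before slicing: a lying length field must
        # fail loudly rather than yield a silently short slice.
        if len(buf) - pos < type_len + id_len + payload_len:
            raise NdefError("declared lengths exceed message")
        records.append((flags & 0x07, take(type_len), take(id_len), take(payload_len)))
        if flags & ME:
            break
    if pos != len(buf):
        raise NdefError("trailing bytes after ME record")
    return records

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_message(buf)
        return True
    except NdefError:
        return False

# Constructed samples: a valid well-known Text record ("en", "Hello") and the
# same bytes with the payload length field overstated.
GOOD = b"\xd1\x01\x08T\x02enHello"
BAD_LENGTH = b"\xd1\x01\xffT\x02enHello"
```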
Top RFID Vulnerabilities Affecting Medical Devices
- Static UID-only authentication - EM4100 / T55x7 / HID Prox tags can be cloned in seconds. Never use them as a sole authentication factor on a regulated device.
- Lack of mutual authentication - readers accept any tag with the right format. Implement challenge-response (e.g., DESFire EV2/EV3) where access control matters.
- No integrity protection on stored data - implant identifiers, drug vial counts, and consumable-usage records can be rewritten unless protected by signed records or write-locked memory.
- Sniffing & decoding - UHF RFID protocols (EPC Gen2) are largely cleartext. Any data on the tag should be considered public.
- Denial of service via jamming or kill commands - EPC Gen2 supports a "kill" command. Reviewers will ask whether unauthorized kill commands can disable critical asset tracking.
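As an added example (not code from the original post or from Blue Goat Cyber), reader-side logic for the first three entries above: a UID-only check accepts a tag that merely copied a UID, a per-tag-key challenge-response check does not, and a keyed signature bound to the UID protects stored data against rewriting or copying onto another tag. The Tag class, keys, UID and MRN payload are constructed; HMAC-SHA256 stands in for the native cipher of a DESFire-class tag.

```python
"""Reader-side tag checks (added example, not Blue Goat Cyber code).
Contrasts UID-only acceptance with challenge-response and a keyed signature
over stored data; HMAC-SHA256 stands in for the native cipher of a
DESFire-class tag (the capability the page names for mutual authentication).
"""
import hashlib
import hmac
import secrets
from typing import Optional

class Tag:
    """Constructed stand-in for a tag holding a per-tag key and a record."""
    def __init__(self, uid: bytes, key: bytes, record: bytes):
        self.uid, self._key, self.record = uid, key, record
    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + self.uid, hashlib.sha256).digest()

def uid_only_accept(tag: Tag, enrolled: set[bytes]) -> bool:
    """The weak pattern from the page: trust whatever UID the tag reports."""
    return tag.uid in enrolled

def challenge_response_accept(tag: Tag, keys: dict[bytes, bytes]) -> bool:
    """Fresh nonce per read; the reader recomputes the MAC under the key it
    holds for this UID, so a copied UID alone never passes."""
    key = keys.get(tag.uid)
    if key is None:
        return False
    nonce = secrets.token_bytes(16)
    expected = hmac.new(key, nonce + tag.uid, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(nonce))

def sign_record(issuer_key: bytes, uid: bytes, payload: bytes) -> bytes:
    """Issuer stores payload || MAC(uid || payload): rewriting the payload or
    copying it onto a tag with another UID invalidates the record."""
    return payload + hmac.new(issuer_key, uid + payload, hashlib.sha256).digest()

def verify_record(issuer_key: bytes, uid: bytes, record: bytes) -> Optional[bytes]:
    """Return the payload only if its MAC matches this UID."""
    if len(record) < 32:
        return None
    payload, mac = record[:-32], record[-32:]
    expected = hmac.new(issuer_key, uid + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None

# Constructed enrollment: a genuine wristband tag, and a clone that copied its
# UID and record bytes but holds no valid per-tag key.
ISSUER_KEY = b"constructed-issuer-key-not-real!"
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
UID = bytes.fromhex("04a1b2c3d4e5f6")
GENUINE = Tag(UID, TAG_KEY, sign_record(ISSUER_KEY, UID, b"MRN:000123"))
CLONE = Tag(UID, bytes(16), GENUINE.record)
KEYS = {UID: TAG_KEY}
```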
Threat Modeling NFC & RFID for §524B
Treat every NFC/RFID interaction as a system-level threat-model element:
- Asset: what does the tag/reader represent? (patient identity, dose authorization, device pairing seed, sterile-supply count)
- Trust boundary: the air interface is always a trust boundary
- Threats (STRIDE): Spoofing (cloning), Tampering (rewrite), Repudiation (no signed records), Information Disclosure (eavesdropping), Denial of Service (jamming/kill), Elevation of Privilege (downgrade)
- Mitigations: mutual auth, signed records, range limiting, rate limiting, audit logging, IFU controls
- ISO 14971 linkage: what is the patient-harm scenario for each unmitigated threat?
Test Evidence Reviewers Expect
Your premarket submission should include - for every NFC/RFID interface:
- A scoped pen test report covering cloning, replay, relay, and protocol-fuzzing attempts
- SBOM entries for the NFC/RFID stack (often a third-party module - disclose the chipset firmware version)
- VEX statements for any known CVEs in the stack
- A traceability matrix mapping each threat-model element to a test case and a result
- Residual risk acceptance signed by the security and clinical risk owners
See also: De Novo Cybersecurity Requirements: What the FDA Expects, FDA Cybersecurity Major vs Minor Deficiency: How Reviewers Grade Findings, and FDA Cybersecurity Deficiencies in PMA Submissions: AI Requests, Major Deficiencies, and Complete Response Letters.
Mitigations & IFU Guidance
Where technical mitigation is impractical (low-cost passive tags, legacy reader installations), the labeling and IFU must explicitly call out:
- The threat (e.g., "tags can be cloned by an adversary with physical proximity")
- The recommended operational control (e.g., "use in a controlled clinical environment; do not rely on tag UID as a sole authentication factor")
- The healthcare delivery organization's responsibilities
This satisfies the §524B(b)(2) "reasonable assurance" requirement when residual risk cannot be engineered out.
How Blue Goat Cyber Helps
We perform NFC/RFID-specific testing - Proxmark3, Flipper Zero, ChameleonMini, software-defined radio - as part of full-system medical device penetration tests. Every finding lands in your SPDF, mapped to a §524B subsection, an ISO 14971 harm, and a CAPA pathway.
Schedule a discovery session to scope NFC/RFID coverage for your device.
FAQ
What is the FDA's concern with NFC and RFID in medical devices?
The FDA is concerned about NFC and RFID interfaces being potential attack surfaces that could lead to patient harm if exploited. This includes issues like incorrect patient identification, unauthorized device modifications, or data tampering.
How does the FDA premarket cybersecurity guidance apply to NFC/RFID?
The February 3, 2026 final guidance requires manufacturers to conduct thorough threat modeling for NFC/RFID, identify patient harm scenarios, and provide strong test evidence of security controls in their premarket submissions for 510(k), De Novo, or PMA applications.
What are common NFC vulnerabilities in medical devices?
Common NFC vulnerabilities include tag cloning (especially for Mifare Classic, NTAG21x without passwords), eavesdropping on unencrypted NDEF records, relay attacks, NDEF injection, and downgrade attacks where devices negotiate to weaker authentication protocols.
What RFID vulnerabilities should be addressed for FDA submissions?
Key RFID vulnerabilities include static UID-only authentication, lack of mutual authentication, no integrity protection for stored data, sniffing cleartext protocols, and denial of service via jamming or unauthorized kill commands.
What kind of test evidence does the FDA expect for NFC/RFID?
The FDA expects scoped penetration test reports covering cloning, replay, relay, and protocol fuzzing. Manufacturers must also provide SBOM entries for the NFC/RFID stack, VEX statements for known CVEs, and a traceability matrix linking threats to test cases and results.
When should device labeling be used to mitigate NFC/RFID risks?
When technical mitigation of NFC/RFID risks is impractical (e.g., due to low-cost passive tags), labeling and Instructions For Use (IFU) must explicitly describe the threat, recommend operational controls, and outline healthcare delivery organization responsibilities.
Related FDA & cybersecurity guides
- FDA Section 524B cybersecurity requirements explained
- SBOM vulnerability management for medical devices
- VEX document guide for FDA submissions
- FDA deficiency-letter response service
- STRIDE threat modeling for medical devices
About the author
Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance.