Cybersecurity for in-center hemodialysis, home hemodialysis, and peritoneal-dialysis cyclers with cloud connectivity.
Dialysis devices run a safety-critical fluid-management control loop - ultrafiltration rate, dialysate composition, and treatment-time enforcement are all writable state where a compromise can cause direct patient harm. The shift to home hemodialysis and cloud-connected PD cyclers has pushed the segment into multi-tenant cloud, mobile companion-app, and remote-prescription territory that the FDA's 2026 guidance and section 524B now scrutinize explicitly. We build premarket and postmarket cybersecurity packages tuned to the prescription-to-device path, the home/cloud telemetry backhaul, and the long deployed service life of dialysis capital equipment.
Cloud-pushed or USB-loaded prescriptions (UF rate, dialysate composition, treatment time) are safety-critical writable state - the threat model must enumerate every path and require signed, authenticated, replay-resistant delivery.
Home dialysis cyclers live on consumer-grade Wi-Fi with no IT staff - the device must be safe-by-default and the cloud backhaul must assume the home network and any paired phone are compromised.
Cloud prescription and fleet-management platforms serve multiple clinics and tens of thousands of patients - BOLA, tenant separation, and fleet-wide command abuse are the most consequential findings.
Embedded OS components inside dialysis machines routinely go EOL mid-deployment - the postmarket plan must document compensating controls and a defensible patch cadence.
Dialysis platforms combine a safety-critical fluid-management control loop with cloud-pushed prescriptions and (for home therapy) a hostile-by-default consumer Wi-Fi environment. The prescription path, the multi-tenant cloud, and the home backhaul are all in scope.
Layers shown outermost (top) to innermost (bottom). Dashed rows are part of the surrounding system but out of scope for this view.
Dialysis incidents combine documented network-stack disclosures affecting renal-replacement platforms, recurring vendor middleware and remote-service patterns, and the broader pattern of cloud-pushed-prescription architectures that section 524B and the 2026 guidance directly contemplate.
Historical incidents
The URGENT/11 VxWorks IPnet disclosure reached dialysis controllers, bedside systems, and renal-platform components alongside other implant and capital-equipment categories. The FDA Safety Communication directed manufacturers to assess and disclose exposure.
FDA Safety Communication, Oct 1 2019CISA ICSMA-19-274-01
As home hemodialysis and PD platforms have moved to cloud-pushed prescriptions and clinician portals, advisories and research have repeatedly demonstrated multi-tenant cloud authorization weaknesses (BOLA), portal account-takeover paths, and weak isolation across clinic tenants.
Vendor middleware connecting dialysis and analyzer fleets to LIS/EHR systems has a documented history of credential-custody and service-tunnel incidents; reviewers cite this pattern when assessing renal-platform postmarket plans.
Active threat scenarios
A clinician-issued prescription (UF rate, dialysate composition, treatment time) substituted or replayed on the path to the device is a direct patient-safety hazard; every hop needs authentication, integrity, and replay protection.
BOLA on prescription or treatment data exposes one clinic's patients to another and is the highest-impact recurring finding in cloud fleet platforms - tested aggressively.
Home cyclers facing a hostile home network and paired phone must refuse unsolicited inbound, authenticate outbound with mutual TLS and pinning, and degrade safely when connectivity is lost.
Embedded OS components inside hemodialysis machines reach EOL mid-deployment; absence of per-generation compensating controls is a deficiency-letter pattern.
What FDA reviewers cite
Dialysis combines a safety-critical fluid-management control loop with cloud-pushed prescriptions and the shift to home therapy - exactly the combination FDA's 2026 guidance and section 524B were written to address.
Every path that can modify a dialysis prescription - cloud, USB, manual entry - must be enumerated, signed, authenticated, and validated against IEC 60601-2-16 essential-performance bounds.
Home cyclers must be safe-by-default with no household IT support; the cloud backhaul must assume the home Wi-Fi and paired phone are compromised and the IFU must be followable by a non-technical patient.
Cloud prescription and fleet-management platforms serve multiple clinics; BOLA, tenant separation, and fleet-wide command abuse have multi-patient blast radius and need explicit testing.
Dialysis machines routinely run 10-15 years on embedded OS versions that go EOL - the postmarket plan must document the configuration matrix, compensating controls, and patch cadence.
Standards & deliverables
Six deliverables FDA and notified bodies expect across MedTech, with the dialysis / renal-specific wrinkle on each row. Use it as a scoping checklist before you brief vendors or your QA team.
| Deliverable | Status | Cadence | Standard / guidance | Dialysis / Renal note |
|---|---|---|---|---|
| SBOM + VEX Machine-readable SBOM (CycloneDX/SPDX) plus VEX feed for every CVE that touches a listed component. |
Required | Premarket + monthly refresh | FDA Cybersecurity Guidance §V · CISA SBOM minimum elements | SBOM must cover machine firmware, prescription-handling middleware, cloud platform components, and any patient-app SDKs. |
| Postmarket monitoring Continuous CVE / advisory monitoring against the SBOM, with a documented triage and disclosure path. |
Required | Continuous (≤30-day triage) | FD&C Act §524B · FDA Postmarket Cybersecurity Guidance | Postmarket plan must address EOL-OS compensating controls and the cloud-prescription path under section 524B. |
| Penetration test scope Black/grey-box testing across device, wireless interfaces, mobile apps, cloud APIs, and service tooling. |
Required | Premarket + on material change | AAMI TIR57 · FDA Premarket Cyber Guidance §VI.A.5 | Pen test scope: cloud prescription path (cloud→transport→device verification), USB/manual prescription load, multi-tenant cloud BOLA, home-network hostile-environment paths. |
| Threat model STRIDE-per-interface threat model with documented mitigations and residual-risk acceptance. |
Required | Premarket, refreshed each design change | AAMI TIR57 · FDA Premarket Cyber Guidance §V.A | Treat the home Wi-Fi and paired phone as hostile; model UF rate, dialysate composition, and treatment time as safety-critical writable state. |
| Secure update mechanism Signed firmware/software updates with rollback protection, integrity verification, and staged rollout. |
Required | Designed premarket, exercised lifecycle-long | FDA Cyber Guidance §IV · IEC 81001-5-1 | Updates need authenticated, signed, rollback-safe channels across clinic and home fleets, with patient-safety rationale documented. |
| Coordinated Vulnerability Disclosure Public CVD policy, intake channel, and SLAs for triage, fix, and customer communication. |
Required | Continuous, lifecycle-long | ISO/IEC 29147 + 30111 · Section 524B(b)(2) | CVD policy must accept reports from clinic nurses, home patients, and biomed engineers, not just security researchers. |
Machine-readable SBOM (CycloneDX/SPDX) plus VEX feed for every CVE that touches a listed component.
Continuous CVE / advisory monitoring against the SBOM, with a documented triage and disclosure path.
Black/grey-box testing across device, wireless interfaces, mobile apps, cloud APIs, and service tooling.
STRIDE-per-interface threat model with documented mitigations and residual-risk acceptance.
Signed firmware/software updates with rollback protection, integrity verification, and staged rollout.
Public CVD policy, intake channel, and SLAs for triage, fix, and customer communication.
Dialysis combines safety-critical fluid-management control with the move to home therapy and cloud-pushed prescriptions, which is exactly the combination FDA's 2026 guidance and section 524B were written to address. A compromise on the prescription path or the home backhaul can cause direct patient harm at fleet scale, and the deployed service lives are long enough that postmarket monitoring is not optional.
We scope the entire prescription chain: clinician portal, cloud signing/authentication, transport, on-device verification, and the local fallback (USB or manual entry). Every path is exercised for authentication, integrity, replay, and downgrade, and the device's behavior under tampered or malformed prescriptions is validated against the IEC 60601-2-16 essential-performance bounds. Findings tie back to specific hazard entries in the IEC 14971 risk file.
Home cyclers are designed to be safe-by-default with no expectation of household IT support. The threat model treats the home Wi-Fi, paired phone, and any household devices as untrusted; the device authenticates outbound to the cloud with mutual TLS and pinning, refuses unsolicited inbound connections, and degrades safely when connectivity is lost. The IFU and labeling document the operational assumptions clearly enough that a non-technical patient can follow them.
Yes. The cloud platform is scoped as its own system: clinic/patient tenant separation, BOLA on prescription and treatment data, fleet-wide command abuse, provider/payer authorization, and the OTA path back to the device. Findings on the cloud are tied back to the device threat model so the system view stays coherent.
CRRT shares the dialysis threat model but adds the hospital-network and ICU-integration paths. We scope CRRT alongside hemodialysis when manufacturers ship both, with CRRT-specific essential performance and ICU-monitor integration called out separately.
For a connected hemodialysis or home-dialysis platform with cloud prescription and patient app, end-to-end premarket cyber work runs 12-16 weeks. Threat modeling and SBOM front-load in weeks 1-4, pen testing across device, cloud, clinician portal, and patient app runs in weeks 4-13, and the consolidated submission package and postmarket plan close in the final weeks - all under a written clearance guarantee.
Prescription-integrity threat models, cloud fleet pen testing, and home-network hostile-environment design for in-center, home, and PD platforms.
"Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."
Cybersecurity for in-center hemodialysis, home hemodialysis, and peritoneal-dialysis cyclers with cloud connectivity.
