
MedTech

Key aspects of cybersecurity by design in medical-grade connected healthcare

Connected medical devices are transforming patient care through cloud and AI-driven insights. But the same connectivity is rapidly expanding the healthcare cyberattack landscape. Today, the healthcare sector is among the most attacked critical sectors in Europe. For MedTech companies, cybersecurity has long since moved from a downstream quality check to a core design discipline. In this article, we discuss the key ways of ensuring the cyber resilience of your next MedTech innovation.

May 29, 2026 | 6 Minutes to Read
With insights from
  • Derek Yu

    Principal Consultant

MedTech is in the crosshairs of healthcare cybersecurity

Cyberattacks on the healthcare sector are no longer edge-case events. They are frequent, severe, and increasingly systematic.
The evidence from past cyber incidents is clear: for MedTech companies undergoing cloud transformation, cybersecurity is a structural concern.

309 incidents

EU countries reported 309 significant cybersecurity incidents targeting healthcare in 2023. That is more than any other critical sector, according to the European Union Agency for Cybersecurity (ENISA).

42% of incidents were in hospitals

Ransomware accounted for 54% of all the threats reported in 2023, and hospitals were the victims in 42% of incidents.

23% of connected medical devices are vulnerable

CISA's Known Exploited Vulnerabilities catalogue shows that 23% of connected medical devices carry at least one known exploited vulnerability, and 63% of those exposures are present on healthcare networks more broadly.

30% of targeted assets were EHR and clinical data

Patient data is the most sought-after asset, with electronic health records and clinical data accounting for 30% of targets; most incidents aim to steal or leak information (ENISA).

Beyond data, attacks disrupt patient care

Attacks disrupt IT systems, cloud-connected MedTech platforms, and clinical data pipelines. Beyond exposing information, they threaten diagnostics, treatment, and patient outcomes.

Cybersecurity for connected medical devices is a recognized and regulated factor of product quality

The sensitivity of patient data and the need for uninterrupted healthcare operations make the sector a prime target for cyberattacks. Medical-grade connectivity refers to the entire infrastructure that allows medical devices, from wearable monitors to imaging systems, to securely handle data and reliably operate with high availability. 

What makes this level of connectivity particularly attractive to attackers is exactly what makes it clinically valuable: devices must be always-on, interoperable across heterogeneous systems and device generations, and accessible to multiple stakeholders simultaneously. A lapse in cybersecurity cannot be tolerated until the next patch cycle because a breach or disruption interferes with patient care.

The regulatory environment reflects this seriousness. The EU Medical Device Regulation (MDR), IEC 81001-5-1, the FDA Cybersecurity Guidance, and the EU Cyber Resilience Act (CRA) together make cybersecurity a condition of market access. The MDR, FDA, and IEC 81001-5-1 remain the primary compliance anchors for medical device manufacturers. However, the CRA (in force since December 2024) extends cybersecurity requirements to connected software components, apps, and cloud services that form part of the device ecosystem, even where those components are not themselves classified as medical devices. 

These regulations are in effect across most markets. The question for MedTech companies is whether their development process is robust and structured enough to meet these requirements.

Medical device cyber resilience is a lifecycle discipline

Achieving medical-grade connectivity means meeting a set of essential technical and process requirements across the full development lifecycle. Often, the most significant decision a MedTech company can make is where cybersecurity enters that process: from the beginning or deferred until later. Successful teams start early to build security muscle memory, avoid insecure technical debt, and reduce costly patchwork.

Let’s explore some key steps to achieving this.

Step 1: Determine assets and identify realistic threats

Protection begins with performing a risk assessment and deriving associated technical requirements for adequate security mitigations. Teams build a full asset inventory, document a threat model, and analyse the security risks using industry-tested methods and standards such as STRIDE, attack trees, and MITRE ATT&CK. The resulting risks drive every subsequent decision on engineering security features and intended use. 

The risks of skipping Step 1:   

We have worked with MedTech companies that forgo formal threat modelling during product engineering. Regulatory reviewers later highlight that the submission contains no documented analysis of risks to justify the security design choices. The time saved by skipping threat modelling was offset later by costly redesigns and delayed market entry.

Step 2: Design for tomorrow's threats today

The product's architecture design translates the threat model into the system's structural blueprint. This step entails defining security principles, establishing identity and access management (such as using Public Key Infrastructure certificates for entity authentication), determining the cryptographic mechanisms, reviewing security designs, and producing supporting documentation for internal development and compliance.

In modern cryptographic systems, this is also where cryptographic agility is built in: designing the cryptographic layer to be updatable rather than hardcoded into a single approach that future advances in quantum computing may break. 

The risks of skipping Step 2: 

Across multiple industries, we occasionally see a device fleet sharing a single credential for authentication. One single compromised device leads to fleet takeover. PKI-based per-device identity would have contained the breach to a single unit. 

Quantum computing poses a significant challenge to current encryption standards

With recent advances, quantum computing is no longer a distant concern. In solutions that are expected to be in operation for many years, we are seeing increasing maturity in ensuring cryptographic implementations are updatable without rebuilding systems from scratch. Those often include quantum-safe alternatives aligned with emerging NIST post-quantum standards such as FIPS 203, FIPS 204, and FIPS 205.  
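A sketch of the updatable cryptographic layer described in Step 2, added here as an illustration and not taken from the article or any Zühlke code: messages name their algorithm, and an updatable policy decides what is signed with and what is still accepted. The envelope format, the `Policy` class and the use of HMAC-SHA-256/512 as stand-ins for real signature schemes are assumptions made so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Registry: algorithm id -> tag function. The HMAC variants are stand-ins
# (assumption); a product would register real signature schemes here.
ALGORITHMS = {
    "hmac-sha256": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
    "hmac-sha512": lambda k, m: hmac.new(k, m, hashlib.sha512).digest(),
}


class Policy:
    """Updatable configuration: what we sign with and what we still accept."""

    def __init__(self, sign_with, accept):
        if sign_with not in accept:
            raise ValueError("signing algorithm must be in the accept set")
        self.sign_with, self.accept = sign_with, frozenset(accept)


def protect(policy, key, payload: bytes) -> bytes:
    alg = policy.sign_with
    tag = ALGORITHMS[alg](key, alg.encode() + b"." + payload)  # bind alg into the tag
    return json.dumps({"alg": alg, "payload": payload.hex(), "tag": tag.hex()}).encode()


def verify(policy, key, envelope: bytes) -> bytes:
    """Return the payload or raise ValueError."""
    try:
        env = json.loads(envelope)
        alg = env["alg"]
        payload, tag = bytes.fromhex(env["payload"]), bytes.fromhex(env["tag"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed envelope") from exc
    # Policy, not the message, decides what is acceptable, so naming a
    # retired algorithm in the envelope cannot force a downgrade.
    if not isinstance(alg, str) or alg not in policy.accept or alg not in ALGORITHMS:
        raise ValueError("algorithm not accepted by current policy")
    if not hmac.compare_digest(ALGORITHMS[alg](key, alg.encode() + b"." + payload), tag):
        raise ValueError("bad tag")
    return payload


def accepted(policy, key, envelope) -> bool:
    try:
        verify(policy, key, envelope)
        return True
    except ValueError:
        return False
```

Migration then becomes three policy updates rather than a rebuild: accept only the old algorithm, sign with the new one while accepting both, then drop the old one from the accept set.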

Step 3: Implement secure business logic and manage supply chain vulnerabilities

A mature security development lifecycle cannot do without robust secure coding practices, Static Application Security Testing (SAST), and software component analysis (SCA) enforced in automated pipelines. With modern attackers targeting common libraries and components, teams should reduce their exposure to opportunistic attacks by carefully auditing third-party component use, hardening configurations, and ensuring timely patching. 

The risks of skipping Step 3:  

A medical device shipped with insecure default configurations that were never identified because secure coding checks and automated testing were not integrated into the development pipeline. As a result, attackers exploited weaknesses that were already publicly known at the time of release, resulting in emergency remediation, delayed deployments, and reputational damage. Automated security testing and configuration hardening would have identified the issues before production. 

Step 4: Test like an attacker

Integration and testing validate the resilience of connected medical devices under real-world attack conditions. Common approaches like Dynamic Application Security Testing (DAST) help identify exploitable weaknesses during runtime, while fuzz testing continuously feeds systems with malformed or unexpected inputs to uncover crash points and edge-case failures. Penetration testing applies adversarial techniques to evaluate defensive controls from an attacker’s perspective. Together, these activities expose runtime failure modes that static analysis alone cannot detect and enable remediation before deployment. 

The risks of skipping Step 4:

Fuzz testing revealed that a connected patient monitor crashed on malformed data packets. Such a crash can be used in a denial-of-service attack on a life-critical system. If found in a test environment, it is fixable. If found in a hospital, it is a patient safety incident.
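The kind of finding described above, reproduced as an added example that is not from the article: a seeded mutation fuzzer run against two parsers for the same packet. The packet layout (`PM` magic, sample count, 16-bit samples, CRC32) and all function names are constructed for this illustration.

```python
import random
import struct
import zlib

MAGIC = b"PM"  # constructed framing: magic | count | count x uint16 | crc32


class PacketError(ValueError):
    """Controlled rejection of a malformed packet."""


def build(samples):
    body = MAGIC + bytes([len(samples)]) + struct.pack(f">{len(samples)}H", *samples)
    return body + struct.pack(">I", zlib.crc32(body))


def parse_naive(pkt: bytes):
    """Trusts the count field: short input raises IndexError or struct.error."""
    count = pkt[2]
    return list(struct.unpack_from(f">{count}H", pkt, 3))


def parse_hardened(pkt: bytes):
    """Validates framing before reading the payload; fails only with PacketError."""
    if len(pkt) < 7 or pkt[:2] != MAGIC:
        raise PacketError("bad header")
    count = pkt[2]
    if len(pkt) != 3 + 2 * count + 4:
        raise PacketError("count field does not match packet size")
    if struct.unpack(">I", pkt[-4:])[0] != zlib.crc32(pkt[:-4]):
        raise PacketError("checksum mismatch")
    return list(struct.unpack_from(f">{count}H", pkt, 3))


def mutate(rng, pkt: bytes) -> bytes:
    data = bytearray(pkt)
    choice = rng.randrange(3)
    if choice == 0 and data:                      # flip one bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:                             # truncate
        del data[rng.randrange(len(data) + 1):]
    else:                                         # append junk bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    return bytes(data)


def fuzz(parser, rounds=2000, seed=1):
    """Return how many mutated inputs escaped as an uncontrolled exception."""
    rng, seed_pkt, crashes = random.Random(seed), build([72, 75, 71]), 0
    for _ in range(rounds):
        try:
            parser(mutate(rng, seed_pkt))
        except PacketError:
            pass                                  # expected, controlled rejection
        except Exception:
            crashes += 1                          # the failure a test run should catch
    return crashes
```

`fuzz(parse_naive)` reports crashes while `fuzz(parse_hardened)` reports none; wiring the second call into the pipeline as a gate turns the finding into a regression test.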

iThera delivers spectacular views inside the human body

Zühlke applied this approach with iThera Medical, a technology leader in optoacoustic imaging, assessing software architecture, code quality, and security readiness for FDA market access.


Step 5: Stay proactive to stay resilient 

Security doesn't end at go-live, nor does it begin only after an incident. Connected medical systems require continuous monitoring and protection throughout their operational lifecycle. Monitoring and reacting to environment changes using SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) capabilities extend cybersecurity across both the device and its connected infrastructure. Modern solutions make use of AI-assisted anomaly detection and predefined incident response playbooks. Resilient solutions assume the worst and maintain tested disaster recovery procedures. 

The risks of skipping Step 5: 

Unusual outbound traffic is detected on a deployed device, but no incident response plan exists. The team hesitates between isolating the device and risking disruption to patient monitoring or taking no immediate action. The delay gives the attacker more time for lateral movement. With SIEM detection and SOAR-based playbooks, malicious traffic can be blocked and affected components contained in minutes while maintaining clinical operation.
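The detection and containment decision from this scenario, as an added example that is not from the article: flows from a device are compared with an expected-destination baseline, and the playbook blocks the unexpected flow instead of isolating the device. The log format, host names, device IDs and action names are constructed for illustration and do not correspond to any specific SIEM or SOAR product.

```python
# Constructed baseline: destinations a patient monitor is expected to contact.
BASELINE = {("telemetry.hospital.example", 8883), ("updates.vendor.example", 443)}

# Constructed flow log lines: timestamp device destination port bytes_out
FLOWS = """\
2026-05-29T10:00:01Z monitor-017 telemetry.hospital.example 8883 2048
2026-05-29T10:00:04Z monitor-017 203.0.113.50 8443 910331
2026-05-29T10:00:09Z monitor-022 updates.vendor.example 443 512
2026-05-29T10:00:11Z monitor-017 203.0.113.50 8443 1200450
not a flow record
"""


def parse_flows(text):
    """Yield (device, dst, port, bytes_out); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3].isdigit() and parts[4].isdigit():
            yield parts[1], parts[2], int(parts[3]), int(parts[4])


def detect(text, baseline=BASELINE):
    """Sum bytes sent per (device, dst, port) to destinations outside the baseline."""
    findings = {}
    for device, dst, port, nbytes in parse_flows(text):
        if (dst, port) not in baseline:
            key = (device, dst, port)
            findings[key] = findings.get(key, 0) + nbytes
    return findings


def playbook(findings, baseline=BASELINE):
    """Containment that keeps monitoring alive: block the flow, not the device."""
    actions = []
    for (device, dst, port), total in sorted(findings.items()):
        actions.append({"action": "block_egress", "device": device,
                        "dst": dst, "port": port, "bytes_seen": total})
        actions.append({"action": "open_incident", "device": device,
                        "still_allowed": sorted(baseline)})
    return actions
```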

Working with the cloud?

Watch a conversation with Dräger, the University Hospital Schleswig-Holstein, and AWS about achieving and maintaining medical-grade connectivity to and from the cloud.


AI raises the stakes for healthcare data security

Artificial intelligence is reshaping the economics of cyberattacks. For systems, it enables vulnerability discovery and exploitation at unprecedented scale. For people, AI-assisted phishing makes highly targeted attacks easier to produce and distribute at scale. As a result, the baseline threat level every connected MedTech system must withstand has risen significantly. Furthermore, the use of AI models processing patient data introduces its own class of attack surface: adversarial input contamination, prompt injection, and training data exposure create attack vectors that did not exist in previous device generations.

On a positive note, the defensive application of AI deserves equal emphasis. Cybersecurity is an arms race. When attackers deploy AI and defenders do not, the asymmetry becomes dangerous. AI-powered anomaly detection systems that learn normal behaviour across a device fleet can identify deviations at a speed and scale no human analyst can match. When AI is treated as part of the product security incident response team (PSIRT) from the outset, agent-based response workflows become a security operator’s key asset.

Our position on AI is clear: Reject the hype, get the basics right, and safely leverage the full potential of data and AI. In cybersecurity, this means ensuring that AI integration does not introduce new attack surfaces while systematically deploying AI capabilities in defence.

Cyber resilience is part of modern business continuity

Cybersecurity in medical-grade connectivity is complex, fast-evolving, and highly consequential. Regulatory requirements are tightening, and the threat environment is escalating. In addition, AI is reshaping both attack and defence simultaneously. The consequences of failure in this ecosystem extend beyond financial and reputational damage to real-world patient safety.

But cybersecurity is manageable when addressed systematically, from risk analysis to security operations. Organizations that navigate this environment successfully are those that go beyond regulatory compliance and treat security as a core discipline of product quality and business continuity.

© 2026 Zühlke Engineering AG