Cybersecurity in Medical Device Development: A Total Product Lifecycle Approach Pt 2

July 3, 2025 John O'Gorman

Ensuring robust cybersecurity across the entire lifecycle of a medical device, while aligning with evolving regulatory expectations and standards, is no small feat. From initial design through post-market surveillance, the technical, regulatory, and operational demands are significant and continually increasing.

In Part 1 of our series on adopting a total lifecycle approach to cybersecurity in connected medical device development, we examined how cybersecurity must be strategically integrated during the early stages of development, from concept and design to secure coding and security testing. But product security doesn’t stop at development.

In this second part, we focus on the later stages of the lifecycle: regulatory submission, post-market surveillance, and ongoing risk management. These phases are critical for maintaining regulatory compliance, protecting patient safety, and ensuring long-term device security.

 

Pre-submission phase

Planning

This step involves crafting a detailed cybersecurity strategy that aligns with both the technical scope of the device and the applicable regulatory frameworks. The planning process should begin with a risk-based analysis of the device’s intended use, operating environment, and connectivity features to identify potential areas of exposure. Additionally, planning should establish how cybersecurity efforts will be integrated with broader product development and risk management activities, ensuring a cohesive and traceable approach throughout the lifecycle.

Development of device models for assets, threats, and mitigations

Developers must create detailed models that clearly map out device assets, potential threats, and the corresponding mitigations. For each asset identified, the potential threats must be systematically evaluated, using frameworks such as STRIDE or ATT&CK to assess attack vectors, methods, and impact. Once threats are defined, appropriate mitigations must be matched to each risk. A well-documented asset-threat-mitigation model demonstrates that the manufacturer has taken a comprehensive, risk-based approach to cybersecurity, which is a key expectation of regulators.
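A traceability check over an asset-threat-mitigation model of the kind described above, added here as an illustration and not taken from any regulator, standard, or tool. The asset names, the threat and mitigation IDs, and the rule that every asset is assessed against each STRIDE category (or given a written rationale) are assumptions made for the example.

```python
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

@dataclass
class Threat:
    threat_id: str
    asset: str
    category: str                                    # expected to be a STRIDE category
    mitigations: list = field(default_factory=list)  # IDs into the mitigation catalogue
    not_applicable: str = ""                         # written rationale if no control is needed

def traceability_gaps(assets, mitigations, threats):
    """Return sorted (item, problem) pairs where the asset-threat-mitigation chain breaks."""
    gaps = []
    assessed = {a: set() for a in assets}
    for t in threats:
        if t.asset not in assessed:
            gaps.append((t.threat_id, f"unknown asset {t.asset!r}"))
            continue
        if t.category not in STRIDE:
            gaps.append((t.threat_id, f"unknown category {t.category!r}"))
            continue
        assessed[t.asset].add(t.category)
        for m in t.mitigations:
            if m not in mitigations:  # mitigation cited but never defined
                gaps.append((t.threat_id, f"undefined mitigation {m!r}"))
        if not t.mitigations and not t.not_applicable:
            gaps.append((t.threat_id, "no mitigation and no rationale"))
    for asset, seen in assessed.items():
        for category in STRIDE:
            if category not in seen:  # category never considered for this asset
                gaps.append((asset, f"{category} not assessed"))
    return sorted(gaps)

# Constructed sample model for a hypothetical connected device.
ASSETS = ["firmware image", "wireless link"]
MITIGATIONS = {"M-01": "Signed firmware verified at boot",
               "M-02": "Mutually authenticated, encrypted pairing"}
THREATS = [
    Threat("T-01", "firmware image", "Tampering", ["M-01"]),
    Threat("T-02", "firmware image", "Elevation of privilege", ["M-03"]),
    Threat("T-03", "wireless link", "Spoofing", ["M-02"]),
    Threat("T-04", "wireless link", "Denial of service"),
    Threat("T-05", "cloud portal", "Spoofing", ["M-02"]),
]

if __name__ == "__main__":
    for item, problem in traceability_gaps(ASSETS, MITIGATIONS, THREATS):
        print(f"{item}: {problem}")
```

An empty result means every asset has been assessed against each category and every threat traces to a defined mitigation or a recorded rationale.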

Requirements analysis to meet regulatory needs

Developers must also conduct a thorough analysis of cybersecurity requirements to ensure full alignment with regulatory expectations. This process involves translating the high-level guidance from authorities such as the FDA and standards like IEC 81001-5-1 into specific, actionable requirements tailored to the device in development. This includes evaluating the device's intended use, its connectivity profile, and the sensitivity of the data it handles, all of which inform the required level of cybersecurity assurance. These requirements must be formally documented and integrated into the device’s development and verification plans.

 

Post-market phase

Secure change management

Secure change management is the structured, risk-based approach to managing changes in IT systems, software, and processes so that these changes do not introduce new vulnerabilities or compromise security, and so that they comply with both ISO 13485 and ISO 27001 quality management system requirements. This process includes rigorous risk analysis, configuration management, and release processes, along with supplier surveillance and adherence to regulatory compliance standards. By following these practices, organizations can effectively manage changes while maintaining the integrity and security of their systems, ultimately protecting sensitive assets and minimizing risks.

Periodic review of new threats

Cybersecurity threats continuously evolve, and medical device developers must stay vigilant. Regular monitoring of sources such as the CVE database and FDA advisories enables organizations to identify emerging risks that may affect their devices.

Additions to cybersecurity and safety risk analysis

As new threats are identified or updates are made to the device, manufacturers must revisit their risk assessments. Any new risks should be evaluated for their impact on both cybersecurity and patient safety, and corresponding controls should be documented.

 

In summary

Ensuring robust cybersecurity across the entire lifecycle of a medical device, while aligning with evolving regulatory expectations and standards, is no small feat. From initial design through post-market surveillance, the technical, regulatory, and operational demands are significant and continually increasing. For many medical device companies, managing this complexity internally can stretch resources, slow innovation, and introduce risk. As a result, we see developers increasingly recognizing the value of partnering with cybersecurity and regulatory experts.

To learn more about how we work with medtech companies to manage their cybersecurity requirements, get in touch with us today.