Cybersecurity in Medical Devices: EU MDR and FDA Requirements
Why Cybersecurity is Now a Regulatory Requirement
Connected medical devices — infusion pumps with hospital network connectivity, pacemakers with wireless monitoring, MRI systems linked to PACS, and cloud-connected diagnostic platforms — are potentially vulnerable to cyberattacks that could harm patients. Regulatory bodies have responded: the EU MDR explicitly requires cybersecurity risk management, and the FDA issued binding cybersecurity guidance in 2023 that makes pre-market cybersecurity documentation a condition of device approval.
EU MDR Cybersecurity Requirements
EU MDR (2017/745) Annex I (General Safety and Performance Requirements) includes specific requirements for devices that incorporate software or are connected to IT networks. Key requirements include: devices must be designed to minimise the risk of unauthorised access, devices must be capable of receiving security updates, and manufacturers must implement secure data transmission and storage. MDCG 2019-16 provides detailed guidance on cybersecurity for medical devices and is the primary reference for EU MDR technical file preparation.
FDA Cybersecurity Requirements (2023 Omnibus Guidance)
The Consolidated Appropriations Act, 2023 (which added Section 524B to the Federal Food, Drug, and Cosmetic Act) made cybersecurity requirements legally binding for all devices that connect to the internet, a network, or another device. Manufacturers must: submit a software bill of materials (SBOM) with 510(k) and PMA submissions, demonstrate a post-market cybersecurity update plan, provide evidence of threat modelling, and show testing against known vulnerabilities. The FDA also requires a Cybersecurity Management Plan that covers the device's supported lifetime.
Threat Modelling: The Foundation of Device Cybersecurity
Threat modelling is the systematic process of identifying potential threats to a medical device's software and connectivity interfaces. The STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is widely used in medical device cybersecurity. Threat modelling outputs directly inform security architecture decisions, risk control measures, and penetration testing scope. Both the FDA and EU MDR expect evidence of systematic threat modelling in regulatory submissions.
Security Testing Requirements
Both regulators expect evidence of security testing proportionate to the device's risk profile. Required testing typically includes: static application security testing (SAST) of source code, dynamic application security testing (DAST) against the running application, network penetration testing for connected devices, fuzzing (malformed input testing) for communication interfaces, and third-party component vulnerability scanning. Test results must be documented, risks identified from vulnerabilities must be managed under ISO 14971, and residual risks must be acceptable.
Software Bill of Materials (SBOM): Now Mandatory
The FDA now requires an SBOM: a complete inventory of all software components, including third-party libraries and open-source components, with version numbers and known vulnerability status. The SBOM enables post-market vulnerability monitoring: when a new CVE (Common Vulnerabilities and Exposures) is published for a component in your SBOM, you must assess the patient safety impact and respond accordingly. Automated SBOM generation tools are available and produce the standard CycloneDX and SPDX formats; maintaining a live SBOM throughout the device life cycle is becoming standard practice.
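The monitoring step described above, as an added illustration that is not part of the original article: a CycloneDX-style SBOM is checked against incoming advisories to find components shipped below the first fixed version. The SBOM contents, component names, versions and advisory identifiers are all constructed placeholders, not real CVEs.

```python
import json

# Constructed CycloneDX 1.5 SBOM fragment for a hypothetical infusion-pump
# controller; component names, versions and advisory IDs are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "mbedtls", "version": "2.28.3",
     "purl": "pkg:generic/mbedtls@2.28.3"},
    {"type": "library", "name": "lwip", "version": "2.1.3",
     "purl": "pkg:generic/lwip@2.1.3"}
  ]
}
"""

# Constructed advisory feed: component name plus the first fixed version.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "mbedtls", "fixed_in": "2.28.5"},
    {"id": "ADV-PLACEHOLDER-2", "name": "lwip", "fixed_in": "2.1.2"},
    {"id": "ADV-PLACEHOLDER-3", "name": "zlib", "fixed_in": "1.3.1"},
]

def parse_version(v):
    """Turn '2.28.3' into (2, 28, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def affected_components(sbom_json, advisories):
    """Return advisories that hit SBOM components shipped at a version older
    than the first fixed version; each hit feeds the safety-impact assessment."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unexpected SBOM format")
    by_name = {c["name"]: c["version"] for c in sbom["components"]}
    hits = []
    for adv in advisories:
        shipped = by_name.get(adv["name"])
        if shipped is None:
            continue                       # component not in this device
        if parse_version(shipped) < parse_version(adv["fixed_in"]):
            hits.append({"advisory": adv["id"], "component": adv["name"],
                         "shipped": shipped, "fixed_in": adv["fixed_in"]})
    return hits

if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} {hit['shipped']} "
              f"< {hit['fixed_in']} -> assess patient-safety impact (ISO 14971)")
```

Real advisory feeds express affected version ranges and should be matched on the package URL (purl) rather than a bare name, and dotted-integer comparison is only adequate for components that actually version that way.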
Post-Market Cybersecurity Obligations
Cybersecurity is a post-market surveillance obligation, not just a pre-market activity. Manufacturers must monitor for newly discovered vulnerabilities in their software stack, respond to reported cybersecurity incidents, issue security patches and updates within defined timeframes, and communicate with customers and health authorities when significant vulnerabilities are identified. The FDA expects a coordinated vulnerability disclosure policy; in the EU, serious cybersecurity incidents may constitute reportable 'serious incidents' under MDR post-market surveillance requirements.
Conclusion
Cybersecurity is no longer an optional feature of medical device development — it is a regulatory, patient safety, and commercial imperative. Turkish medical device manufacturers with connected products who invest in systematic cybersecurity programmes will not only achieve regulatory compliance but will differentiate themselves from competitors who treat security as an afterthought.
turkishmedicalindex.com