Cybersecurity of Medical Devices: Safety as a Condition for Trust

29. June 2026

The digitalization of healthcare brings numerous benefits – from advanced diagnostics to remote patient monitoring. At the same time, the connectivity of medical devices introduces new cybersecurity risks. Attacks on such systems can impact not only data, but also device functionality, potentially affecting patient safety.

For this reason, cybersecurity in medical devices is no longer an additional feature, but a fundamental requirement. Both regulators and manufacturers increasingly recognize that security must be addressed holistically – throughout the entire product lifecycle, from development to deployment and maintenance.

Security starts at the design stage.

Safety starts with design

Modern approaches to medical device development are based on the principle of “security by design.” This means that security requirements are not added at the end, but are integrated into the planning, development, and testing of software from the outset.

A key reference in this area is the IEC 81001-5-1 standard, which focuses on the cybersecurity of health software. It defines processes and activities to ensure that security measures are implemented across the entire lifecycle – from development to maintenance and vulnerability management.

Regulation and standards as a common language

In the field of medical devices, cybersecurity requirements are rapidly evolving. The European MDR regulation and similar frameworks increasingly emphasize the need for demonstrable security. Standards such as:

  • IEC 81001-5-1 (health software),
  • IEC 62443 (industrial systems),
  • as well as other supporting standards and best practices,

are becoming key reference frameworks for manufacturers and testing organizations. Their role is to translate general regulatory expectations into concrete and verifiable activities.

However, it is important to note that standards alone do not guarantee security – what matters most is how the requirements are implemented in practice.

Challenges for manufacturers

Today, medical device manufacturers face growing demands related to:

  • documenting security measures,
  • managing cybersecurity risks,
  • testing and validating security functionalities,
  • monitoring devices throughout their post-market lifecycle.

Regulators have already begun rejecting products that fail to demonstrate adequate cybersecurity measures, highlighting the increasing importance of this area for market access.

There is also a growing need to address cybersecurity early in the development process. Many vulnerabilities do not become evident during laboratory testing but only emerge in real clinical environments, where devices operate as part of complex, interconnected systems. This requires a more systematic approach to software updates and lifecycle management of security patches.

The role of independent verification

In such an environment, independent cybersecurity assessment plays a crucial role. Through technical reviews, testing, and documentation analysis, it enables an objective evaluation of whether a device meets security requirements and whether risks are properly addressed.

Verification is not just about identifying vulnerabilities – it contributes to improving solution quality and building trust among manufacturers, regulators, and end users.

Co-creating safety in healthcare

Today, cybersecurity of medical devices is a shared responsibility – involving manufacturers, healthcare organizations, regulators, and expert institutions. Only through collaboration and a consistent approach to security can we ensure that new technologies truly contribute to safer and more effective healthcare.

Safety does not happen by itself – it is co-created.

In short:

Co-creating safety in healthcare

Cybersecurity in medical devices is no longer just an IT topic – it directly impacts patient safety and trust.

Connected medical devices bring advanced healthcare capabilities but also introduce new risks. That’s why security must be embedded from the very beginning – in design, development, and throughout the entire product lifecycle.

Standards such as IEC 81001-5-1, along with broader cybersecurity frameworks, help manufacturers structure risk management and ensure a lifecycle-based approach to security.

The key message is simple: security is not achieved by design alone – it is created through testing, validation, and continuous improvement.

More information:
Gregor Zakrajšek
E-mail: gregor.zakrajsek@siq.si
Tel.: +386 1 4778 034