Learning Center
Medical Device Cybersecurity
Every connected medical device today is a software product—and most of that software is assembled from open source. While that accelerates development, it also introduces hidden landmines: outdated components, incompatible licenses, and known vulnerabilities that can derail both regulatory approval and commercial transactions.
Cybercriminals target both the devices and the ecosystems that support them, yet the software supply chain remains one of the most underestimated risks in device evaluation.
Examples of Medical Device Cyberattacks and Recalls
- Reverse backdoor vulnerability on patient monitor
- CISA warned of a severe vulnerability in a cardiac device
- Increasing risks in IoT-connected implants, like pacemakers and insulin pumps
Threat Modeling
Threat modeling ensures you're prepared to mitigate risks, reduce vulnerabilities, and avoid costly compromises. The FDA recommends threat modeling throughout the design process to inform and support risk analysis, covering all elements of the device system. There are specific considerations the FDA suggests for the threat model, such as:
- Identify medical device system risks and mitigations as well as inform the pre- and post-mitigation risks considered as part of the cybersecurity risk assessment
- State any assumptions about the medical device system or environment of use (e.g., hospital networks are inherently hostile, therefore manufacturers are recommended to assume that an adversary controls the network with the ability to alter, drop, and replay packets)
- Capture cybersecurity risks introduced through the supply chain, manufacturing, deployment, interoperation with other devices, maintenance/update activities, and decommission activities that might otherwise be overlooked in a traditional safety risk assessment process
This blog post dives into some helpful techniques for your team to consider.
Third-Party Software Risk
Third-party risk management is an important part of protecting your organization. You likely know the process of examining and mitigating risks from your vendors, contractors, partners, etc. Most third-party risk management is focused on commercial relationships where you have contracts that put requirements on your third parties and include some form of relief if they don’t meet their obligations. But how do you manage the risks of open source software when software is provided as-is and you have no vendor relationship?
These two blogs provide expert perspectives on analyzing and addressing third-party risk in open source software.
Why SBOMs Matter in Device Safety and Market Readiness
Without a Software Bill of Materials (SBOM), the open source risks described above (outdated components, incompatible licenses, known vulnerabilities) stay hidden until they become real-world problems: delays in approval, post-market recall exposure, or costly liability during an acquisition.
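To make concrete what an SBOM surfaces, here is an added example, not the page's or any vendor's tooling, that reads a minimal CycloneDX-style SBOM and flags the three risks named above: components affected by a known advisory, components behind their latest release, and licenses that a device's distribution policy does not permit. The SBOM fragment, the advisory list, the "latest version" table and the license policy are all constructed for illustration; in practice the advisories and latest versions come from a vulnerability feed and package registry.

```python
"""Added example: turning an SBOM into findings.  The SBOM, advisories,
latest-version table and license policy below are constructed for the
example and do not describe any real component or advisory."""
import json

# Constructed SBOM fragment in CycloneDX 1.4 shape (components only).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "netparse", "version": "0.9.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "logfmt", "version": "2.0.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed advisories: (component, first fixed version, advisory id).
ADVISORIES = [
    ("libexample-tls", "1.2.4", "EXAMPLE-ADV-001"),
    ("netparse", "0.9.0", "EXAMPLE-ADV-002"),   # already fixed in 0.9.1
]

# Constructed "latest known release" table for the staleness check.
LATEST = {"libexample-tls": "1.2.4", "netparse": "1.0.0", "logfmt": "2.0.0"}

# Constructed policy: licenses not acceptable in firmware shipped to customers.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def vtuple(version: str) -> tuple:
    """Compare dotted numeric versions as integer tuples (1.2.10 > 1.2.9)."""
    return tuple(int(part) for part in version.split("."))


def analyze(sbom_text: str = SBOM_JSON) -> list:
    """Return (component, category, detail) findings for every component."""
    findings = []
    for comp in json.loads(sbom_text)["components"]:
        name, ver = comp["name"], comp["version"]
        # Known vulnerability: installed version is older than the fix.
        for adv_name, fixed, adv_id in ADVISORIES:
            if adv_name == name and vtuple(ver) < vtuple(fixed):
                findings.append((name, "vulnerable", f"{adv_id}: fixed in {fixed}"))
        # Outdated: a newer release exists even if no advisory names it.
        latest = LATEST.get(name)
        if latest and vtuple(ver) < vtuple(latest):
            findings.append((name, "outdated", f"{ver} < {latest}"))
        # License: flag denied licenses and components with none declared.
        licenses = comp.get("licenses", [])
        if not licenses:
            findings.append((name, "license", "none declared"))
        for entry in licenses:
            lic_id = entry.get("license", {}).get("id")
            if lic_id in DENIED_LICENSES:
                findings.append((name, "license", lic_id))
    return findings


if __name__ == "__main__":
    for name, category, detail in analyze():
        print(f"{name:16} {category:11} {detail}")
```

A component with no declared license is reported as a finding rather than silently passed, since an undeclared license is exactly the kind of issue that surfaces late in an acquisition or submission review.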
With the SBOM, you get:
Key Resources
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions