Cybersecurity
A cybersecurity risk assessment for a medical device must do something that a general IT risk assessment does not: connect cybersecurity vulnerabilities to potential patient safety impacts. FDA expects manufacturers to understand not just that their device could be compromised, but what that compromise would mean for clinical outcomes.
Risk Assessment Methodology
Threat modeling is the systematic identification of potential attack paths against a medical device or system. For FDA submissions, threat modeling demonstrates that the manufacturer has analyzed the device's attack surface and identified the cybersecurity threats that could lead to device compromise or misuse. FDA's 2023 cybersecurity guidance references threat modeling as an expected element of premarket cybersecurity documentation, and reviewers look for evidence that the threat model is comprehensive — covering network interfaces, software components, physical access paths, and the clinical environment in which the device will be deployed.
STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is the most widely applicable threat modeling framework for medical devices. STRIDE analysis systematically evaluates each component of the device architecture against each threat category, producing a structured enumeration of threats that drives the subsequent risk assessment and security control selection. We apply STRIDE in the context of the device's specific clinical use case — the consequences of a Denial of Service attack on a ventilator controller differ fundamentally from those affecting a fitness tracker, and the risk assessment must reflect that clinical context.
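The enumeration described above, as an added example (not the page's own tooling or any manufacturer's threat model): the device model is a constructed, simplified ventilator controller, and the rule for which STRIDE categories apply to each element type follows the STRIDE-per-element convention from Microsoft's SDL threat modeling. The priority rule at the end is a deliberately simple placeholder for the manufacturer's own ISO 14971 severity and probability scheme; its only point is that clinical hazard, not technical novelty, drives the ranking.

```python
"""STRIDE-per-element enumeration for a medical device data-flow diagram.

Added example, not code from the page. The device model is constructed; the
element types and the STRIDE letters applicable to each follow the
STRIDE-per-element convention (Microsoft SDL threat modeling).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class ElementType(Enum):
    EXTERNAL_ENTITY = "external entity"
    PROCESS = "process"
    DATA_STORE = "data store"
    DATA_FLOW = "data flow"


# STRIDE-per-element: which categories apply to each element type.
# S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege
APPLICABLE = {
    ElementType.EXTERNAL_ENTITY: "SR",
    ElementType.PROCESS: "STRIDE",
    ElementType.DATA_STORE: "TRID",
    ElementType.DATA_FLOW: "TID",
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: ElementType
    # Clinical hazard (ISO 14971 language) if this element is compromised;
    # None when compromise has no direct patient-safety consequence.
    hazard: Optional[str] = None
    # True when the element is reachable from outside the device trust boundary.
    exposed: bool = False


@dataclass(frozen=True)
class Threat:
    element: str
    category: str  # one STRIDE letter
    hazard: Optional[str]
    exposed: bool

    @property
    def description(self) -> str:
        return f"{CATEGORY_NAMES[self.category]} of {self.element}"

    @property
    def priority(self) -> str:
        # Placeholder ranking: hazard AND external reachability -> high,
        # either alone -> medium, neither -> low. Replace with the device's
        # ISO 14971 severity/probability matrix in a real risk file.
        if self.hazard and self.exposed:
            return "high"
        if self.hazard or self.exposed:
            return "medium"
        return "low"


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """One threat per (element, applicable STRIDE category) pair."""
    return [
        Threat(e.name, c, e.hazard, e.exposed)
        for e in elements
        for c in APPLICABLE[e.kind]
    ]


def threats_by_priority(elements: List[Element]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for t in enumerate_threats(elements):
        out[t.priority].append(t.description)
    return out


# Constructed model of a network-connected ventilator controller.
VENTILATOR = [
    Element("Clinician at bedside UI", ElementType.EXTERNAL_ENTITY),
    Element("Hospital network (HL7/FHIR gateway)", ElementType.EXTERNAL_ENTITY,
            exposed=True),
    Element("Remote-monitoring service", ElementType.PROCESS, exposed=True),
    Element("Ventilation control loop", ElementType.PROCESS,
            hazard="loss of ventilation or wrong tidal volume"),
    Element("Therapy settings store", ElementType.DATA_STORE,
            hazard="silent change of prescribed settings"),
    Element("Setpoints: monitoring service to control loop", ElementType.DATA_FLOW,
            hazard="unauthorized setting change", exposed=True),
]


if __name__ == "__main__":
    for level, items in threats_by_priority(VENTILATOR).items():
        print(f"[{level}]")
        for d in items:
            print("  ", d)
```

The output is the raw threat register: 23 entries for six elements, with the three threats against the externally reachable setpoint flow (tampering, disclosure, denial of service) ranked highest because that flow both crosses the trust boundary and can change therapy. Each entry then needs a control and a residual-risk judgement in the risk file; the enumeration only guarantees nothing was skipped.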
Vulnerability assessment evaluates the identified threats against the device's SBOM and software architecture to identify known and potential vulnerabilities. The Common Vulnerability Scoring System (CVSS) provides a standardized numerical score for vulnerability severity, enabling prioritization of remediation efforts. For medical devices, CVSS scores must be contextualized: a high-severity base score for a software component that has no reachable attack vector in the device's deployment context (for example, a service that is only exposed on a physically isolated port) presents lower residual risk than the raw base score implies. CVSS v3.1's Environmental metrics (Modified Attack Vector and the confidentiality, integrity and availability requirements) are the standard way to express that adjustment, so the contextualized score is reproducible rather than an undocumented judgement. Documenting this contextualization is part of the cybersecurity risk assessment that FDA reviewers evaluate.
IEC 62443, the international standard for industrial automation and control system security, provides a framework increasingly referenced in FDA guidance and adopted in medical device cybersecurity programs. The standard's Security Level (SL) targeting and security control requirements provide a structured approach to cybersecurity risk management that maps to the ISO 14971 risk management process device manufacturers already use for physical safety risks.
Not all cybersecurity risks can be completely mitigated. Residual cybersecurity risk — risk that remains after security controls have been implemented — must be documented and evaluated for acceptability in the context of the device's overall benefit-risk profile. FDA expects manufacturers to demonstrate that residual cybersecurity risks are reasonable in light of the device's clinical benefits, and to document the basis for residual risk acceptance. The cybersecurity risk management file connects the threat model, vulnerability assessment, control implementation, and residual risk documentation into a defensible record of the manufacturer's cybersecurity risk management process.
Section 524B of the Federal Food, Drug, and Cosmetic Act, effective March 29, 2023, requires manufacturers of cyber devices to submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities (including coordinated vulnerability disclosure), to design and maintain processes that provide post-market updates and patches, and to provide a software bill of materials (SBOM). FDA can issue a Refuse to Accept (RTA) decision for submissions of cyber devices that omit these cybersecurity elements.
A Software Bill of Materials (SBOM) is a complete inventory of all software components, libraries, and dependencies in your device. FDA requires it so that when new vulnerabilities are discovered in software components, manufacturers can quickly identify affected devices and assess patient risk — enabling effective post-market surveillance.
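The post-market use of the SBOM described above, as an added example (not the page's or any manufacturer's tooling): a constructed CycloneDX SBOM for a hypothetical device is matched against a constructed advisory list. Component names and advisory identifiers are fictional (no real CVE identifiers are used); advisory ranges follow OSV-style semantics, which I take here as `introduced` inclusive and `fixed` exclusive, with a missing `fixed` meaning all later versions are affected. Versions are assumed to be dotted numeric strings.

```python
"""Match a CycloneDX SBOM against vulnerability advisories.

Added example, not code from the page. SBOM contents, component names,
advisory IDs and clinical roles are all constructed for illustration.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 SBOM for a hypothetical infusion-pump controller.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "device", "name": "ExamplePump", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "netstack-lite", "version": "2.3.1",
     "purl": "pkg:generic/netstack-lite@2.3.1"},
    {"type": "library", "name": "tls-embedded", "version": "1.4.9",
     "purl": "pkg:generic/tls-embedded@1.4.9"},
    {"type": "library", "name": "hl7-parser", "version": "0.9.2",
     "purl": "pkg:generic/hl7-parser@0.9.2"},
    {"type": "operating-system", "name": "rtos-example", "version": "5.1.0",
     "purl": "pkg:generic/rtos-example@5.1.0"}
  ]
}
"""

# Constructed advisories. 'package' is the purl without its version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "pkg:generic/netstack-lite",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.3.4"}],
     "summary": "remote crash in packet reassembly"},
    {"id": "ADV-EXAMPLE-2", "package": "pkg:generic/tls-embedded",
     "ranges": [{"introduced": "1.5.0"}],          # 1.4.9 predates the bug
     "summary": "handshake downgrade"},
    {"id": "ADV-EXAMPLE-3", "package": "pkg:generic/hl7-parser",
     "ranges": [{"introduced": "0.8.0", "fixed": "0.9.0"},
                {"introduced": "1.0.0", "fixed": "1.0.3"}],
     "summary": "malformed segment parsing"},
]

# Constructed: what each component does in the device, so a hit can be tied
# to a clinical function rather than reported as a bare library name.
CLINICAL_ROLE = {
    "netstack-lite": "network stack carrying remote dose-rate updates",
    "tls-embedded": "transport security for the remote-monitoring link",
    "hl7-parser": "parses order messages from the hospital system",
    "rtos-example": "real-time OS scheduling the pump motor control task",
}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:generic/name@1.2.3' -> ('pkg:generic/name', '1.2.3')."""
    base, _, version = purl.partition("@")
    return base, version


def in_range(version: str, rng: Dict[str, str]) -> bool:
    """OSV-style range: introduced is inclusive, fixed is exclusive."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    if "fixed" in rng and v >= parse_version(rng["fixed"]):
        return False
    return True


def affected_components(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Return one record per (component, advisory) match in the SBOM."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] != base:
                continue
            if any(in_range(version, r) for r in adv["ranges"]):
                hits.append({
                    "device": sbom["metadata"]["component"]["name"],
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "summary": adv["summary"],
                    "clinical_role": CLINICAL_ROLE.get(comp["name"], "unknown"),
                })
    return hits


if __name__ == "__main__":
    for h in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{h['device']}: {h['component']} {h['version']} affected by "
              f"{h['advisory']} ({h['summary']}); role: {h['clinical_role']}")
```

Only netstack-lite 2.3.1 matches: tls-embedded 1.4.9 predates its advisory's introduced version, and hl7-parser 0.9.2 sits between two affected ranges, which is exactly the kind of distinction that is impossible without precise component versions in the SBOM. The clinical_role field is what turns the hit into the patient-risk question the text refers to: a crash in the stack that carries dose-rate updates is a different conversation from the same bug in a logging library.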
FDA reviewers assess whether the threat model is comprehensive, whether vulnerabilities are scored with appropriate clinical context (not just raw CVSS scores), whether security controls adequately address identified threats, and whether residual risk is documented and justified in the context of the device's clinical benefit-risk profile.
Get Started
FDA expects cybersecurity risk assessments to demonstrate clinical context, not just technical vulnerability scoring. We build cybersecurity risk files that satisfy FDA's expectation that manufacturers understand what device compromise means for patients.