Weekly Medical Device Cybersecurity Briefing - May 25

Weekly Medical Device Cybersecurity Briefing - May 25

Weekly Briefing: The High Stakes of MedTech Compliance and ProcurementThis week, we dive into the intensifying global regulatory landscape and a major shift in how hospitals buy technology. Key highlights include: * FDA Enforcement & EUDAMED Deadlines: The FDA is now in full "implementation mode" for QMSR-aligned cybersecurity, with reviewers increasingly flagging submissions that lack VEX data alongside mandatory SBOMs. Meanwhile, the EU’s EUDAMED modules become mandatory this Thursday, May 28, meaning any new device not registered can no longer be legally placed on the market. * A Shift in Procurement: New data reveals a structural shift in the market—56% of healthcare organizations have rejected a medical device due to cybersecurity concerns, up significantly from last year. We discuss why SBOMs and Coordinated Vulnerability Disclosure (CVD) programs have transitioned from "best practices" to essential commercial differentiators. * EU AI Act Relief: We break down the provisional political agreement that grants medical device manufacturers a 12-to-16-month extension for EU AI Act compliance, moving deadlines for some high-risk systems to late 2027 and 2028. * Threat Intelligence: An analysis of the March 2026 Stryker wiper attack serves as a critical case study in IT/OT boundary risks, illustrating how an enterprise IT compromise can disrupt global manufacturing and shipping operations. Stay ahead of the deadlines with our breakdown of the UK MHRA’s new draft regulations and the projected rise in AI-enabled attacks targeting the health sector in 2026.

Weekly Medical Device Cybersecurity Briefing - May 11

The provided briefing outlines a volatile cybersecurity landscape for the medical technology industry as of May 2026, characterized by increasingly sophisticated AI-driven threats and high-profile data breaches. Current data reveals that healthcare organizations are tightening procurement standards, frequently rejecting vendors who fail to provide comprehensive security documentation like Software Bills of Materials. Regulators in both the United States and the European Union are responding with stricter oversight, including mandatory incident reporting and the integration of security into quality management systems. Significant updates to international standards, specifically the pending release of IEC 62304 Edition 2, aim to modernize software lifecycle processes to include artificial intelligence and robust security activities. Manufacturers are urged to align their internal protocols with these evolving global requirements to ensure market access and patient safety. This comprehensive overview serves as a strategic roadmap for navigating the legal, technical, and operational challenges facing modern medical device development.

Digesting the new MITRE white paper on cybersecurity risk assessment for Evolving Medical Device Technologies

This report from The MITRE Corporation outlines critical cybersecurity risk managementstrategies for medical devices utilizing modern, high-tech innovations. It specifically examines the integration of cloud computing, artificial intelligence and machine learning (AI/ML), and post-quantum cryptography (PQC) within the healthcare sector. The text identifies unique threats, such as data poisoning in AI models and quantum computing attacks on traditional encryption, which could jeopardize patient safety. To counter these vulnerabilities, the authors recommend adopting resilient architectures, utilizing Software Bills of Materials (SBOMs), and establishing clear governance frameworks between manufacturers and providers. Ultimately, the document serves as a comprehensive guide for maintaining device security throughout their entire product lifecycle in a rapidly shifting technological landscape.

Understanding FDA's new Cyberdevice Inspection Guidelines

FDA released an updated compliance manual which includes a separate section on Cybersecurity. During a domestic inspection, investigators evaluate cybersecurity by reviewing whether "cyber devices" conform to the specific statutory requirements established in Section 524B(b)(2) of the FD&C Act. This podcast walks through the impact of this on medical device manufacturers and discusses areas to be aware and prepared for.

Understanding how cybersecurity weaves into FDA's new Computer Software Assurance guidance

The U.S. Food and Drug Administration (FDA) has issued a comprehensive guidance titled “Computer Software Assurance for Production and Quality System Software“ [https://www.fda.gov/regulatory-information/search-fda-guidance-documents/computer-software-assurance-production-and-quality-system-software-0] on 23rd September 2025, which presents nonbinding recommendations for validating computers and automated data processing systems used in medical device production or within the quality system. Prepared by the Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER), this document establishes a risk-based framework for Computer Software Assurance (CSA)—that specifically integrates modern concepts, including cybersecurity requirements, directly into quality assurance activities. Detailed articles can be found here https://aktriva.com/articles/cybersecurity-in-quality-fdas-guidance-on-computer-software-assurance/