Medical Device Cybersecurity Testing

Medical Device Cybersecurity Testing and Penetration Testing

GLOBAL STANDARDS · LOCAL SERVICE

Secure Vectors × Applus+ Laboratories work together to help manufacturers meet medical device cybersecurity compliance requirements across different regulatory regimes. The Applus+ cybersecurity laboratory holds A2LA, PJLA and CNAS accreditation with 250+ cybersecurity specialists, dedicated to security assessments and penetration testing, backed by a global network spanning Shanghai, Spain, the US, Canada and Australia. Secure Vectors serves as your single point of contact in Taiwan for local engagement and end-to-end project delivery.

What Is Medical Device Cybersecurity?

Cybersecurity for medical devices is essential to protecting patient data and lives, and to shielding healthcare organizations from ransomware attacks. As medical devices and their connectivity evolve, cyber threats continue to develop and introduce new risks. Medical device cybersecurity risk is multifaceted, demanding up-to-date certifications and standards together with thorough cybersecurity assessment.

Effective risk management means strengthening the entire lifecycle process to identify vulnerabilities and hardening protection through rigorous penetration testing.

Why Medical Device Cybersecurity Matters

  • Protect patient safety — prevent compromised pacemakers or insulin pumps from failing or delivering incorrect doses
  • Prevent exposure of health records, identity theft and loss of patient confidentiality
  • Defend against ransomware attacks and keep healthcare systems operational
  • Meet mandatory requirements from FDA, EMA, NMPA and other authorities, avoiding recalls or bans
  • Obtain compliance evidence for EU, US and international market entry
  • Strengthen product cyber resilience and reduce post-market safety concerns

Applicable Regulations & Standards

Given the risks involved, medical device cybersecurity must be tested against rigorous international and national standards. Secure Vectors × Applus+ can support the following:

  • FDA US medical device cybersecurity guidance — quality system considerations and premarket submission content
  • MDCG 2019-16 EU medical device cybersecurity guidance — reference framework for Notified Body review
  • IEC TR 60601-4-5 medical device cybersecurity standard — a technical roadmap for global cybersecurity standards
  • IEC 81001-5-1 security lifecycle standard for health software and health IT systems
  • EN 18031 RED Article 3.3 wireless cybersecurity standard — required for devices with wireless functionality
  • Section 524B: FDA 510(k) submissions must include a complete SBOM, a threat model and a penetration testing report

Cybersecurity Testing Process

Using FDA-required cybersecurity testing as an example, the process ensures the safety and effectiveness of medical devices and includes the following stages:

STEP 01

Security Requirements (performed by the manufacturer) — define the security objectives and controls the device must meet

STEP 02

Threat Modeling & Mitigation (performed by the manufacturer) — identify the attack surface and plan corresponding mitigations

STEP 03

Vulnerability Testing (performed by the manufacturer or an independent third party) — detect known and potential weaknesses

STEP 04

Penetration Testing (performed by an independent third party) — simulate real attacks to validate the effectiveness of protections

Core Services

Penetration Testing

Secure Vectors × Applus+ offers a broad range of penetration testing services to evaluate a system's ability to withstand attacks and unauthorized access. By simulating cyberattacks, we assess vulnerabilities across each component of a medical device and recommend security measures grounded in our expertise. Penetration testing conducted by the Applus+ expert laboratory not only strengthens a product's cyber resilience but also demonstrates compliance with the cybersecurity requirements set by regulators worldwide, such as the US FDA.

Gap Analysis

Our team can also support global manufacturers by verifying whether their products comply with the specific standards or guidelines required by regulators. We review the documentation produced by the manufacturer to determine whether it meets a given standard and to identify any gaps or potential challenges, then analyze, advise on, and help prepare the required documentation before submission to the regulator.

For FDA cybersecurity testing, for example, Secure Vectors × Applus+ offers an optional service that reviews manufacturer documentation prior to premarket submission, focusing on 1) security requirements, 2) threat mitigation, and 3) vulnerability testing — analyzing whether the defined security requirements align with the security concerns identified in the threat model, along with stated assumptions and the applicability of vulnerability testing.

Why Secure Vectors × Applus+

  • Local testing capability: an A2LA / PJLA / CNAS-accredited cybersecurity lab able to perform IEC 81001-5-1 and EN 18031 testing
  • [Save Resources] – 250+ security experts: a cross-border expert team supporting all kinds of medical device security assessments, with global lab collaboration
  • [Save Communication] – Single point of contact in Taiwan: Secure Vectors as the Applus+ strategic partner in Taiwan, removing cross-border communication barriers
  • [Save Rework] – Cybersecurity + safety in one place: connected devices no longer need to be sent to multiple separate testing bodies
  • [Save Rework] – Dual EU/US submission: one set of security evidence mapped to both EU MDR and US FDA review formats

Book a Free Consultation

Talk to the Secure Vectors cybersecurity testing and certification team to plan the most efficient path to compliance for your product
