The Food and Drug Administration (FDA) has brought to light an age-old problem with medical IT systems: many are excessively vulnerable because they are based on legacy equipment from 20 or more years ago that was not built with cybersecurity in mind.

In its report dated June 2025, the FDA said that for medical device manufacturers to build Secure-by-Design products, they must include the following standards: NIST’s Federal Information Processing Standards (FIPS 140-2 and 140-3), CISA cybersecurity guidelines, and industry standard routing requirements.

This news from the FDA was considered important because much of the news coming out of the FDA and the Department of Health and Human Services (HHS) during the tenure of Secretary Robert F. Kennedy Jr. has been in opposition to conventional notions about science and technology. This white paper demonstrated that the agency intends to build on some of its past work around medical device cybersecurity.

“The first notable FDA guidance related to cybersecurity in medical devices was released in January 2005,” said Agnidipta Sarkar, chief evangelist at ColorTokens. “The regulation has evolved over time and has rightfully focused on building cybersecurity, considering that the number of attacks continues to rise, irrespective of increased investments.”

However, Sarkar pointed out that, years later, not many have clearly understood that the regulation requires cybersecurity-by-design, and not just an expensive machine. Sarkar said the regulation expects enterprises to establish visibility, control unnecessary traffic, and ensure that lateral movement between zones gets controlled.

“Today, this is essential and urgent,” said Sarkar. 
“There needs to be a clear focus on designing cybersecurity for medical devices in a manner that focuses upon breach readiness by focusing on the effect of a cyberattack on the priority of saving lives by protecting critical assets and their communications.”

Russell Teague, chief strategist and CISO at Fortified Health Security, added that the FDA’s latest warning underscores an urgent but often overlooked reality: the cybersecurity posture of medical devices begins long before those devices reach patient care settings; it begins in the manufacturing of those OT devices.

“The risks outlined in this report are not hypothetical,” said Teague. “They are actively shaping the resilience of our supply chains, the reliability of patient care, and the safety of our technology-dependent healthcare system.”

Teague said that if medical manufacturing environments remain vulnerable, the risk extends beyond device design. It impacts availability, reliability, and even national preparedness for public health emergencies. Teague added that providers risk delayed procedures because of unavailable equipment.

“Payers may face rising costs tied to care delays or substitutions,” said Teague. “Health tech manufacturers must now operate with a dual responsibility: delivering innovation and ensuring security from the ground up.”

Nivedita Murthy, senior staff consultant at Black Duck, pointed out that many of these medical devices communicate with each other using old protocols, so upgrading one component requires ensuring that all the others are upgraded to the latest secure protocol. To understand the size of this problem, one need only generate a hardware bill of materials of all components used in a medical device and look at how varied it is in terms of producers and age. 
“With rapid advancement in digitalization including the medical industry, vendors need to remember that the old software world is gone, giving way to the new set of truths defined by AI and global software regulations,” said Murthy. “As an industry, there’s a need to unleash innovation by defining new ways to manufacture these devices keeping in mind security and technological advancements in the era of accelerating risk. Adhering to some of the standard network security best practices as also required in FIPS standards would help a long way in advancing and improving the security posture in this field.”