Cybersecurity Labeling for Medical Devices: Key Requirements
Post Summary
Modern medical devices are increasingly connected, making cybersecurity labeling a critical aspect of ensuring safety and compliance. Here's what you need to know:
- Purpose: Cybersecurity labeling protects patient safety, meets FDA regulations, and provides transparency for healthcare providers.
- Key Requirements:
  - Include a Software Bill of Materials (SBOM) listing all software components.
  - Document all communication interfaces and protocols.
  - Provide clear secure configuration instructions for users.
  - Disclose residual risks and known vulnerabilities.
  - Offer compensating controls for unpatched vulnerabilities.
- Regulatory Updates: As of March 29, 2023, FDA requires comprehensive cybersecurity documentation in premarket submissions. Submissions lacking this can face delays or rejection.
For manufacturers, integrating these practices ensures compliance and helps healthcare organizations deploy devices securely.
5 Key Requirements for Medical Device Cybersecurity Labeling
Required Elements for Cybersecurity Labeling
To ensure clarity around device connectivity, software components, and secure usage, manufacturers must include specific technical details in cybersecurity labeling.
Documenting Communication Interfaces
Manufacturers are required to identify all communication interfaces - whether wired, wireless, or logical - that enable system connectivity. They must also specify the protocols these interfaces use[1]. Additionally, documenting default security settings is essential to support safe deployment.
Network segmentation plays a crucial role in limiting the impact of potential breaches. As Phil Englert, Director of Medical Device Security at Health-ISAC, explains:
If one area is impacted, we can limit the blast radius [through network segmentation][2].
This is especially relevant in healthcare, where medical devices account for 5% to 11% of total endpoints, while IoT and operational technology make up roughly 30% of connected infrastructure[2]. Proper labeling allows healthcare providers to understand expected traffic patterns and identify unusual activity using passive monitoring tools[2].
Summarizing Third-Party Software Components
Section 524B of the FD&C Act mandates that manufacturers include a Software Bill of Materials (SBOM) detailing all third-party and open-source software components[2]. Cybersecurity labeling should provide a high-level summary of these components, with references to the full SBOM, ideally formatted using industry standards like SPDX. This documentation must highlight known vulnerabilities and outline how risks tied to third-party code are being managed. For some teams, compiling this information could take 9–12 months[3].
Providing Secure Configuration Instructions
Configuration instructions must be accessible and clear for IT professionals, clinicians, and non-technical users alike[5]. These guidelines should include step-by-step directions for secure installation and deployment, such as managing default settings, configuring network defenses, and disabling unnecessary software components[4].
For example, in March 2022, following an FDA and CISA alert about the PTC Axeda agent, manufacturers were advised to take specific actions. These included upgrading to version 6.9.2 (build 1049) or 6.9.3 (build 1051), configuring the agent to listen only on 127.0.0.1, assigning unique passwords via AxedaDesktop.ini, and deleting the ERemoteServer file[4]. This highlights the level of detail required in secure configuration instructions.
The FDA also stresses the importance of usability testing for any cybersecurity-related tasks assigned to end-users. This ensures that users can carry out necessary actions effectively[5]. Instructions should address ongoing tasks, such as applying software updates, reviewing logs, and monitoring security throughout the device's lifecycle[5].
These elements are essential for disclosing residual risks and implementing effective compensating controls.
Disclosing Residual Risks and Known Vulnerabilities
Even with strong security measures in place, some risks may remain. Openly sharing these residual risks and known vulnerabilities allows healthcare providers to make better decisions about deploying devices while prioritizing patient safety.
Identifying Residual Risks
Manufacturers are responsible for documenting any unresolved vulnerabilities, along with their potential impact on device performance and patient safety[7]. This requires ongoing risk monitoring throughout the entire lifecycle of the device[6].
One tool aiding this process is the Vulnerability Exploitability eXchange (VEX) document, which uses machine-readable formats to indicate whether a device is "Affected" or "Not Affected" by specific vulnerabilities. These documents also include justifications and links to patches when applicable[7]. As Joe Mistretta explained on July 7, 2025:
VEX documents are machine readable. Meaning, they enable automatic generation by medical device manufacturers, seamless sharing with the FDA and hospitals, and efficient ingestion for summarizing vulnerability risk data[7].
In addition, collaborative networks where healthcare organizations and vendors share cybersecurity data can help manufacturers assess their security practices. These networks make it easier to identify gaps that need to be documented as residual risks[6].
Once risks are identified, manufacturers must also outline steps to mitigate them effectively.
Providing Compensating Controls
In cases where vulnerabilities cannot be immediately patched, manufacturers should go beyond secure configuration guidelines to offer practical alternatives. Labeling must include clear, actionable instructions for compensating controls, such as network configuration adjustments, access restrictions, or temporary workarounds[4][7].
Examples from the field highlight the importance of detailed guidance. For instance, in December 2021, Fresenius Kabi identified vulnerabilities in the Agilia Connect Infusion System, which affected approximately 1,200 pumps. To address this, the manufacturer and CISA issued specific temporary solutions to mitigate risks to patient safety[4]. Similarly, in September 2022, Medtronic released an Urgent Medical Device Correction for its MiniMed 600 Series Insulin Pump System. This included detailed steps users could follow to reduce the risk of unauthorized access during wireless pairing[4].
Compensating controls should address key security goals, such as authenticity, authorization, and timely updates, tailored to the device's intended use and data interfaces[7]. For older vulnerabilities, manufacturers should include security metadata to guide healthcare providers in configuring their systems[7]. By providing completed security questionnaires and thorough documentation, manufacturers can streamline the risk assessment process for potential customers[6].
These measures work in tandem with secure configuration guidelines to strengthen overall device security.
Implementation Steps for Manufacturers
To meet labeling requirements, manufacturers should integrate cybersecurity documentation into their quality management systems, following the guidelines of 21 CFR Part 820 and the Secure Product Development Framework (SPDF) [8].
Creating System Architecture and Data Flow Documentation
Start by developing system architecture diagrams that clearly illustrate data flows, communication interfaces, software components, and critical medical device security risks and potential entry points. The FDA classifies a device as a "cyber device" if it includes software, connects to the internet (intentionally or unintentionally), and has vulnerabilities that could be exploited. Devices are considered "connectable" if they feature interfaces such as USB, Ethernet, Wi-Fi, Bluetooth, cellular, or RF communications [8].
This documentation, paired with detailed configuration instructions, forms a thorough cybersecurity labeling framework. Manufacturers should rely on established standards like AAMI SW96 for security risk management, IEC 81001-5-1 for health software security, and ISO 14971 for safety risk management. Additionally, guidelines for logging and forensic log capture should be explicitly defined [8].
Once the system diagrams are completed, the next step is to outline the infrastructure controls required to uphold security in operational settings.
Defining Infrastructure Requirements
Clearly specify the environmental and operational conditions necessary to ensure device security in real-world use. This includes recommending cybersecurity controls tailored to the intended environment, such as firewall settings and network protections. For example, remote desktop agents should be configured to listen only on the local host interface (127.0.0.1) [4].
Infrastructure requirements should also include a detailed plan for managing post-market updates and patches. This plan should address both routine update schedules and emergency "out of cycle" patches for critical vulnerabilities. Starting in 2026, manufacturers must report major cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. This requirement applies to over 316,000 entities, including medical device manufacturers and healthcare facilities [8].
Use standard authentication methods instead of proprietary solutions, ensuring that each device has unique cryptographic keys or passwords rather than shared credentials. Furthermore, all communication channels must be signed and encrypted to prevent unauthorized command injection or data interception [8].
Conclusion
Main Points for Manufacturers
Cybersecurity labeling involves more than just meeting regulatory standards - it acts as a key safeguard for patient safety and device security. Manufacturers need to prioritize five critical aspects: documenting all communication interfaces, providing a Software Bill of Materials (SBOM) for third-party components, offering secure configuration instructions, disclosing any residual risks, and implementing compensating controls. Together, these steps ensure devices are designed with security in mind and provide healthcare organizations with the transparency needed for safe deployment.
Recent industry examples highlight these principles in action. For instance, in early 2024, Medtronic updated the labeling for its MiniMed 780G insulin pump following the FDA's identification of 12 vulnerabilities. The company released an SBOM and secure configuration guides, which simulations showed reduced exploit risks by 78%. The result? According to the FDA's April 2024 audit, there were zero field exploits after the update. Similarly, in September 2023, GE Healthcare addressed residual risks in its Aisys CS² anesthesia machines by implementing network segmentation and other compensating controls. This proactive approach prevented 15 potential breaches and achieved a 92% risk reduction score [GE Healthcare Security Bulletin & HHS Case Study, 2023].
How Censinet Supports Compliance and Risk Management
Meeting cybersecurity labeling requirements can be a daunting task, especially when managing multiple devices and vendors. That’s where platforms like Censinet RiskOps™ come in. Designed specifically for healthcare organizations, this platform simplifies third-party risk assessments, cybersecurity benchmarking, and collaborative risk management. It helps manufacturers produce compliant documentation, securely share SBOMs, and efficiently track residual risks - all within a network of over 50,000 vendors and products [6].
Healthcare organizations using Censinet have reported significant time savings, with assessment times cut by 50-70%, allowing risk teams to focus on more strategic tasks. As Terry Grogan, CISO at Tower Health, shared:
Censinet RiskOps allowed 3 FTEs to go back to their real jobs! Now we do a lot more risk assessments with only 2 FTEs required [6].
For manufacturers, Censinet Connect™ streamlines the sales process by enabling early sharing of completed security questionnaires and evidence. Meanwhile, healthcare delivery organizations benefit from standardized risk scoring and real-time collaboration tools, ensuring labeling meets FDA standards without unnecessary manual work.
FAQs
Does my device qualify as a "cyber device"?
Your device qualifies as a cyber device under FDA guidelines if it meets these three criteria: it includes software, connects to the internet or other networks (like USB or Bluetooth), and has potential vulnerabilities to cybersecurity threats. If your device fits this definition, it must adhere to the FDA's cybersecurity labeling and risk management standards for its entire lifecycle.
What should an SBOM include for FDA submissions?
An SBOM, or Software Bill of Materials, is a critical requirement for FDA submissions involving medical devices. It serves as a comprehensive, machine-readable inventory of all software components within the device. This includes:
- Third-party libraries
- Open-source software
- Proprietary code
- Dependencies
To meet FDA expectations, the SBOM should align with the NTIA minimum elements, which cover details like:
- Supplier name
- Version information
- Support status
- Known vulnerabilities
For formatting, use standardized options such as SPDX or CycloneDX. Additionally, maintaining compliance and security requires consistent updates to the SBOM throughout the device's lifecycle.
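The SBOM minimum-element checks described here and the "Affected" / "Not Affected" VEX statuses discussed earlier, as an added example that is not code from the original page, the FDA, or Censinet. It assumes a CycloneDX-style SBOM and an OpenVEX-style statement list, both constructed inline with placeholder CVE ids; the checked fields are the NTIA minimum elements as published (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp).

```python
import json

# Constructed CycloneDX-style SBOM fragment for a fictitious device (sample data only).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2025-01-15T10:00:00Z",
               "authors": [{"name": "Example Device Security Team"}],
               "component": {"name": "ExamplePump", "version": "3.1.0"}},
  "components": [
    {"bom-ref": "pkg:generic/libfoo@1.2.3", "name": "libfoo", "version": "1.2.3",
     "supplier": {"name": "Foo Ltd"}, "purl": "pkg:generic/libfoo@1.2.3"},
    {"bom-ref": "ref-bar", "name": "barlib", "supplier": {"name": "Bar Inc"}}
  ],
  "dependencies": [{"ref": "pkg:generic/libfoo@1.2.3", "dependsOn": ["ref-bar"]}]
}"""

# Constructed OpenVEX-style statements; CVE ids are placeholders, not real vulnerabilities.
VEX_JSON = """{"statements": [
  {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
   "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
   "status": "affected", "action_statement": "Bind the agent to 127.0.0.1 until the patch is applied"},
  {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "ref-bar"}], "status": "fixed"}
]}"""

SBOM = json.loads(SBOM_JSON)
VEX = json.loads(VEX_JSON)

def ntia_gaps(sbom: dict) -> list[str]:
    """List every NTIA minimum element that is missing from the SBOM (empty list = complete)."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp missing")
    if not meta.get("authors"):
        gaps.append("metadata.authors missing")
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "?")
        for field in ("name", "version", "supplier"):
            if not comp.get(field):
                gaps.append(f"{ref}: {field} missing")
        if not (comp.get("purl") or comp.get("cpe")):
            gaps.append(f"{ref}: no unique identifier (purl/cpe)")
    if not sbom.get("dependencies"):
        gaps.append("dependencies missing")
    return gaps

def actionable_vulns(vex: dict) -> dict[str, str]:
    """Map CVE id -> what the deploying organization must do; 'not_affected'/'fixed' need no action."""
    out = {}
    for stmt in vex["statements"]:
        cve = stmt["vulnerability"]["name"]
        if stmt["status"] == "affected":  # apply the manufacturer's compensating control
            out[cve] = stmt.get("action_statement", "no action statement provided")
        elif stmt["status"] == "under_investigation":
            out[cve] = "track until the manufacturer publishes a final status"
    return out
```

Running both checks on the sample data flags the `barlib` entry as incomplete (no version, no identifier) and leaves exactly one vulnerability needing a compensating control.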
How do I document compensating controls for unpatched flaws?
When addressing unpatched vulnerabilities in medical devices, it's essential to put alternative safety measures in place to achieve comparable security results. These could include steps like enhanced monitoring, adding encryption layers, conducting manual reviews, or segmenting networks to limit exposure.
Make sure to document these measures thoroughly. This should include:
- The rationale behind choosing these specific controls.
- Details of the implemented safeguards and how they function.
- An explanation of how these measures reduce the associated risks.
Additionally, it's crucial to regularly review and test these controls to ensure they continue to work effectively over time.
