Medical Device Security Standards 2025: What HDOs Need to Know
Between 2010 and 2022, 285 million patient records were exposed by security issues plaguing the healthcare industry. Equally disconcerting, of the 1,193 ransomware attacks that the FBI tracked in 2023, 20.9% of them occurred in the healthcare sector. Meanwhile, as healthcare delivery organizations (HDOs) deploy more medical devices, they face increasing cybersecurity and patient health risks. For example, research has linked increased mortality rates to HDOs that experience a cyberattack or incident, often reinforcing the community distrust that the incident creates.
In response, lawmakers, agencies, and standards organizations implemented new compliance requirements. While many of the new compliance requirements for 2025 focus on medical device manufacturers’ responsibilities, HDOs need insight into their own fleets and the potential impact that new devices will have on their overarching security posture.
As HDOs look to purchase new devices and improve patient care, they should look for manufacturers who can prove conformance with these new requirements.
3 Medical Device Standards or Certifications to Know for 2025
As security concerns around medical devices continue to swirl, organizations should be aware of the following standards and certifications that will become more prominent across the compliance landscape.
U.S. Food and Drug Administration (FDA): Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Medical device manufacturers must incorporate cybersecurity as part of device safety and quality system considerations during the design and development processes. The FDA guidance notes that using a Secure Product Development Framework (SPDF) is one way to satisfy the Quality System (QS) regulation because it identifies and reduces the number and severity of vulnerabilities across the product’s life cycle.
Manufacturers using an SPDF to manage cybersecurity risks should engage in the following risk management practices:
- Threat modeling: considering the potential ways attackers could exploit the device
- Cybersecurity risk assessment: capturing the risks and controls from the threat model and the methods for scoring the risk pre- and post-mitigation
- Interoperability considerations: assessing the necessity and impact of additional security controls for the common technologies and communication protocols that enable interoperability, like Bluetooth or network protocols
- Third-party software components: documenting proprietary, third-party, and open-source components used in hardware, software, or firmware with a Software Bill of Materials
- Security assessment of unresolved anomalies: providing a list of software anomalies, including their impact on device safety and effectiveness
- Total product lifecycle (TPLC) security risk management: ongoing processes for identifying, assessing, and mitigating cybersecurity vulnerabilities as new information becomes available, like the discovery of new threats, vulnerabilities, assets, or adverse impacts
Manufacturers should implement security controls that include but are not limited to:
- Authentication
- Authorization
- Cryptography
- Code, Data, and Execution Integrity
- Confidentiality
- Event Detection and Logging
- Resiliency and Recovery
- Updatability and Patchability
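The risk assessment step above asks for threat-model entries, the controls that address them, and a score for each risk before and after mitigation. The following added example (not from the FDA guidance or from Asimily) shows one minimal way to capture that: threats are scored on assumed 1-5 likelihood and severity scales, each control is tagged with one of the FDA control categories listed above and reduces likelihood by a stated number of steps, and residual risks above an assumed acceptance threshold are flagged. The sample threats, the scales, and the threshold are constructed for illustration.

```python
"""Pre- and post-mitigation risk scoring for a device threat model.

Added example, not code from the FDA guidance or Asimily. Scales,
threshold and sample threats are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed ordinal scales (1 = lowest, 5 = highest). A real assessment uses
# the scales defined in the manufacturer's risk management plan.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}

# Assumed acceptance threshold for residual risk (likelihood x severity).
ACCEPTABLE_RESIDUAL = 6


@dataclass
class Control:
    name: str
    category: str              # FDA control category, e.g. "Authentication"
    likelihood_reduction: int  # steps removed from the likelihood scale


@dataclass
class Threat:
    threat_id: str
    description: str
    likelihood: str            # key into LIKELIHOOD
    severity: str              # patient-safety impact, key into SEVERITY
    controls: list = field(default_factory=list)


def score(likelihood: int, severity: int) -> int:
    """Simple multiplicative risk score; the product used in many risk matrices."""
    return likelihood * severity


def assess(threat: Threat) -> dict:
    """Score one threat before and after its planned controls are applied."""
    pre_l = LIKELIHOOD[threat.likelihood]
    sev = SEVERITY[threat.severity]
    # Controls lower likelihood; severity of the safety outcome is unchanged.
    post_l = max(1, pre_l - sum(c.likelihood_reduction for c in threat.controls))
    return {
        "id": threat.threat_id,
        "pre": score(pre_l, sev),
        "post": score(post_l, sev),
        "controls": [f"{c.category}: {c.name}" for c in threat.controls],
    }


def residual_risk_report(threats: list) -> dict:
    """Assess every threat and flag those whose residual risk is not acceptable."""
    assessments = [assess(t) for t in threats]
    unacceptable = [a["id"] for a in assessments if a["post"] > ACCEPTABLE_RESIDUAL]
    return {
        "assessments": assessments,
        "unacceptable": unacceptable,
        "overall_acceptable": not unacceptable,
    }


# Constructed sample threat model for a hypothetical networked infusion pump.
SAMPLE_THREATS = [
    Threat("T-01", "Unauthenticated service port allows dose parameter changes",
           "likely", "catastrophic",
           [Control("mutual TLS on service port", "Authentication", 2),
            Control("role check before dose write", "Authorization", 1)]),
    Threat("T-02", "Unsigned firmware image accepted during update",
           "possible", "critical",
           [Control("signature verification of firmware", "Code, Data, and Execution Integrity", 2)]),
    Threat("T-03", "Telemetry readable by any paired Bluetooth peer",
           "likely", "minor", []),  # no control planned yet
]

if __name__ == "__main__":
    report = residual_risk_report(SAMPLE_THREATS)
    for a in report["assessments"]:
        print(f'{a["id"]}: pre={a["pre"]} post={a["post"]} controls={a["controls"]}')
    print("unacceptable residual risk:", report["unacceptable"])
```

The report is the artifact a reviewer would expect in the risk management file: each threat with its pre- and post-mitigation score, the controls credited for the reduction, and an explicit list of residual risks (here T-03, which has no control yet) that still need a decision before the overall residual risk can be accepted.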
ANSI/AAMI SW96:2023 Standard for medical device security—Security risk management for device manufacturers
ANSI/AAMI SW96 provides best practices and guidelines for implementing medical device security across the life cycle, augmenting and aligning with:
- International Organization for Standardization (ISO) 14971
- AAMI TIR57:2016, Principles for medical device security—Risk management
- AAMI TIR97:2019, Principles for medical device security—Postmarket risk management for device manufacturers
SW96 specifies requirements across the following risk management elements:
- Security risk analysis
- Security risk evaluation
- Security risk control
- Overall security residual risk acceptability
- Security risk management overview
- Production and post-production activities
SW96 expands on TIR57 by focusing on the intersection of security risks and safety impact. To this end, it incorporates the following requirements:
- Clause 3: defining security within the context of a medical device’s life cycle
- Clause 4: expanding on TIR57 to incorporate a supply chain risk management documentation and monitoring process
- Clause 5: requiring manufacturers to assess reasonably foreseeable misuse, including threat actors exploiting devices in ways that intentionally or unintentionally cause harm
- Clause 9: expanding on TIR57 to specify review process requirements, including recording security risk management review results in the security risk management report and security risk management file
- Clause 10: substantially expanding on TIR57 by specifying activities for production and post-production, including monitoring information sources like third-party suppliers in the Software Bill of Materials (SBOM)
- Supporting Annexes: going into depth around topics discussed in SW96’s body, highlighting usability engineering’s overlap with security risk management and core threat modeling principles
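Clause 10's post-production monitoring and the FDA's third-party software component documentation both depend on the same mechanism: keeping an SBOM for the device and checking its components against new vulnerability information as it arrives. The following added example (not from SW96, the FDA guidance, or Asimily) shows that check over a constructed CycloneDX-style SBOM and a constructed advisory feed. The component names, versions, and advisory IDs are placeholders, not real products or CVEs.

```python
"""SBOM-driven post-production vulnerability monitoring.

Added example, not code from SW96, the FDA guidance or Asimily. The SBOM,
the advisory feed and all identifiers below are constructed sample data.
"""
import json

# Constructed SBOM in a CycloneDX-like shape for a hypothetical pump firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "pump-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "crypto-lib", "version": "1.4.7",
         "supplier": {"name": "Example Crypto Vendor"}},
        {"type": "library", "name": "netstack-lib", "version": "2.1.2",
         "supplier": {"name": "Example Network Vendor"}},
        {"type": "library", "name": "compress-lib", "version": "1.2.13",
         "supplier": {"name": "Example OSS Project"}},
    ],
})

# Constructed advisory feed. "fixed_in" is exclusive; "introduced" defaults to 0.
ADVISORIES = [
    {"id": "ADV-0001", "component": "crypto-lib", "introduced": "1.4.0",
     "fixed_in": "1.4.9", "safety_relevant": True,
     "summary": "Placeholder: certificate validation flaw"},
    {"id": "ADV-0002", "component": "netstack-lib",
     "fixed_in": "2.1.0", "safety_relevant": True,
     "summary": "Placeholder: packet parsing flaw (already fixed in 2.1.x)"},
    {"id": "ADV-0003", "component": "compress-lib", "introduced": "1.2.0",
     "fixed_in": "1.3.0", "safety_relevant": False,
     "summary": "Placeholder: decompression resource exhaustion"},
]


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only; tuples compare lexicographically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed_in."""
    v = parse_version(version)
    low = parse_version(advisory.get("introduced", "0"))
    high = parse_version(advisory["fixed_in"])
    return low <= v < high


def monitor(sbom_json: str, advisories: list) -> list:
    """Match every SBOM component against the advisory feed."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "supplier": comp.get("supplier", {}).get("name", "unknown"),
                    # Safety-relevant findings must re-enter the security risk
                    # analysis and be recorded in the risk management file.
                    "requires_risk_reassessment": adv["safety_relevant"],
                })
    return findings


def reassessment_queue(findings: list) -> list:
    """Advisory IDs that trigger an update to the security risk management file."""
    return [f["advisory"] for f in findings if f["requires_risk_reassessment"]]


if __name__ == "__main__":
    results = monitor(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f'{f["advisory"]}: {f["component"]} {f["version"]} '
              f'(supplier {f["supplier"]}) reassess={f["requires_risk_reassessment"]}')
    print("queued for risk reassessment:", reassessment_queue(results))
```

Run as a scheduled job against the real SBOM and a real advisory source, the interesting output is the reassessment queue: those are the findings that Clause 10 expects to flow back into the risk analysis rather than stop at a ticket. Note that the version comparison here handles only dotted numeric versions; real feeds need a proper version-range library and the component identifiers (PURL or CPE) that the SBOM carries.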
Institute of Electrical and Electronics Engineers (IEEE) Medical Device Cybersecurity Certification Program
Building on its standards for wireless diabetes device security, the IEEE offers a Medical Device Cybersecurity Certification Program that is aligned with FDA requirements so manufacturers can use it to support their compliance efforts. The IEEE 2621 certification incorporates two additional Inspection Checklists, based on IEC 80001-5-1 and IEC/AAMI TIR 57, for a comprehensive approach that includes Software Security Lifecycle and Risk Management Assessment.
Although it is not itself a standard, the conformity assessment program, the IEEE explains, enables medical device manufacturers to fully meet the FDA’s Ensuring Cybersecurity of Devices mandate.
Under the IEEE 2621 standards and their conformance assessments, manufacturers will need to prove that they implement, manage, and maintain policies, processes, and documentation for the following:
- Connected electronic product security evaluation (IEEE 2621.1): appropriate basic, enhanced-basic, or modern assurance levels over lab accreditation, certification criteria, and assurance maintenance
- Security requirements and protection profile (IEEE 2621.2): defining and addressing security threats/risks and function requirements that counter these threats and providing a protection profile
- Guidance for mobile devices (IEEE 2621.3): evaluating mobile device applications to ensure that they have the appropriate security controls and configurations that mitigate cyber risk
Asimily: Supporting HDO Pre-Purchase Risk Management
While these standards and certifications seek to improve medical device security, HDOs no longer have the option of waiting for manufacturers to prove compliance. Certifications come with the bureaucratic red tape of compliance, and you want to improve your patients’ health outcomes sooner rather than later. With Asimily, HDOs can take medical device security into their own hands – and networks – by engaging in risk modeling and simulations prior to purchasing or deploying new devices.
Asimily enables you to calculate the least risk associated with a device before configuration and connection, giving you a way to simulate the impact that the purchase will have on your security posture. Using this risk modeling capability, organizations can avoid installing risky device configurations since Asimily manages and shares the most secure, active configurations of devices across our customer set. With our extensive database of devices, you can see the risk that comes with any purchase of a networked device, giving you insight beyond what a manufacturer shares. You can achieve real risk insights at the simple click of a button, ensuring continuous risk mitigation.
To learn how Asimily can help you manage your medical device fleet’s security, contact us today.