With an increasingly aging population the US, like many countries around the world, has a healthcare system under pressure. As a result, there has been a continued growth and reliance on digital health, with advancements in medtech, AI, personalized care, wearables and digital pathways.
Innovations in connected medical devices such as diagnostic imaging, surgical robots, health wearables, glucose monitoring and insulin pumps have led the U.S. Food and Drug Administration (FDA) to stress the need for stronger controls for device safety, particularly as wireless connectivity and the electronic exchange of health information become more prevalent.
In June 2025, the FDA updated its final guidance on demonstrating the cybersecurity of medical devices, which aims to ensure that devices are secure by design and resilient to the latest threats.
In today’s blog we will discuss cybersecurity in medical devices and healthcare’s susceptibility to hidden threats within these devices. We will also explore how Keysight is helping medical device manufacturers meet the challenge of improving cybersecurity and achieving regulatory compliance. Finally, we will look at the latest trends and how device manufacturers can stay ahead of attackers.
Healthcare Systems Under Attack
Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. People’s personal and medical information has a value, and that makes it attractive for threat actors too.
According to the HIPAA Journal, in 2024 there were 14 data breaches involving more than 1 million healthcare records, including the biggest healthcare data breach of all time, which affected an estimated 190,000,000 individuals. Across those 14 breaches alone, the records of 237,986,282 U.S. residents were exposed or compromised, around 69.97% of the U.S. population. All but two of the 14 breaches were hacking incidents, and 8 involved business associates of HIPAA covered entities.
Events across the healthcare sector have underlined the importance of cybersecurity to patient safety. The WannaCry ransomware affected hospital systems and medical devices across the globe; it cost the UK's National Health Service (NHS) £92m after 19,000 appointments were cancelled. Vulnerabilities identified in commonly used third-party components, such as URGENT/11 and SweynTooth, have raised potential safety concerns across a broad range of devices used in various clinical specialties.
Recent cyber incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally, and causing patient harm through delayed diagnosis and/or treatment.
Last year the largest healthcare data breach in the U.S. occurred at Change Healthcare: the BlackCat/ALPHV ransomware group accessed the network and used ransomware to encrypt files. Not only was this the largest healthcare data breach of all time; it also caused more disruption than any other healthcare cyberattack, because of the number of healthcare organizations that relied on Change Healthcare's systems and the prolonged outage. The attack prevented patients from obtaining medications, and the outage caused severe disruption to healthcare providers' revenue cycles, pushing many small practices to the brink of closure.
FDA Prescriptive Guidance on Medical Device Cybersecurity
The FDA has responded to the reality that medical devices are much more connected than before and thus have a greatly expanded attack surface. Rather than leaving it up to manufacturers to decide what testing is appropriate, the FDA is much stricter and more prescriptive about the mandated cybersecurity testing and artifact submission requirements. Some of the new requirements include:
Fuzzing
Fuzzing is a fairly advanced concept, even for experienced cybersecurity practitioners, and it’s typically used to discover previously unknown vulnerabilities in protocol stack implementations. Fuzzing involves injecting intentional errors into communication streams in an effort to disrupt the Device Under Test at the other end of the connection. For medical devices, this could include protocol fuzzing tests against a Bluetooth or Bluetooth Low Energy implementation, the WiFi stack, CAN bus, and the TCP/UDP/IP stack.
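To make the idea concrete, here is an added example (not Keysight code and not part of the original post) of the mutation-fuzzing loop described above, run against a constructed toy framing protocol rather than a real Bluetooth or TCP/IP stack. `parse_naive` carries a deliberate bounds defect of the kind fuzzing finds; `parse_hardened` validates every field against the bytes actually received; the frame layout, message contents and mutation strategies are all assumptions for illustration.

```python
import random
from functools import reduce
class ProtocolError(Exception):
    """Clean rejection of a malformed frame: the outcome we want, not a bug."""

def checksum(data: bytes) -> int:
    return reduce(lambda a, b: a ^ b, data, 0)

def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Constructed toy wire format: [type][length][payload ...][xor checksum]."""
    body = bytes([msg_type, len(payload)]) + payload
    return body + bytes([checksum(body)])

def parse_naive(frame: bytes) -> tuple:
    # Deliberate defect: trusts the length byte, so a short or length-corrupted frame indexes past the buffer.
    msg_type, length = frame[0], frame[1]
    if checksum(frame[:2 + length]) != frame[2 + length]:
        raise ProtocolError("bad checksum")
    return msg_type, frame[2:2 + length]

def parse_hardened(frame: bytes) -> tuple:
    # Every field is validated against what actually arrived before it is used.
    if len(frame) < 3:
        raise ProtocolError("frame too short")
    msg_type, length = frame[0], frame[1]
    if len(frame) != 3 + length:
        raise ProtocolError("length field does not match frame size")
    if checksum(frame[:-1]) != frame[-1]:
        raise ProtocolError("bad checksum")
    return msg_type, frame[2:-1]

def fuzz(parser, iterations: int = 2000, seed: int = 1) -> list:
    """(frame, exception name) for every input the parser did not reject cleanly."""
    rng, crashes = random.Random(seed), []
    valid = build_frame(0x10, b"glucose=5.4")   # constructed valid message
    for _ in range(iterations):
        f = bytearray(valid)
        op = rng.choice(("flip", "length", "truncate"))
        if op == "flip":       # random bit flip anywhere in the frame
            f[rng.randrange(len(f))] ^= 1 << rng.randrange(8)
        elif op == "length":   # corrupt the length field specifically
            f[1] = rng.randrange(256)
        else:                  # drop the tail, keeping at least one byte
            del f[rng.randrange(1, len(f)):]
        try:
            parser(bytes(f))
        except ProtocolError:
            continue               # expected: malformed input rejected cleanly
        except Exception as exc:   # anything else is a robustness bug to fix
            crashes.append((bytes(f), type(exc).__name__))
    return crashes
```

Running `fuzz(parse_naive)` returns a list of crashing frames to reproduce and fix, while `fuzz(parse_hardened)` returns an empty list; a real engagement does the same thing over the air or on the wire against the device's own stack.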
Vulnerability Assessment and Chaining
This entails scanning the device on any exposed network interfaces to determine if any known vulnerability types exist in those interfaces. This could include vulnerability types such as guessable passwords, encryption flaws, susceptibility to injection attacks, API attacks, and other vulnerabilities which would expose the device to significant attacks by threat actors.
Software Composition Analysis and Accurate SBOM Generation
For many manufacturers, this may be the most difficult new hurdle. In most software and firmware builds, around 80% of the total lines of source code come from open-source libraries, and these libraries inevitably contain vulnerabilities that become publicly known now or in the future. In line with other critical industries, the FDA now requires manufacturers to compile an accurate list of the software libraries used in their products, including an enumeration of known vulnerabilities together with mitigation procedures or proof of non-reachability. The manufacturer must also keep this Software Bill of Materials (SBOM), which lists all included software libraries, up to date by flagging newly identified vulnerabilities in those libraries as part of the revised post-market surveillance process. In addition, the manufacturer must provide a continually updated SBOM to users in a machine-readable format, typically through an online portal. Further complicating the challenge, the vast majority of medical devices use the ARM Cortex-M processor, which is very efficient but can make accurate SBOM generation more difficult.
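As an added illustration (not Keysight's tooling and not from the original post) of what the SBOM obligation above amounts to in data terms, the following builds a minimal CycloneDX-style SBOM from a constructed component inventory, matches it against a constructed vulnerability feed with placeholder identifiers, and records the manufacturer's non-reachability claims using CycloneDX VEX state and justification values. The component names, versions, feed entries and analysis text are all assumptions for illustration.

```python
# Constructed component inventory, as an SBOM generator might emit it for a
# firmware image (names and versions are illustrative, not a real device).
COMPONENTS = [
    {"name": "mbedtls", "version": "2.16.0", "purl": "pkg:generic/mbedtls@2.16.0"},
    {"name": "lwip", "version": "2.1.2", "purl": "pkg:generic/lwip@2.1.2"},
    {"name": "freertos-kernel", "version": "10.4.3",
     "purl": "pkg:generic/freertos-kernel@10.4.3"},
]
# Constructed vulnerability feed with placeholder identifiers (not real CVEs):
# each entry names the affected component and the first fixed version.
VULN_FEED = [
    {"id": "CVE-XXXX-0001", "name": "mbedtls", "fixed_in": "2.16.5"},
    {"id": "CVE-XXXX-0002", "name": "lwip", "fixed_in": "2.1.2"},
    {"id": "CVE-XXXX-0003", "name": "freertos-kernel", "fixed_in": "10.4.4"},
]
# The manufacturer's triage of findings it has analysed, using CycloneDX VEX
# state/justification values; anything not listed here stays "affected".
ANALYSIS = {"CVE-XXXX-0003": {"state": "not_affected", "justification": "code_not_reachable",
                              "detail": "software timers are compiled out of this build"}}

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def build_sbom(components, name="example-device-fw", version="1.0.0") -> dict:
    """Minimal CycloneDX-style document (top-level field names follow the 1.5 schema)."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "firmware", "name": name, "version": version}},
        "components": [{"type": "library", **c} for c in components],
    }

def assess(sbom: dict, feed: list, analysis: dict) -> list:
    """Match each component against the feed and attach the manufacturer's triage."""
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if vuln["name"] != comp["name"]:
                continue
            if version_tuple(comp["version"]) >= version_tuple(vuln["fixed_in"]):
                continue   # this build already carries the fix
            entry = {"id": vuln["id"], "purl": comp["purl"], "state": "affected"}
            entry.update(analysis.get(vuln["id"], {}))
            findings.append(entry)
    return findings

def open_findings(findings: list) -> list:
    """Vulnerabilities still lacking a mitigation or a non-reachability argument."""
    return [f["id"] for f in findings if f["state"] == "affected"]
```

Re-running `assess` against a refreshed feed is the post-market step: the SBOM stays the same, and only the findings and their triage change, which is what the machine-readable portal publication has to carry.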
Independent Cybersecurity Testing by a Highly Competent, Independent Lab
No longer can manufacturers do all their testing in-house. The FDA wants to be sure that a second set of eyes has examined the product, and that the external agency is very skilled in cybersecurity analysis. This mandate requires neutrality and protects patients from potential exploits which are outside the scope of attacks the manufacturer may be capable of conducting or even have imagined.
How Keysight Can Help
In concert with the enhanced FDA requirements, Keysight has upgraded our device cybersecurity products and services to allow medical device manufacturers to proceed with confidence, enabling them to bring products to market on time and on budget. Recognizing that medical device manufacturers have a wide range of in-house cybersecurity expertise, Keysight can provide whatever blend of products and services is appropriate.
To address many of the FDA’s new requirements and minimize the chance of problematic and expensive discoveries later in the process, Keysight offers IoT Security Assessment. In a compact desktop appliance, it features protocol fuzzing for Bluetooth, Bluetooth Low Energy, WiFi, CAN bus, and TCP/UDP/IPv4 and v6. We’re also excited about the recent introduction of our on-prem SBOM generation capability. All of these features offer complete REST API support for workflow integration, so your sensitive firmware need never leave your site for development testing including SBOM generation. And for post-market compliance, Keysight also offers an SBOM management and publication capability so that users can be automatically updated with accurate information on new releases.
Keysight also brings a wide range of cybersecurity testing capabilities via both our in-house and partner network. For high-assurance validation of critical devices, Keysight offers some of the most advanced testing capabilities on the planet. We have state-of-the-art fault injection and side-channel analysis tools, and are trusted by the most sophisticated smartphone, automotive, and semiconductor companies to ensure their products are resilient to attacks from even the most sophisticated attackers. We have ISO 17025-certified labs and offer services on multiple continents to help our customers in diverse fields bring compliant products to market. We have also integrated a network of partners for medium-assurance testing, which is more cost-effective and appropriate for some devices; you can decide which type of engagement is appropriate for you.
Enhancing our cybersecurity validation capabilities for medical devices is in line with our commitment to helping our customers bring the best products to market on schedule and on budget. Our medical customers have used our power drain analysis, RF testing, and high frequency digital measurement tools for decades, and now Keysight is your partner for both electronic and cybersecurity validation for medical devices.
So, if you’re ready to take the next step in innovation acceleration and patient safety, let us know – we’re here for you.