
October 8, 2025
by Ferdous Al-Faruque

Strong medical device cybersecurity can be a market differentiator, experts say

SAN DIEGO — Medtech companies should go beyond regulatory requirements when strengthening the cybersecurity of their medical devices to set them apart from their competitors, according to experts who spoke at the 2025 MedTech Conference on Monday.
 
They noted that hospitals and other organizations are willing to pay extra to ensure that devices are better guarded against potential vulnerabilities and cybersecurity threats, even as FDA has become more stringent with its cybersecurity requirements.
 
“I like to say there's a little bit more stick, a little less carrot right now from FDA... A little less please and thank you, and a little bit more now and even faster,” said Michelle Jump, CEO of MedSec, who moderated a panel on medical device cybersecurity.
 
She noted that in the past FDA used guidances, which are not legally binding, to encourage manufacturers to ensure their connected devices followed good cybersecurity practices. However, under section 3305 of the 2022 Food and Drug Omnibus Reform Act, Congress included a provision that gave the agency explicit authority to require manufacturers to follow good medical device cybersecurity practices.
 
“We now have cybersecurity law, that’s the stick that has replaced the carrot of guidances,” said Jump. “It’s led to lots of shock, lots of kerfuffle and anxiety, because people developed these products 10 years ago, they’re still on the market, they need to put it in for a submission and they’re getting all these questions about cybersecurity that they’ve never had before.”
 
Jump noted that under the law, FDA wants manufacturers to better manage postmarket cybersecurity vulnerabilities and commit to addressing issues within specific timelines. She also said the agency wants them to maintain reasonable assurance of cybersecurity throughout the product’s lifecycle, address critical vulnerabilities as soon as possible, maintain a coordinated vulnerability disclosure program, and provide a software bill of materials (SBOM).
 
Jump said that instead of seeing the requirements as more burdens, companies should see them in the context of how they can best serve their customers, how they can lead to more sales, and how they better represent what the medtech industry can offer. She noted that according to a recent survey by the Health Information Sharing and Analysis Center (H-ISAC), three quarters of hospitals said that FDA’s new requirements are influencing their procurement decisions.
 
“[Cybersecurity] is now the gatekeeper to the market to be quite honest with you,” she added.
 
Jump further noted that the survey found that 83% of hospitals integrate cybersecurity standards directly into their requests for proposals (RFPs), almost half have declined purchases due to cybersecurity concerns, and 79% say they are willing to pay premium pricing for advanced protection. She also noted that 75% of hospitals said they have increased their medical device security budgets in the past year and 41% said they would be willing to pay up to 15% more for enhanced security, but only 17% say they feel confident in their attack detection capabilities.
 
Joel Cardella, director of product security at Stryker, agreed with Jump’s assessment and warned that hospital networks, especially those of smaller hospitals, tend to be very open and vulnerable, and that medical device companies should play their part to ensure their products are protected. He asked manufacturers to think beyond their regulatory requirements and about how they can help hospitals protect themselves from such vulnerabilities.
 
Cardella said that stronger cybersecurity characteristics will ultimately make products more attractive to customers and emphasized that they could be the business differentiator that puts a company above its competition.
 
Andy Sargent, senior director for IT and product security at SpaceLabs, noted that financially it is not feasible for medical device manufacturers to take sole responsibility for updating the cybersecurity of their products; it must be a shared responsibility, with manufacturers being upfront that they will support the device up to a certain point. After that, he said, it will become the responsibility of the customer.
 
“[Cybersecurity] is not going to go away... it is definitely going to become more burdensome on all of us, and not just us as medical device manufacturers but us as an ecosystem,” said Sargent. “We are a critical infrastructure no matter where you go globally from a regulatory environment, so based on that alone, we're going to have to share that burden and that responsibility.”