Nexortest Technologies | Your Gateway to Global Market Entry

◆ FDA 2023 · EU MDR · IEC 81001-5-1 · AAMI TIR57

Medical Device Cybersecurity Testing & Compliance

Penetration testing (VAPT), SBOM generation, threat modeling, and FDA-ready cybersecurity documentation for medical devices — from connected Class II hardware to AI-powered SaMD. NexorTest delivers the cybersecurity evidence regulators demand.

FDA: 2023 Guidance Ready
SBOM: CycloneDX / SPDX
VAPT: Hardware + Software
IEC: 81001-5-1 Compliant

US: FDA 2023 Final Guidance (Premarket Cybersecurity)
EU: EU MDR / IVDR (MDCG 2019-16 Cybersecurity)
IEC 81001-5-1: Health Software Security
AAMI TIR57 / SW96: Security Risk Management
Why It Matters Now

FDA Now Refuses Submissions Without Cybersecurity Evidence

Since October 1, 2023, the FDA has authority to refuse to accept premarket submissions for “cyber devices” that lack the required cybersecurity documentation — including SBOM, threat modeling, and penetration testing evidence.

EU MDR Notified Bodies are increasingly requiring IEC 81001-5-1 compliance evidence for software-heavy devices. Missing cybersecurity documentation is now one of the most common causes of delayed or rejected submissions.

⚠️ FDA Cybersecurity Requirements (Oct 2023)
1. Cybersecurity Management Plan

Vulnerability identification & remediation process for post-market phase

2. Security Architecture Documentation

Device diagram with connections, data flows, and security controls

3. Cybersecurity Risk Assessment

Threat modeling per AAMI TIR57 / ANSI AAMI SW96 / STRIDE

4. Cybersecurity Testing Evidence

Pen test report, vulnerability scan results, V&V test protocols

5. SBOM (Software Bill of Materials)

Machine-readable CycloneDX or SPDX format with all components

Cybersecurity Services

Complete Medical Device Cybersecurity Testing Portfolio

From vulnerability assessment to FDA-ready documentation — every cybersecurity deliverable your premarket submission requires, generated by specialists who understand both security and medical device regulation.

🔴
Vulnerability Assessment & Penetration Testing (VAPT)

Comprehensive security testing covering the full attack surface of your medical device: network services, software stack, hardware interfaces (USB, JTAG, debug ports), wireless protocols (Bluetooth, Wi-Fi, ZigBee), authentication mechanisms, and web/mobile companion applications. Black-box, grey-box, and white-box testing methodologies available.

📦
SBOM Generation & Management

Software Bill of Materials generation in FDA-mandated machine-readable formats: CycloneDX JSON/XML and SPDX. Full inventory of manufacturer-developed, third-party, and open-source components. Version tracking, license identification, known vulnerability (CVE) mapping, and end-of-support date documentation per NTIA standards.

🗺️
Threat Modeling (AAMI TIR57 / SW96)

Structured threat modeling using AAMI TIR57, ANSI AAMI SW96 (FDA-referenced 2024), and STRIDE methodology. Attack surface identification, threat actor characterization, vulnerability likelihood and exploitability assessment, and risk scoring aligned to FDA and IEC 62443 frameworks. Deliverable: Threat Model Report for submission.

📋
IEC 81001-5-1 Assessment

Gap assessment and compliance evidence generation against IEC 81001-5-1 (Health Software Security Lifecycle), the primary cybersecurity standard for medical device software per MDCG 2019-16. Assessment covers security requirements, secure design review, threat analysis, vulnerability management, and security testing verification required by EU Notified Bodies.

📄
FDA Premarket Cybersecurity Documentation

Complete FDA 510(k), De Novo, and PMA cybersecurity documentation package per FDA 2023 Final Guidance: Cybersecurity Management Plan, Security Architecture Document, Risk Assessment Report (threat model), Testing Evidence Report (VAPT results), and SBOM. Submission-ready format, tested against FDA reviewer expectations.

🛡️
Post-Market Cybersecurity Surveillance

Ongoing vulnerability monitoring program for deployed medical devices: CVE tracking for all SBOM components, coordinated vulnerability disclosure (CVD) program setup, patch impact assessment, security update documentation, FDA MedWatch cybersecurity reporting, and EU EUDAMED vigilance reporting for security incidents.

Threat Landscape

Medical Device Cybersecurity Threats We Test Against

Our VAPT methodology covers the full spectrum of threats that FDA and Notified Bodies expect to see tested in premarket submissions — from network attacks to physical hardware exploitation.

🔑 Authentication Weaknesses

Default and hardcoded credentials, weak password policies, lack of multi-factor authentication, session token vulnerabilities, privilege escalation pathways.

💾 Data Confidentiality Attacks

Unencrypted data transmission (PHI, patient data), weak encryption key management, insecure data storage on device, memory extraction from firmware.

🌐 Network & Protocol Attacks

Open ports & unprotected network services, man-in-the-middle (MitM) attacks, insecure wireless protocols (BLE, Wi-Fi), DICOM/HL7 vulnerabilities in medical protocols.

💿 Firmware & Software Attacks

Unsigned firmware updates (firmware injection), buffer overflows and memory corruption, vulnerable third-party software components (CVEs), insecure boot process.

🔧 Physical Interface Exploitation

Debug port access (JTAG, UART, USB), hardware tampering to extract firmware, side-channel attacks, unauthorized physical access to device internals.

🔗 Supply Chain & Software Risks

Vulnerable open-source components (Log4j-style), outdated third-party libraries, compromised development toolchain, missing security patches, end-of-life software dependencies.

Standards & Guidance

Cybersecurity Standards We Work To

Our methodology is built on the specific regulatory frameworks that FDA, EU MDR Notified Bodies, and global regulators reference and require.

FDA Final Cybersecurity Guidance (2023)
Premarket Submissions — Cyber Devices

The FDA’s 2023 Final Guidance establishes binding requirements for “cyber devices” in premarket submissions: 5-element cybersecurity documentation, mandatory SBOM in CycloneDX/SPDX format, and coordinated vulnerability disclosure. NexorTest generates all required documentation aligned to this guidance. Effective October 1, 2023 — submissions without compliant cybersecurity evidence may be refused.

IEC 81001-5-1 (Health Software Security)
Security Activities in the Product Lifecycle

Adapted from IEC 62443-4-1 specifically for medical device software. Covers security-by-design requirements: threat analysis, secure coding, security testing, vulnerability management, and end-of-life policies. Referenced by MDCG 2019-16 and increasingly required by EU Notified Bodies for CE certification of software-heavy and connected medical devices. NexorTest provides full IEC 81001-5-1 gap assessment and implementation support.

AAMI TIR57 & ANSI AAMI SW96
Medical Device Security Risk Management

AAMI TIR57 extends ISO 14971 with cybersecurity-specific risk management methodology including threat actor modeling, attack surface analysis, and security risk scoring. Its successor ANSI AAMI SW96 was referenced in FDA’s March 2024 draft guidance updates. NexorTest uses AAMI TIR57/SW96 methodology for threat modeling deliverables in FDA premarket submissions, ensuring alignment with FDA reviewer expectations.

IEC 62443 Industrial Security Series
Foundation for IEC 81001-5-1

IEC 62443 (originally for industrial control systems) forms the foundation of IEC 81001-5-1. IEC 62443-4-1 defines the Secure Development Lifecycle (SDL) framework including security requirements, threat modeling, vulnerability assessment, and penetration testing. IEC 62443-4-2 defines component security requirements. NexorTest applies IEC 62443 methodology for connected medical device and SaMD cybersecurity assessments, particularly relevant for hospital-networked devices.

SBOM for FDA

Software Bill of Materials: What FDA Requires

Since October 2023, SBOM is mandatory in FDA premarket submissions for cyber devices. NexorTest generates regulatory-grade SBOMs in the exact format FDA expects.

📦 What SBOM Must Include

Per FDA 2023 guidance and NTIA standards: all software components (manufacturer-developed, third-party, open-source), component name and version, supplier information, software license type, software level of support, and end-of-support (EOS) dates for each component. A missing EOS date is a common FDA query trigger.

🔧 SBOM Formats Accepted by FDA

FDA accepts SBOMs in two machine-readable formats: CycloneDX (OWASP standard, JSON or XML) and SPDX (Linux Foundation standard). Human-readable formats (spreadsheets, PDFs) do not satisfy the FDA's requirement for machine-readable SBOM. NexorTest generates both CycloneDX and SPDX format SBOMs aligned to NTIA minimum elements.

⚠️ CVE Mapping & Vulnerability Tracking

Beyond generation, NexorTest maps each SBOM component against the NVD (National Vulnerability Database) CVE registry to identify known vulnerabilities at time of submission. This enables the FDA risk assessment discussion in your submission — demonstrating you have assessed and mitigated known vulnerabilities in your software supply chain.
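As an added example (not NexorTest's tooling or a real device SBOM), the check below walks a constructed CycloneDX 1.5 JSON fragment and reports the gaps a reviewer would query: NTIA minimum elements (supplier, version, unique identifier, dependency relationships, author, timestamp), missing or expired end-of-support dates, and components matching a constructed advisory lookup that stands in for an NVD query. The property name `example:endOfSupport`, the component names and the placeholder CVE id are all assumptions.

```python
from datetime import date
EOS_PROP = "example:endOfSupport"  # assumed property name; CycloneDX properties are free-form name/value pairs

# Constructed CycloneDX 1.5 JSON SBOM for a fictional device; nothing here describes a real product
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"timestamp": "2024-01-15T00:00:00Z", "authors": [{"name": "Example Mfr Security Team"}],
                 "component": {"type": "device", "bom-ref": "dev", "name": "ExampleMonitor", "version": "2.1"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "libtls", "version": "1.4.2",
         "supplier": {"name": "TLS Project"}, "purl": "pkg:generic/libtls@1.4.2",
         "licenses": [{"license": {"id": "MIT"}}], "properties": [{"name": EOS_PROP, "value": "2026-06-30"}]},
        {"type": "library", "bom-ref": "lib-b", "name": "oldparser", "version": "0.9.1",  # no supplier, no purl
         "licenses": [{"license": {"id": "BSD-3-Clause"}}], "properties": [{"name": EOS_PROP, "value": "2022-12-31"}]},
        {"type": "library", "bom-ref": "lib-c", "name": "zlibish", "version": "1.2",  # no EOS date, not in graph
         "supplier": {"name": "Z Project"}, "purl": "pkg:generic/zlibish@1.2", "licenses": [{"license": {"id": "Zlib"}}]},
    ],
    "dependencies": [{"ref": "dev", "dependsOn": ["lib-a", "lib-b"]}],
}

# Constructed advisory lookup keyed by (name, version); a real check queries NVD. The CVE id is a placeholder.
KNOWN_VULNS = {("oldparser", "0.9.1"): ["CVE-PLACEHOLDER-0001"]}

def check_bom(bom, today, known_vulns=KNOWN_VULNS):
    """Return (bom-ref, finding) pairs in document order: NTIA element gaps, EOS problems, known CVEs."""
    findings = []
    meta = bom.get("metadata", {})
    for key, what in (("timestamp", "SBOM timestamp"), ("authors", "author of SBOM data")):
        if not meta.get(key):
            findings.append(("document", f"missing {what}"))
    deps = bom.get("dependencies", [])
    if not deps:
        findings.append(("document", "missing dependency relationships"))
    in_graph = {d["ref"] for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
    for c in bom.get("components", []):
        ref = c.get("bom-ref", c["name"])
        checks = [(not c.get("supplier", {}).get("name"), "missing supplier name"),
                  (not c.get("version"), "missing version"),
                  (not (c.get("purl") or c.get("cpe")), "missing unique identifier (purl/cpe)"),
                  (not c.get("licenses"), "missing license"),
                  (ref not in in_graph, "absent from dependency graph")]
        findings += [(ref, msg) for bad, msg in checks if bad]
        eos = next((p["value"] for p in c.get("properties", []) if p["name"] == EOS_PROP), None)
        if eos is None:
            findings.append((ref, "missing end-of-support date"))
        elif date.fromisoformat(eos) < date.fromisoformat(today):  # today is an ISO date string
            findings.append((ref, f"end of support passed on {eos}"))
        findings += [(ref, f"known vulnerability {cve}") for cve in known_vulns.get((c["name"], c.get("version")), [])]
    return findings
```

Calling `check_bom(SAMPLE_BOM, "2024-01-15")` yields four findings for lib-b (no supplier, no purl, expired EOS, known CVE) and two for lib-c (orphaned in the dependency graph, no EOS date), while lib-a passes clean.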

Our Methodology

Cybersecurity Testing Process & Deliverables

Our structured 5-phase methodology ensures comprehensive coverage and generates all deliverables required for FDA 510(k), De Novo, PMA, and EU MDR cybersecurity documentation.

1. Scoping & Architecture Review

Device intake, technical specification review, architecture diagram analysis, software component inventory, network interface mapping, and test scope definition aligned to FDA guidance requirements.

2. SBOM Generation & CVE Analysis

Automated SBOM extraction from device firmware/software, manual verification and enrichment, CVE mapping against current NVD database, license compliance check, and end-of-support date identification for all components.

3. Threat Modeling

Attack surface mapping, threat actor characterization (AAMI TIR57 threat agent taxonomy), STRIDE analysis of device functions, vulnerability likelihood and exploitability scoring, risk prioritization matrix aligned to patient safety impact.

4. Vulnerability Assessment & Penetration Testing

Automated vulnerability scanning, manual penetration testing across identified attack surfaces (network, wireless, hardware interfaces, firmware, authentication), exploit attempt documentation, and severity classification per CVSS.

5. FDA Submission Documentation Package

Compilation of all 5 elements required by FDA 2023 guidance into a submission-ready package: Cybersecurity Management Plan, Security Architecture Document, Risk Assessment (Threat Model), Testing Evidence Report, and SBOM. IEC 81001-5-1 compliance assessment report for EU MDR.

Frequently Asked Questions

Medical Device Cybersecurity Questions Answered

Under the FDA’s 2023 Final Guidance (effective October 1, 2023), a “cyber device” 510(k) submission must include 5 elements: (1) Cybersecurity Management Plan — describing how you will monitor, identify, and address post-market vulnerabilities; (2) Security Architecture document — device diagram showing all external connections, data flows, and cybersecurity controls; (3) Cybersecurity Risk Assessment — threat modeling using AAMI TIR57, ANSI AAMI SW96, or STRIDE methodology; (4) Testing Evidence — penetration testing and vulnerability scanning reports demonstrating you tested your security controls; and (5) SBOM in machine-readable CycloneDX or SPDX format. The FDA can refuse to accept submissions lacking this documentation.

The FDA’s “cyber device” definition is broader than internet-connected devices. A device is a “cyber device” if it: (a) includes software validated, installed, or authorized by the sponsor, AND (b) has the ability to connect to the internet OR contains technological characteristics that could be vulnerable to cybersecurity threats. USB ports, Bluetooth, Wi-Fi, Ethernet, or even removable media can qualify. If your device has any digital interface or runs software, you should assume FDA cybersecurity requirements apply and engage NexorTest for a scoping assessment to confirm.

Medical device VAPT requires specialists with both cybersecurity expertise and medical device regulatory knowledge. Key differences: (1) scope includes hardware interfaces (JTAG, UART, debug ports) not typically tested in IT assessments; (2) testing must be non-destructive to avoid device damage; (3) wireless testing covers medical-specific protocols (BLE, Zigbee, 802.15.4) alongside Wi-Fi; (4) risk scoring considers patient safety impact (severity of potential patient harm from an exploit) not just data confidentiality; (5) deliverables must align to FDA guidance format and include patient safety context; (6) testers must understand IEC 62304 software safety classification to assess software attack impact. Standard IT security firms without medical device expertise rarely produce FDA-acceptable deliverables.

IEC 81001-5-1 is the primary cybersecurity standard for medical device software under EU MDR. While not a mandated harmonized standard under EU MDR, MDCG 2019-16 guidance references it as the approach for demonstrating cybersecurity compliance with GSPR Annex I requirements. From 2024, EU Notified Bodies are routinely requesting IEC 81001-5-1 compliance evidence during technical documentation review for software-heavy devices. Non-compliance is becoming a frequent source of CE certification delays or additional information requests (AIRs). NexorTest’s IEC 81001-5-1 assessment produces a gap report and compliance evidence package that addresses this Notified Body expectation.

Yes. SaMD has specific cybersecurity requirements that overlap with general medical device requirements but add software-specific considerations. For SaMD, NexorTest covers: cloud/server infrastructure security assessment (API security, data encryption at rest/transit), mobile application security (OWASP Mobile Top 10), AI/ML model security (adversarial inputs, model extraction), continuous monitoring requirements for adaptive algorithms, SBOM for cloud dependencies, and FDA predetermined change control plan (PCCP) cybersecurity sections. SaMD cybersecurity documentation is required in FDA 510(k), De Novo, and EU MDR technical documentation for software-only devices.

A standard medical device cybersecurity engagement for a connected Class II device typically takes 4-8 weeks: scoping and architecture review (3-5 days), SBOM generation and CVE analysis (3-5 days), threat modeling (5-7 days), VAPT execution (5-10 days), and report compilation/QA (3-5 days). Complex devices with multiple communication interfaces, large software stacks, or AI/ML components may require 10-14 weeks. Rush/expedited programs are available for time-critical FDA submissions. NexorTest provides a project timeline estimate during the initial scoping call at no charge.

Secure Your FDA Submission Today

Don’t risk a refused submission over missing cybersecurity documentation. Get your free medical device cybersecurity assessment and understand exactly what your submission needs.
