Securing surgical and medical devices, and the AI that increasingly runs on them, is complex because the regulations for this technology live in different buckets rather than one comprehensive rulebook. These buckets include healthcare privacy and security, cybersecurity, device safety, product compliance, and more. Knowing the various regulation types and why each is relevant is essential when managing risk.
Healthcare privacy and security regulations: This is the starting point. In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Security Rule spell out expectations for the management and protection of electronic protected health information (PHI). While not directly a medical device regulation, HIPAA covers medical devices any time a device creates, stores, transmits, or integrates PHI with other systems. IT professionals need at least a high-level knowledge of HIPAA, especially as it relates to implementing administrative, technical, and physical safeguards for device-connected systems in the safeguard categories (access control, audit logging, transmission security, incident response, and so on), so you can demonstrate that these systems were built on foundational enterprise security principles rather than becoming the weakest link in the HIPAA environment.
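To make the safeguard categories concrete, here is an added example (not code from the original article) that assesses a device-integration configuration against the four categories named above and reports findings for a weak configuration alongside a hardened one. The configuration keys, the audit-record field list, and the two sample configurations are constructed for illustration and are not a complete HIPAA checklist.

```python
"""Assess a device-integration configuration against the HIPAA Security Rule
safeguard categories named in the text: access control, audit logging,
transmission security and incident response.

Added example, not code from the original article. The configuration keys
and both sample configurations are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    category: str
    severity: str   # "high" or "medium"
    message: str


# Fields an audit record needs so an access can be attributed to a person,
# an action and a record (assumed minimum for this example).
AUDIT_FIELDS = {"timestamp", "user_id", "action", "record_id", "source_ip"}


def check_access_control(cfg):
    ac = cfg.get("access_control", {})
    out = []
    if ac.get("shared_service_account", False):
        out.append(Finding("access_control", "high", "shared service account; individual accountability is lost"))
    if not ac.get("role_based", False):
        out.append(Finding("access_control", "medium", "no role-based restriction of PHI access"))
    if not ac.get("mfa_for_admin", False):
        out.append(Finding("access_control", "high", "administrative access without MFA"))
    return out


def check_audit_logging(cfg):
    al = cfg.get("audit_logging", {})
    if not al.get("enabled", False):
        return [Finding("audit_logging", "high", "audit logging disabled")]
    out = []
    missing = AUDIT_FIELDS - set(al.get("fields", []))
    if missing:
        out.append(Finding("audit_logging", "high", f"audit records lack {sorted(missing)}"))
    if not al.get("central_forwarding", False):
        out.append(Finding("audit_logging", "medium", "logs kept only on the device; not forwarded to a central SIEM"))
    return out


def check_transmission_security(cfg):
    ts = cfg.get("transmission_security", {})
    if not ts.get("tls_enabled", False):
        return [Finding("transmission_security", "high", "PHI transmitted without TLS")]
    out = []
    if ts.get("min_tls_version", "1.0") < "1.2":   # string compare is fine for "1.0".."1.3"
        out.append(Finding("transmission_security", "high", "minimum TLS version below 1.2"))
    if not ts.get("verify_server_cert", False):
        out.append(Finding("transmission_security", "high", "server certificate not verified; connection can be intercepted"))
    return out


def check_incident_response(cfg):
    ir = cfg.get("incident_response", {})
    out = []
    if not ir.get("in_ir_playbook", False):
        out.append(Finding("incident_response", "medium", "device not covered by the incident response playbook"))
    if not ir.get("manufacturer_security_contact"):
        out.append(Finding("incident_response", "medium", "no manufacturer security contact on file for coordinated disclosure"))
    return out


CHECKS = [check_access_control, check_audit_logging, check_transmission_security, check_incident_response]


def assess(cfg):
    """Run every safeguard check and return the combined list of findings."""
    findings = []
    for check in CHECKS:
        findings.extend(check(cfg))
    return findings


def summarize(findings):
    """Count findings per safeguard category, which is what an auditor first asks for."""
    summary = {}
    for f in findings:
        summary[f.category] = summary.get(f.category, 0) + 1
    return summary


# Constructed sample configurations: a typical weak integration and its hardened form.
WEAK_CONFIG = {
    "access_control": {"shared_service_account": True, "role_based": False, "mfa_for_admin": False},
    "audit_logging": {"enabled": True, "fields": ["timestamp", "action"], "central_forwarding": False},
    "transmission_security": {"tls_enabled": True, "min_tls_version": "1.0", "verify_server_cert": False},
    "incident_response": {},
}
HARDENED_CONFIG = {
    "access_control": {"shared_service_account": False, "role_based": True, "mfa_for_admin": True},
    "audit_logging": {"enabled": True, "fields": sorted(AUDIT_FIELDS), "central_forwarding": True},
    "transmission_security": {"tls_enabled": True, "min_tls_version": "1.2", "verify_server_cert": True},
    "incident_response": {"in_ir_playbook": True, "manufacturer_security_contact": "psirt@example-vendor.invalid"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = assess(cfg)
        print(f"{label}: {len(findings)} findings {summarize(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.category}: {f.message}")
```

The value of a check like this is not the booleans themselves but the per-category record it produces: each finding names the safeguard category it falls under, which is the shape of evidence needed to show a device-connected system was built on the same principles as the rest of the HIPAA environment.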
Medical device safety and cybersecurity regulations: Second in line are the medical device safety and cybersecurity regulations. In the United States, the Food and Drug Administration (FDA) regulates medical devices as safety-critical products. For many years, the medical device industry struggled to get clarity from the FDA on how cybersecurity concerns are evaluated as part of device approvals. In recent years it has become clear that the FDA recognizes cybersecurity as a patient safety risk. Addressing cyber risk is an explicit expectation in both pre-market regulatory submissions and post-market guidance from the FDA, including continuous monitoring, vulnerability management, and coordinated disclosure. IT teams supporting regulated medical devices need to understand how security controls, patching practices, network architecture, and other decisions can affect a device's regulatory status and the manufacturer's obligations to the FDA.
International medical device regulations: A third category is the growing number of international medical device regulations with explicit expectations for medical device cybersecurity. In the European Union, the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) requirements for manufacturers include cybersecurity as part of the risk management and clinical safety expectations. Similar to the U.S. FDA, MDR/IVDR requires organizations to demonstrate that known and foreseeable cybersecurity risks are identified, mitigated to an acceptable level, and monitored throughout the device lifecycle. For IT professionals in international environments, this means being aware of how cybersecurity decisions can affect regulatory approvals, audits, and market access.
Cybersecurity standards and frameworks: Cybersecurity standards and frameworks, while rarely legally required in themselves, heavily influence regulators and audit requirements. Standards like IEC 62304 (medical device software), IEC 81001-5-1 (cybersecurity for health software), ISO 14971 (risk management), the NIST Cybersecurity Framework (CSF), and others are referenced or expected by the regulators and auditors who verify HIPAA, device safety, international compliance, and device cybersecurity requirements. It is extremely useful for IT professionals to know how these standards map to the practical technical controls they implement. While many auditors ask what controls were implemented, they also frequently ask to see how risk decisions were made and documented.
Post-market surveillance and incident reporting: Finally, most of these regulations have some kind of post-market surveillance and incident reporting requirement. This includes detecting, assessing, and reporting cybersecurity events that could reasonably impact patient safety. Vulnerability disclosure programs, security researcher coordination, and even timelines for reporting to regulators when an event reaches a certain level of risk or severity are all important for IT professionals to be aware of, because they are often directly involved in the detection, investigation, containment, and evidence preservation for these events.
Procurement and third-party risk: With procurement requirements growing more stringent, it is important for IT professionals to be aware of the cybersecurity due diligence and evaluation that hospitals are expected to perform for medical devices before buying a product, and periodically throughout its lifecycle in their environment. Understanding a device's software bill of materials (SBOM), patching commitments, end-of-life policies, and general vendor response capabilities is all part of this, as IT professionals will often act as the intermediary between clinical stakeholders, procurement teams, and manufacturers.
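As an added example of the SBOM review step (not code from the original article), the script below reads a CycloneDX-style SBOM supplied by a vendor, flags components with a known vulnerable version range, components that are end-of-life, and components whose version the vendor did not declare, and turns the findings into the decision the IT intermediary takes back to procurement. The SBOM, the advisory list, and the end-of-life list are constructed for illustration; the component names and advisory identifiers are placeholders, not real software or CVEs.

```python
"""Review a vendor-supplied SBOM during device procurement.

Added example, not code from the original article. The SBOM, advisory list
and end-of-life list are constructed; component names and advisory ids are
placeholders, not real software or CVEs.
"""
import json
import re
from dataclasses import dataclass


@dataclass
class Finding:
    component: str
    version: str
    severity: str   # "high" or "medium"
    reason: str


def parse_version(text):
    """Turn '2.4.1' or '1.0.2u' into a tuple of ints; trailing letters are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if dotted version a is older than b, padding the shorter with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


# Constructed reference data: placeholder advisories and an end-of-life list a
# hospital would normally pull from its vulnerability feed and vendor notices.
ADVISORIES = [
    {"name": "libimgcodec", "fixed_in": "2.4.0", "id": "PLACEHOLDER-ADV-001"},
    {"name": "jsonparse", "fixed_in": "1.9.2", "id": "PLACEHOLDER-ADV-002"},
]
END_OF_LIFE = {"netstack-lite"}

# Constructed CycloneDX-style SBOM as a vendor might deliver it.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "acme-telemetry-agent", "version": "3.1.0"},
    {"type": "library", "name": "libimgcodec", "version": "2.3.7"},
    {"type": "library", "name": "jsonparse", "version": "1.9.2"},
    {"type": "library", "name": "netstack-lite", "version": "0.9.1"},
    {"type": "library", "name": "tls-shim"}
  ]
}"""


def load_components(sbom_text):
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return bom.get("components", [])


def review_component(comp, advisories=ADVISORIES, eol=END_OF_LIFE):
    name = comp.get("name", "<unnamed>")
    version = comp.get("version")
    if not version:
        # Without a version nothing can be matched; the vendor must supply it.
        return [Finding(name, "?", "medium", "version not declared; cannot match against advisories")]
    findings = []
    if name in eol:
        findings.append(Finding(name, version, "high", "component is end-of-life; no security fixes expected"))
    for adv in advisories:
        if adv["name"] == name and version_lt(version, adv["fixed_in"]):
            findings.append(Finding(name, version, "high", f"affected by {adv['id']}; fixed in {adv['fixed_in']}"))
    return findings


def review_sbom(sbom_text, advisories=ADVISORIES, eol=END_OF_LIFE):
    findings = []
    for comp in load_components(sbom_text):
        findings.extend(review_component(comp, advisories, eol))
    return findings


def procurement_decision(findings):
    """Escalate on any high finding; otherwise accept, with conditions if anything is open."""
    if any(f.severity == "high" for f in findings):
        return "escalate"
    if findings:
        return "accept with conditions"
    return "accept"


if __name__ == "__main__":
    results = review_sbom(SBOM_JSON)
    for f in results:
        print(f"[{f.severity}] {f.component} {f.version}: {f.reason}")
    print("decision:", procurement_decision(results))
```

Two design points matter here. The advisory match is by component name and version only, so the quality of the review is bounded by how completely the vendor declares versions; an undeclared version is itself a finding rather than a silent skip. And the decision rule stays deliberately simple: any high finding is escalated to the vendor for a patch commitment or end-of-life plan before the purchase proceeds, which keeps the IT team in the intermediary role the text describes.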
