FDA calls for cybersecurity-by-design of medical devices, mentioning shortcomings of past systems and promoting greater manufacturing and regulatory frameworks.

Cybersecurity weaknesses in older medical devices are a renewed concern at the U.S. Food and Drug Administration (FDA) which is embarking on encouraging manufacturers to utilize what it terms secure by design.

In one of the reports published in June 2025, the FDA emphasized that numerous kinds of medical equipment continue using obsolete devices that are more than 20 years old and were never designed with the security of the cyber section in mind. To provide a solid defense, the agency suggests the incorporation of such standards as FIPS 140-2/140-3 of NIST and CISA standards.

According to experts, such soft spots go beyond the devices. Russell Teague of Fortified Health Security stated, Cybersecurity of medical devices starts at the manufacturing stage adding that defects may impact national preparedness and even the safety of the patients.

Agnidipta Sarkar of ColorTokens pointed out that laws today require cybersecurity-by-design and not merely expensive hardware. He wrote that enterprises have to achieve visibility, limit the traffic that is not of utmost importance, and inhibit lateral network penetration so that critical issues do not arise.

Senior consultant Nivedita Murthy further contributed that security is compromised by interoperability problems. She urged the idea of innovation based on AI and implementing the new standards to modernize the combined medical ecosystem.

At the same time, with 2025 approaching two decades after the FDA issued its first cybersecurity recommendations on medical equipment, the regulator seems serious about helping to make patients safer and healthcare systems more resilient with stronger cybersecurity requirements.

The message is getting clear as threats become more sophisticated: the protection of digital foundations of the medical devices is no longer an option; it is a necessity.