• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer

  • Opinion
  • Health IT
    • Behavioral Health
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • AI
    • Blockchain
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage
  • Life Sciences
  • Research

Patching Problems? Securing Medical Device Software Postmarket

by Joseph M. Saunders, Founder and CEO, RunSafe Security 01/28/2025 Leave a Comment

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print
Joseph M. Saunders, Founder and CEO, RunSafe Security

Medical device manufacturers face a conundrum. To meet recent FDA requirements, which were initially introduced a little over a year ago, they now need to quickly provide postmarket updates and patches for their devices to address cybersecurity vulnerabilities and ensure their ongoing safety and effectiveness.

However, medical device manufacturers know all too well that patching takes significant time and engineering resources, is difficult to accomplish for Class II and Class III medical devices, and often interrupts development plans when a vulnerability arises unexpectedly.

The reality is, the healthcare industry remains one of the most targeted critical infrastructure sectors each year. And while patching is important to secure devices postmarket, there needs to be more to the story to give software manufacturers a leg up over would-be attackers.

What the FDA Guidance Calls For

The FDA recommends that manufacturers should have a “plan for the rapid testing, evaluation, and patching of devices deployed in the field.” For cyber devices, this plan is required as part of the premarket submission process. Software manufacturers need to be able to demonstrate their ability to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits.

While the focus on testing, vulnerability identification, and patching hits the right notes for secure software development, medical device manufacturers can take their security a step further, meeting FDA requirements more efficiently while also adding mitigations up front to protect devices.

Patching’s Perfect Complement

While patching focuses on resolving security issues after the fact, there are promising new opportunities to make patching more efficient and to deploy software protections that can defend a medical device in the field even before a patch is available. 

One approach is to adopt security solutions that provide runtime exploit prevention. This security technology is embedded within software applications to allow an already deployed device to defend itself against attack. 

Runtime exploit prevention is able to protect devices from attacks like malware, code injection, backdoors, zero-day vulnerabilities, and memory-based attacks.

While runtime exploit prevention doesn’t eliminate the need to patch, it is immensely helpful in medical device scenarios where time is of the essence and applications are frequently difficult to update. Preventing exploits at runtime significantly reduces the severity and risks of unpatched vulnerabilities, providing much needed protection within an application itself.

Benefits of Proactive Security

There are several benefits to using proactive security solutions like runtime exploit prevention.

  1. Strengthen Premarket Submissions: By using solutions that prevent exploits at runtime, manufacturers can demonstrate as part of their cybersecurity management plan how they are implementing security that goes beyond just patching to provide immediate protection to devices, eliminating the timeframe from vulnerability disclosure to patch that leaves devices open to exploit. Runtime solutions allow device manufacturers to demonstrate how they are lowering risk in devices postmarket with the ability to prevent exploitation of future vulnerabilities and zero days.
  2. Smooth Out the Patching Process: When medical devices have runtime technology applied, manufacturers can take a more measured approach to patch management. First, manufacturers can assess a vulnerability’s severity and evaluate whether their existing protection measures prevent exploitation. If the vulnerability cannot be exploited due to these protections, manufacturers have more flexibility in their patching timeline since the devices remain secure. Manufacturers can align security updates with planned software upgrades, group multiple patches together, and reduce the overall frequency of updates required. This approach is particularly beneficial for Class II and III medical devices, as it maintains security while making the update process more efficient and less disruptive to healthcare operations. Rather than rushing emergency fixes, manufacturers can schedule patches strategically, leading to a more stable and manageable update process.
  3. Reduce FDA Re-approvals: Another challenge to quickly patching devices is the need to go through lengthy FDA re-approvals to apply patches to fielded devices. By having protections in place that allow you to minimize the frequency of patching updates, you won’t have to complete as many FDA re-approvals, which add cost and timeline to the release of new versions.
  4. Increase Medical Device Software Resilience: Vulnerabilities in medical devices continue to rise each year, and connectivity to broader healthcare systems increases the potential damages from an attack. Additionally,  medical devices often have long lifespans, making them difficult to secure. Introducing runtime software protections helps defend the entire healthcare ecosystem, increase resilience against emerging threats, and secure devices throughout their lifespans.

Looking Ahead

While patching is an important part of medical device security, it doesn’t have to be as onerous of a process as it is today. By considering proactive security solutions, medical device manufacturers can complement the patching process, be better equipped to meet existing and new compliance requirements, deliver devices that are more resilient to attack, and ultimately protect the patients and healthcare providers who rely on their devices.


About Joseph M. Saunders

Joseph M. Saunders is the founder and CEO of RunSafe Security, a pioneer of cyberhardening technology for embedded systems deployed across critical infrastructure. He leads a team of former U.S. government cybersecurity specialists who know how attackers think about problems, how they weaponize attacks and how they choose targets.

A 25-year veteran of many leadership roles, Joe is on a personal mission to transform cybersecurity by challenging outdated assumptions and disrupting the economics that motivate hackers to attack.

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Tagged With: Medical Device

Tap Native

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

Reader Interactions

Primary Sidebar

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

Featured Insights

2025 EMR Software Pricing Guide

2025 EMR Software Pricing Guide

Featured Interview

Paradigm Shift in Diabetes Care with Studio Clinics: Q&A with Reach7 Founder Chun Yong

Most-Read

Medtronic to Separate Diabetes Business into New Standalone Company

Medtronic to Separate Diabetes Business into New Standalone Company

White House, IBM Partner to Fight COVID-19 Using Supercomputers

HHS Sets Pricing Targets for Trump’s EO on Most-Favored-Nation Drug Pricing

23andMe to Mine Genetic Data for Drug Discovery

Regeneron to Acquire Key 23andMe Assets for $256M, Pledges Continuity of Consumer Genome Services

CureIS Healthcare Sues Epic: Alleges Anti-Competitive Practices & Trade Secret Theft

The Evolving Role of Physician Advisors: Bridging the Gap Between Clinicians and Administrators

The Evolving Physician Advisor: From UM to Value-Based Care & AI

UnitedHealth Group Names Stephen Hemsley CEO as Andrew Witty Steps Down

UnitedHealth CEO Andrew Witty Steps Down, Stephen Hemsley Returns as CEO

Omada Health Files for IPO

Omada Health Files for IPO

Blue Cross Blue Shield of Massachusetts Launches "CloseKnit" Virtual-First Primary Care Option

Blue Cross Blue Shield of Massachusetts Launches “CloseKnit” Virtual-First Primary Care Option

Osteoboost Launches First FDA-Cleared Prescription Wearable Nationwide to Combat Low Bone Density

Osteoboost Launches First FDA-Cleared Prescription Wearable Nationwide to Combat Low Bone Density

2019 MedTech Breakthrough Award Category Winners Announced

MedTech Breakthrough Announces 2025 MedTech Breakthrough Award Winners

Secondary Sidebar

Footer

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • Submit An Op-Ed
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2025. HIT Consultant Media. All Rights Reserved. Privacy Policy |