Software as a Medical Device
Second Edition
81 Regulatory Affairs Professionals Society
References
All references checked and verified 28 October 2025.
1 International Organization for Standardization. ISO 14971:2019 Medical devices–Application of risk management to medical devices. Published December 2019. Accessed 17 September 2025. https://www.iso.org/standard/72704.html
2 Section 3305 of the Omnibus–Ensuring Cybersecurity of Medical Devices, amending the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices (section 3305). 117th Congress. Accessed 17 September 2025. https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf
3 Ghafur S, et al. A retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digital Medicine. Published online 2 October 2019. Accessed 17 September 2025. doi.org/10.1038/s41746-019-0161-6. https://www.nature.com/articles/s41746-019-0161-6
4 Ralston W. The untold story of a cyberattack, a hospital, and a dying woman. WIRED. Published online 11 November 2020. Accessed 17 September 2025. https://www.wired.co.uk/article/ransomware-hospital-death-germany
5 Carroll M. Patient’s death linked to cyber attack on NHS, hospital trust says. Sky News. Published online 25 June 2025. Accessed 17 September 2025. https://news.sky.com/story/patient-death-linked-to-cyber-attack-on-nhs-hospital-trust-says-13388485
6 European Union Agency for Cybersecurity. ENISA threat landscape: Health sector. Published July 2023. Accessed 17 September 2025. https://www.enisa.europa.eu/publications/health-threat-landscape
7 Microsoft. US Healthcare at risk: Strengthening resiliency against ransomware attacks. Published 2024. Accessed 17 September 2025. https://www.microsoft.com/en-us/security/security-insider/threat-landscape/US-healthcare-at-risk-strengthening-resiliency-against-ransomware-attacks
8 Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. Published 5 May 2017. Accessed 17 September 2025. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745
9 Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Published 5 May 2017. Accessed 17 September 2025. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0746
10 Medical Device Coordination Group. MDCG 2019-16 Rev.1 Guidance on cybersecurity for medical devices. Published July 2020. Accessed 17 September 2025. https://health.ec.europa.eu/document/download/b23b362f-8a56-434c-922a-5b3ca4d0a7a1_en?filename=md_cybersecurity_en.pdf
11 International Medical Device Regulators Forum. Software as a medical device: Possible framework for risk categorization and corresponding considerations. Published 18 September 2014. Accessed 17 September 2025. https://www.imdrf.org/documents/software-medical-device-possible-framework-risk-categorization-and-corresponding-considerations
12 American National Standards Institute, Association for the Advancement of Medical Instrumentation. ANSI/AAMI SW96:2023 Standard for medical device security–Security risk management for device manufacturers. Published 2022. Accessed 17 September 2025. https://array.aami.org/doi/book/10.2345/9781570208621
13 International Electrotechnical Commission. IEC 81001-5-1:2021 Safety, security and effectiveness in the implementation and use of connected medical devices or connected health software–Part 5: Security–Sub-Part 5-1: Security–Activities in the product lifecycle. Published 2021. Accessed 17 September 2025. https://www.iso.org/standard/76097.html
14 National Institute of Standards and Technology. NIST SP 800-218 Secure software development framework V1.1: Recommendations for mitigating the risk of software vulnerabilities (SSDF). Published February 2022. Accessed 17 September 2025. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
15 Food and Drug Administration. Cybersecurity in medical devices: Quality system considerations and content of premarket submissions. Issued 27 June 2025. Accessed 17 September 2025. https://www.fda.gov/media/119933/download
16 Food and Drug Administration. eSTAR program. Current as of 3 December 2025. Accessed 30 December 2025. https://www.fda.gov/medical-devices/how-study-and-market-your-device/estar-program
17 Open Web Application Security Project. Top 10 web application security risks. Accessed 17 September 2025. https://owasp.org/www-project-top-ten/
18 Common Attack Pattern Enumeration and Classification. Accessed 17 September 2025. https://capec.mitre.org/
19 MITRE. Common Weakness Enumeration. Accessed 17 September 2025. https://cwe.mitre.org/
20 Fischer C, Hamming N. White Paper–IEEE PHD cybersecurity standards roadmap. IEEE PHD Cybersecurity Standards Roadmap. Published online 30 April 2019. Accessed 17 September 2025. https://ieeexplore.ieee.org/document/8703258
21 MITRE. Playbook for Threat Modeling Medical Devices. Published online 30 November 2021. Accessed 17 September 2025. https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf
22 International Medical Device Regulators Forum. Principles and practices for medical device security. Published 18 March 2020. Accessed 17 September 2025. https://www.imdrf.org/sites/default/files/docs/imdrf/final/technical/imdrf-tech-200318-pp-mdc-n60.pdf
23 Food and Drug Administration. Off-the-shelf software use in medical devices [guidance]. Issued 11 August 2023. Accessed 14 November 2025. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-medical-devices
24 International Medical Device Regulators Forum. Principles and practices for software bill of materials for medical device cybersecurity. Published 13 April 2023. Accessed 17 September 2025. https://www.imdrf.org/documents/principles-and-practices-software-bill-materials-medical-device-cybersecurity
25 Shimony E. Group policies going rogue. CyberArk. Published online 6 June 2020. Accessed 17 September 2025. https://www.cyberark.com/resources/threat-research-blog/group-policies-going-rogue
26 Food and Drug Administration. Postmarket management of cybersecurity in medical devices [guidance]. Issued 28 December 2016. Accessed 17 September 2025. https://www.fda.gov/media/95862/download
27 International Medical Device Regulators Forum. Principles and practices for the cybersecurity of legacy medical devices. Published 11 April 2023. Accessed 17 September 2025. https://www.imdrf.org/documents/principles-and-practices-cybersecurity-legacy-medical-devices
28 International Organization for Standardization. ISO 81001-1:2021 Health software and health IT systems safety, effectiveness and security–Part 1: Principles and concepts. Published March 2021. Accessed 17 September 2025. https://www.iso.org/standard/71538.html
29 National Electrical Manufacturers Association. ANSI/NEMA HN 1-2019 Manufacturer disclosure statement for medical device security. Published 8 October 2019. Accessed 17 September 2025. https://www.nema.org/standards/view/manufacturer-disclosure-statement-for-medical-device-security