The medical device ecosystem is trapped in a cycle of secrecy. However, regulatory pressure, AI-driven transparency and ethical hacking can force a reckoning. The cycle of secrecy is not always malicious – it is often cultural, sometimes logistical, and occasionally strategic.
There is a quiet rhythm to how vulnerabilities surface in the medical device world. Not with alarms, but with hindsight. A recall notice. A patch advisory. And when silence becomes the default, transparency feels like disruption.
The evolving stance of the US Cybersecurity and Infrastructure Security Agency (CISA) on coordinated vulnerability disclosure (CVD) reflects a shift in tone. It is no longer enough to react. The call is to anticipate, to engage, to disclose with dignity. As one cybersecurity lead put it, “Transparency is not a weakness—it is a signal that you are paying attention.” That signal matters. Especially in healthcare, where trust is not just reputational — it is existential.
Vulnerable applications and operating systems are the targets of most attacks, with threat actors increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. This reality has been brought into sharp focus by a series of major cyberattacks on the healthcare sector.
In 2023, over 60% of medical device vulnerabilities were discovered by external researchers, not manufacturers’ product security functions. Yet, the industry’s default response remains: “Do not ask, do not tell.”
Ransomware attacks on major healthcare systems, such as Change Healthcare in February 2024 and Ascension Health in May 2024, have demonstrated the devastating impact of these threats. These incidents were not just data breaches; they caused widespread operational disruption, affecting prescription services, payment systems and electronic health records across the country. Such attacks expose the fragility of the healthcare ecosystem and highlight the cascading risks posed by a single point of failure within a complex, interconnected network.
The FDA and other global regulators are now directly addressing these escalating threats with legally enforceable cybersecurity requirements. While the FDA has long encouraged cybersecurity as a good practice, it now mandates that manufacturers of cyber devices meet specific conditions in their premarket submissions.
The European Union’s Medical Device Regulation (EU MDR) establishes a rigorous framework for post-market surveillance (PMS) and post-market clinical follow-up (PMCF). This system treats the sale of a medical device not as a conclusion, but as the beginning of a continuous, proactive process. Manufacturers are mandated to create a feedback loop to monitor, analyze and document a device’s safety and performance throughout its entire lifecycle.
This includes providing a Software Bill of Materials (SBOM) to inventory all software components, a plan to monitor and address potential post-market vulnerabilities and a system for making updates and patches available. This marks a clear pivot from voluntary guidelines to enforceable rules, fundamentally changing the premarket responsibility of manufacturers.
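The SBOM requirement described above is only useful if the inventory is actually checked against incoming vulnerability information. As an added example (not from the article, the FDA or any vendor's tooling), the script below parses a small CycloneDX-style SBOM and cross-references each component against an advisory feed to produce a post-market monitoring list. Both the SBOM and the advisory entries are constructed for illustration, and the advisory identifiers are placeholders rather than real CVEs; in practice the SBOM would be the manufacturer's own export and the feed would come from sources such as the NVD or vendor advisories.

```python
"""Cross-reference an SBOM against vulnerability advisories.

Added example, not from the article or any regulator's tooling. The SBOM and
the advisory feed are constructed; identifiers are placeholders, not CVEs.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical device controller.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "pump-controller", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "sqlite", "version": "3.41.2",
     "purl": "pkg:generic/sqlite@3.41.2"},
    {"type": "operating-system", "name": "embedded-linux", "version": "5.10.100",
     "purl": "pkg:generic/embedded-linux@5.10.100"}
  ]
}
"""

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "sqlite",
     "introduced": "3.40.0", "fixed": "3.41.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "name": "embedded-linux",
     "introduced": "5.10.0", "fixed": "5.10.120", "severity": "high"},
]


def version_key(version: str) -> Tuple:
    """Sortable key: numeric runs compare as integers, letter runs as text.

    This lets '1.1.1k' sort before '1.1.1l' and '5.10.100' before '5.10.120',
    which plain string comparison gets wrong.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under version_key ordering."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def find_affected(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair in the affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def severity_counts(findings: List[Dict]) -> Dict[str, int]:
    """Summarise findings by severity for the post-market monitoring record."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_affected(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['advisory']}: {f['component']} {f['version']} "
              f"({f['severity']}), fixed in {f['fixed_in']}")
    print("summary:", severity_counts(results))
```

Running this against the constructed data flags the openssl and embedded-linux components and clears sqlite, because its version is at or past the advisory's fix. The range check is the part worth getting right: string comparison of versions produces both false positives and false negatives, which in a monitoring programme translates directly into missed patches or wasted investigation.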
A Global Shift Toward Transparency
Global trends show a clear move toward a more transparent and collaborative approach. For example:
- In Japan, the Information-technology Promotion Agency (IPA) serves as the contact organization, while the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) serves as the coordinating organization.
- As medical devices become more connected to the internet and hospital networks, they face increased cybersecurity risks that may affect safety and effectiveness. The US Cybersecurity and Infrastructure Security Agency recommends minimizing network exposure, blocking internet access and isolating control system networks behind firewalls and from business systems.
- Generative AI systems reduce repetitive, time-consuming tasks and have already improved efficiency at the FDA, enabling scientists to complete work in minutes instead of days.
This growing global consensus reinforces that transparency and proactive vulnerability management are becoming the standard of care.
Still, within many organizations, the sentiment remains: if it is not broken, why fix it? This is not always wrong. Legacy systems carry decades of clinical validation. Risk aversion is not negligence. But when vulnerabilities do come to light, the response must be more than containment. It must be a conversation.
In light of this, Coordinated Vulnerability Disclosure (CVD) is no longer a fringe concept but a foundational element of a secure product lifecycle. While its definition can vary, the European Union Agency for Cybersecurity (ENISA) describes it as a process that ensures vulnerabilities are publicly revealed only once a fix or mitigation has been developed. This ensures a responsible approach that protects patients while providing necessary information. Notably, even when formal CVD is not legally required, risk reporting remains a common ethical baseline for disclosure.
In these moments, the boundaries of responsibility become visible. Who knew what, when? Who acted, how? Who informed, and who remained silent? The regulatory frameworks are beginning to reflect this complexity. The FDA’s Safe Harbor provisions offer a carrot, not a stick—encouraging manufacturers to disclose without fear of punitive backlash (per the FDA, no penalties for manufacturers who disclose and patch within 30 days). Other jurisdictions are watching, learning, adapting. The knowledge base is growing, shaped by incidents across continents and sectors. Each breach, each recall, each advisory, adds a layer to the global understanding of what post-market vigilance truly means.
There is a recent, yet familiar, story of a hospital IT team discovering a vulnerability in a diagnostic system. They reported it. The manufacturer hesitated. The hospital patched around it. Eventually, the issue was resolved. But the trust had frayed. “We were not asking for perfection,” the hospital lead said. “We were asking to be heard.”
Coordinated vulnerability disclosure is not a silver bullet. It is a scaffold – a way to ensure that silence is not the first response, and that transparency does not arrive too late. It requires humility, clarity and a willingness to engage across domains. Not everyone will embrace it immediately. Not every system will adapt smoothly. But the direction is clear. As the landscape evolves, so must our conversations. Not to assign blame, but to share insight. Not to disrupt, but to prepare. And perhaps, in doing so, to build a future where transparency is not a risk – but a strength.
Editor's note: For further insights on this topic, read Jayakumar Sundaram's Journal article, “Coordinated Vulnerability Disclosure in Medical Device Manufacturing,” ISACA Journal, volume 5, 2025.