Medical Devices#
Reference of medical device categories, the major manufacturers, the standards governing them, and the cyber- risk surface (legacy OS, network exposure, and the FDA / EU MDR regulatory frame). Useful for hospital pentest, IR engagements, and OT-style asset inventory in healthcare.
For healthcare data formats and codes see Healthcare Codes. For ICS adjacency see ICS / SCADA / OT. For OS / firmware analysis see Reverse Engineering.
Device categories#
Category |
Examples |
|---|---|
Implantable |
Pacemakers, ICDs, neurostimulators, insulin pumps, cochlear implants. Wireless updates via MICS / Bluetooth. |
Infusion |
IV infusion pumps, syringe pumps, PCA pumps; networked. |
Imaging |
CT / MRI / X-ray / ultrasound / PET / mammo; large workstations + DICOM servers. |
Monitoring |
Patient monitors, telemetry, central stations; ECG, SpO2, BP. |
Anesthesia |
Anesthesia workstations + ventilators. |
Surgical robotics |
Da Vinci (Intuitive), Mako (Stryker), Versius (CMR). |
Lab / IVD |
Hematology, chemistry analyzers; LIS-connected. |
PoC diagnostics |
Glucometers, bedside testing. |
Endoscopy / endotool |
Endoscopes + insufflators + processors. |
Dialysis |
Hemo + peritoneal; networked. |
Radiation oncology |
Linacs (Varian, Elekta) + treatment planning. |
Sterilisation |
Autoclaves, washer-disinfectors. |
Pharmacy automation |
Pyxis, Omnicell drug-dispensing cabinets. |
Health-IT |
EHR, PACS, RIS, LIS, CPOE; the data plane. |
Wearables / consumer |
Apple Watch, Fitbit, Garmin (now FDA-cleared atrial fib). |
Major manufacturers#
Vendor |
Country |
Notes |
|---|---|---|
Medtronic |
US (Ireland) |
Implantable cardiac, neuro, insulin pumps; #1 by revenue. |
Johnson & Johnson |
US |
MedTech div; surgical robots (Monarch), Ethicon. |
Abbott / St Jude Med |
US |
Cardiac, glucose (Libre), neuro. |
Boston Scientific |
US |
Cardiac, neuro, endo. |
Stryker |
US |
Orthopedic implants + Mako robot. |
Zimmer Biomet |
US |
Orthopedic. |
Roche Diagnostics |
CH |
IVD analyzers. |
Siemens Healthineers |
DE |
Imaging + IVD. |
GE HealthCare |
US |
Imaging + monitoring + ultrasound. |
Philips Healthcare |
NL |
Imaging + monitoring + IntelliVue. |
Canon Medical |
JP |
Imaging. |
Hitachi Healthcare |
JP |
Imaging. |
Hologic |
US |
Mammo. |
Varian (Siemens) |
US |
Radiotherapy linacs. |
Elekta |
SE |
Radiotherapy. |
Intuitive Surgical |
US |
Da Vinci robot. |
Smith+Nephew |
UK |
Ortho. |
|
DE |
Infusion + dialysis. |
Baxter |
US |
Infusion (Spectrum), dialysis, hospital products. |
ICU Medical |
US |
Infusion (Plum 360, Sapphire). |
Becton Dickinson (BD) |
US |
Medication management (Pyxis), syringes, lab. |
Hologic / Welch Allyn |
US/Hill-Rom |
Vital signs. |
Hill-Rom (Baxter) |
US |
Beds + monitoring. |
Stryker (acq Vocera) |
US |
Communication. |
Mindray |
CN |
Patient monitors + IVD; cost-competitive. |
Drager |
DE |
Anesthesia + ventilators. |
Mortara (Baxter) |
US |
ECG. |
Welch Allyn (Hill-Rom |
) US |
Vital signs. |
DePuy (J&J) |
US |
Ortho. |
Olympus |
JP |
Endoscopy. |
Karl Storz |
DE |
Endoscopy. |
Health-IT (EHR / PACS / LIS)#
Product |
Vendor |
Notes |
|---|---|---|
Epic |
Epic |
Largest US EHR; ~30% market share; MyChart patient portal. |
Cerner / Oracle Healt h |
Oracle |
#2 US; bought by Oracle 2022. |
Meditech |
Meditech |
Hospital EHR. |
Allscripts / Veradigm |
Veradigm |
Mid-market EHR. |
Athenahealth |
Athena |
Cloud EHR. |
eClinicalWorks |
eCW |
Ambulatory EHR. |
NextGen |
NextGen |
Ambulatory EHR. |
McKesson Paragon |
McKesson |
Hospital. |
NHS Spine / SystmOne |
TPP / Cerner |
UK NHS systems. |
Doctolib |
FR/DE |
EU practice management. |
Aidoc / Viz.ai |
Aidoc / Viz |
AI imaging analysis. |
GE Centricity |
GE |
PACS / RIS. |
Sectra PACS |
Sectra |
PACS. |
Carestream PACS |
Carestream |
PACS. |
Agfa HealthCare PACS |
Agfa |
PACS. |
DCM4chee, Orthanc |
OSS |
OSS DICOM servers. |
LabWare LIMS |
LabWare |
Lab. |
Sunquest |
CliniSys |
Lab IS. |
Standards / protocols#
Standard |
Notes |
|---|---|
DICOM |
Digital Imaging and Communications in Medicine; ISO 12052; the standard for medical imaging exchange. NEMA-developed. |
DICOMweb |
REST + JSON over HTTP for DICOM. |
HL7 v2.x |
Pipe-delimited messaging; the legacy standard; v2.5+ widespread. |
HL7 v3 / CDA |
XML-based. |
HL7 FHIR |
REST + JSON; the modern interop standard; mandated by US ONC interop rules. |
LOINC |
Lab + clinical observation codes. |
SNOMED CT |
Comprehensive clinical terminology; IHTSDO. |
ICD-10 / ICD-11 |
WHO disease codes. |
CPT |
AMA procedure codes. |
RxNorm |
US drug code. |
NDC |
National Drug Code. |
USCDI |
US Core Data for Interoperability. |
IHE Profiles |
Integrating the Healthcare Enterprise framework. |
PIX / PDQ |
Patient Identifier Cross-Reference / Patient Demographics Query. |
XDS |
Cross-Enterprise Document Sharing. |
mDC |
Medical Device Communication. |
IEEE 11073 |
Medical device communication standards (PHD profiles). |
ISO 13485 |
Quality management for medical devices. |
ISO 14971 |
Risk management for medical devices. |
IEC 62304 |
Medical device software lifecycle. |
IEC 62366 |
Usability engineering. |
IEC 60601 |
Electrical safety. |
IEC 80001 |
Risk management for IT-networks with medical devices. |
Regulatory frameworks#
Region |
Notes |
|---|---|
US FDA Class I/II/III |
21 CFR Part 820 QSR; Class III pre-market approval. |
US FDA SaMD / 510(k) |
Software as a Medical Device; 510(k) clearance pathway. |
US FDA Cybersecurity |
Section 524B (PATCH Act 2022), new devices must include SBOM, coordinated disclosure, and security update process. |
HIPAA |
Patient health info privacy + security. |
HITECH |
Breach notification. |
21st Century Cures |
Information blocking + interop. |
EU MDR (2017/745) |
EU Medical Devices Regulation (replaced MDD). |
EU IVDR (2017/746) |
EU In Vitro Diagnostic Regulation. |
NIS2 |
EU critical-infrastructure cyber for healthcare. |
GDPR |
Health data is special-category (Art 9). |
UK MHRA |
UK regulator post-Brexit. |
JP PMDA |
Japan medical device authority. |
PMDA / Cures |
Various national regulators. |
Cyber-risk highlights#
Risk |
Notes |
|---|---|
Legacy OS |
Many devices run Windows XP / 7 / Server 2003-2008 long past EoL; airgap or segment. |
Hard-coded creds |
Common; vendor-disclosed via FDA Communications. |
Unsigned firmware |
Some devices accept unsigned updates. |
Unencrypted DICOM |
Default DICOM has no auth; PACS often exposed unauth. |
Bluetooth / MICS |
Implantable devices (Medtronic CareLink) have had auth flaws (CVE-2018-8870, MedSec / Muddy Waters disclosures). |
Wireless infusion |
Many pumps support WPA2 + cleartext config (BD Alaris, Smiths Medical). |
Insider abuse |
Drug-dispensing carts (Pyxis / Omnicell) are physical / digital hybrids. |
Ransomware |
Healthcare is the #1 ransomware target sector (Change Healthcare 2024, Ascension 2024, NHS 2017 WannaCry). |
EHR data theft |
PHI is high-value on dark markets (multi-decade liability). |
Common research / tooling#
Tool |
Notes |
|---|---|
MedISAO / H-ISAC |
Threat-sharing for healthcare. |
FDA MedWatch + MAUDE |
Adverse event database. |
FDA Cybersecurity Adv |
CWEs / SBOMs / advisories. |
ICS-CERT MedCERT advi sories |
CISA medical-device advisories. |
medical-device-securi |
ty mailing lists FDA MITRE healthcare playbook. |
Wireshark + DICOM dis sector |
PACS analysis. |
dcm4che / dcm4chee to olkit |
DICOM testing. |
Orthanc + dcmtk |
DICOM server / CLI tools. |
Mitre Med-CWE |
Healthcare-specific CWE list. |
Manufacturer Disclosu |
r e Statements (MDS²) HIMSS-distributed. |
Operator notes#
Authority, never test on production medical devices without written authority from biomedical engineering and the device-vendor; downtime on a pump or vent can kill someone.
MAUDE is gold for understanding device failure modes; many incidents reported there are cyber-relevant.
Hospital network segmentation, typical hospitals have 5-10x more medical devices than IT endpoints; asset inventory + VLAN segmentation is the lowest-hanging control.
DICOM is the OT of imaging, treat PACS like any other unauth field-bus.
Patch lag, average med-device patch cadence is 90-180 days; some never; segment hard.
Vendor coordinated disclosure is mandatory under FDA 524B as of 2023; many device CVEs now flow through ICS-CERT.
PHI breach reporting: HIPAA 60-day window; OCR fines.
Biomed dept is the right partner; security alone can’t touch most devices.