Mitigating the Risk of Cyber Attacks in Remote Patient Care with IEEE SA Cybersecurity Standards
In the age of digital health, connected medical devices are transforming patient care. From insulin pumps and glucose monitors to smart inhalers and wearable ECGs, these devices deliver real-time data, enable remote monitoring, and improve clinical outcomes. However, as connectivity increases across devices, so does the risk of cyber attacks. For engineers tasked with designing these devices, security by design is more imperative than ever for compliance.
The Expanding Threat Landscape
Cybersecurity threats targeting connected medical devices are growing in frequency and sophistication.[1] These devices often operate in complex environments, rely on wireless communication, and store sensitive patient data. A single vulnerability can compromise both device functionality and patient safety and privacy.
Consider a scenario in which an attacker exploits a vulnerability in a Bluetooth-enabled insulin pump. The attacker could alter dosage settings or disable alerts, putting the patient at serious risk. Such vulnerabilities arise because every connected device adds new entry points,[2] leaving patients who rely on clinician-recommended technologies for their care susceptible to attack.
Additionally, connected medical devices can collect sensitive personal data, including protected health information and payment details. When this data is exposed outside of secure healthcare systems, it raises significant privacy concerns and opens the door for cyber attackers to exploit the information for malicious purposes. With a 2022 FBI report[3] noting that 53% of devices have a known critical vulnerability, the growing interconnectedness of devices, and the volume of cyberattacks impacting the healthcare industry, privacy has become a significant concern.
These are not theoretical concerns. In recent years, the U.S. Food and Drug Administration (FDA) has issued multiple safety communications[4] warning of cybersecurity vulnerabilities in medical devices.
For engineers, the challenge lies in balancing innovation with risk mitigation. Devices must be compact, power-efficient, and user-friendly, yet secure enough to withstand evolving cyber threats. This balancing act calls for a structured, standards-based approach.
IEEE 2621™: A Standards-Based Solution
The IEEE Standards Association (IEEE SA) introduced the IEEE 2621™ series of standards[5] to address these challenges. This family of standards currently provides a framework for evaluating and certifying the cybersecurity of connected diabetes devices, with plans to expand to other device categories in the future.
IEEE 2621 aligns with national and international cybersecurity strategies, including the FDA’s pre-market and post-market guidance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and Section 524B of the Federal Food, Drug, and Cosmetic Act. It also incorporates best practices from IEC 80001-5-1 and AAMI TIR57.
The standard was developed through a collaborative effort involving manufacturers, clinicians, regulators, and cybersecurity experts. This multidisciplinary approach ensures that the standard addresses real-world threats while remaining practical for implementation.
Inside the IEEE 2621 Framework
IEEE 2621 provides functional requirements for wireless security evaluations. It outlines how to assess device resilience against common attack vectors such as unauthorized access, data interception, and firmware manipulation.
The standard emphasizes a lifecycle approach to cybersecurity. It encourages engineers to embed security considerations from the earliest stages of product development through deployment and maintenance. Key components include:
- Authentication and authorization: Ensuring only trusted users and systems can access the device
- Data integrity and confidentiality: Protecting patient data from tampering and unauthorized disclosure
- Secure firmware updates: Verifying the authenticity and integrity of software updates
- Incident response planning: Preparing for and mitigating the impact of security breaches
By following IEEE 2621, engineers can design devices that not only meet regulatory expectations but also earn the trust of healthcare providers and patients.
Certification: From Compliance to Competitive Advantage
Cybersecurity readiness is much more than a simple value add. In today’s regulatory environment, demonstrating readiness is an essential requirement. The IEEE Medical Device Cybersecurity Certification Program,[6] developed under the IEEE Conformity Assessment Program (ICAP), offers manufacturers a clear, standardized path to validate the cybersecurity posture of their connected medical devices.
This program is built around the IEEE 2621™ series of standards defining functional requirements for wireless diabetes device security. However, the certification framework is designed to scale across a broader range of connected medical technologies. It provides a structured, third-party assessment process that aligns with FDA expectations and global regulatory trends.
The Certification Process
The certification program follows a rigorous, multi-phase process designed to ensure both technical robustness and regulatory alignment:
- Pre-assessment and gap analysis—Manufacturers begin with a pre-assessment phase, where ICAP experts evaluate the device’s current cybersecurity controls against the IEEE 2621 standard. This step identifies gaps early in the process, allowing teams to make targeted improvements before formal testing begins.
- Formal testing and evaluation—Accredited third-party laboratories conduct comprehensive testing using the IEEE 2621 Test Plan and Checklists. These tools ensure consistency, repeatability, and transparency in the evaluation process. Tests cover authentication, encryption, secure firmware updates, data integrity, and more.
- Standardized reporting and documentation—Upon successful evaluation, manufacturers receive a Certification Report and Certificate of Conformity. These documents are formatted to support regulatory submissions, including FDA premarket filings. The standardized format reduces ambiguity and accelerates the review process.
- Ongoing surveillance and lifecycle support—Certification is not a one-time event. The program supports ongoing surveillance and re-certification to ensure continued compliance as devices evolve through software updates or hardware revisions.
Why Certification Matters
For electrical engineers and compliance teams, the certification program offers several strategic advantages:
- Accelerated regulatory approval—Certification aligns with FDA cybersecurity guidance and supports Section 524B of the Federal Food, Drug, and Cosmetic Act. This alignment can streamline pre-market submissions and reduce time-to-market.
- Risk reduction and liability mitigation—Manufacturers reduce the risk of post-market recalls, security breaches, and associated legal exposure by validating cybersecurity controls through an independent third party.
- Market differentiation and trust—Certification signals to healthcare providers, procurement officers, and patients that a device meets rigorous cybersecurity standards. It enhances brand credibility and can serve as a competitive differentiator in a crowded market.
- Engineering efficiency—The certification framework provides engineers with a clear roadmap for design and testing. It reduces guesswork, minimizes rework, and ensures that security is integrated from the ground up.
- Global scalability—The program is designed to harmonize with global standards, making it easier for manufacturers to meet compliance requirements across multiple jurisdictions.
The Ultimate Goal: Secure, Compliant Innovation
The IEEE Medical Device Cybersecurity Certification Program is more than a compliance tool; it’s a catalyst for innovation. By embedding security into the design and validation process, manufacturers can bring safer, more innovative devices to market faster. For engineers, it offers a structured, standards-based approach to solving one of the most complex challenges in modern medical device development.
Choosing certification isn’t just about checking a box. It’s about building trust, protecting patients, and future-proofing your products in a rapidly evolving threat landscape.
Standards Integration
IEEE 2621 doesn’t exist in a vacuum. Other medical device workstreams at IEEE SA also integrate cybersecurity measures to protect patient privacy, ensure the integrity of medical data, and support the interoperability of connected devices.
- The IEEE 11073 Standards Committee[7] collaborates with other global standards organizations to address the need for an openly defined, independent standard for controlling information exchange among connected personal health devices (PHDs) and the systems used to manage and control them (e.g., cell phones, personal computers, health gateways, etc.).
- Another relevant IEEE SA activity is the Zero Trust Cybersecurity for Health Technology Tools, Services, and Devices Industry Connections Program.[8] It is a global community of technology stakeholders developing recommendations for a suite of new zero-trust network access (ZTNA) standards that integrate commercial and open-source products to showcase robust security features of Zero Trust Architecture (ZTA) when applied to enterprise IT use cases.
- The recently published IEEE/UL 2933™-2024, Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS – Trust, Identity, Privacy, Protection, Safety, Security,[9] is a TIPPSS framework for clinical IoT data and device interoperability with healthcare systems, including electronic health records (EHR), electronic medical records (EMR), other clinical IoT devices, in-hospital devices, and future devices and connected healthcare systems.
By harmonizing with these frameworks, IEEE 2621 supports global compliance efforts. Engineers working on products intended for international distribution can leverage the standard to meet diverse regulatory requirements without duplicating effort.
Looking Ahead
The IEEE 2621 series is just the beginning. Future iterations and other standards will expand to cover a broader range of medical devices, including cardiovascular implants, neurostimulators, and wearable diagnostics. The need for robust, scalable cybersecurity standards will only grow as the healthcare ecosystem becomes more interconnected, making way for entry points that have yet to be secured.
For engineers, this evolution presents both a challenge and an opportunity. Those who embrace cybersecurity as a core design principle will not only ensure compliance but will also drive innovation, protect patients, and strengthen their organization’s competitive position.
Connected medical devices are reshaping healthcare, but they also introduce new risks. Cybersecurity is now a critical component of product compliance, and engineers play a central role in securing the future of digital health. By adopting standards like IEEE 2621, leveraging certification programs, and embedding security into every phase of development, engineers can build devices that are not only innovative but also safe, secure, and compliant.
The path forward is clear. Put security by design at the forefront. Then, align with global standards. Finally, lead the charge in building a safer, smarter, and patient-focused healthcare environment.
To learn more about the IEEE 2621 series of standards and other standards securing connected medical devices, please visit the IEEE Standards Association website[10] to see our latest news, including standards development and releases, as well as current and future webinars.
We always welcome volunteers to join our efforts, including our Medical Device Cybersecurity Certification Program. Together, we can shape the future of medical devices and create a secure and innovative healthcare environment that can help patients on their health journey and providers in search of devices they can trust to provide care.
Endnotes
1. “Healthcare’s Growing Threat Landscape,” ISACA website, February 3, 2025.
2. “FDA reports potential cybersecurity risk with insulin pump system,” American Hospital Association website, September 20, 2022.
3. “Private Industry Notification,” Federal Bureau of Investigation, Cyber Division, September 12, 2022.
4. “US FDA identifies cybersecurity risks in certain patient monitors,” Reuters, January 30, 2025.
5. “Addressing the Need for Protecting Cybersecurity in Connected Diabetes Devices,” IEEE Standards Association, July 28, 2022.
6. “IEEE Medical Device Cybersecurity Certification Program,” IEEE Standards Association.
7. “Personal Health Devices WG,” IEEE Standards Association.
8. “Zero Trust Cybersecurity for Health Technology Tools, Services, and Devices,” IEEE Standards Association.
9. “IEEE/UL Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS—Trust, Identity, Privacy, Protection, Safety, and Security,” IEEE Standards Association.
10. “Raising the World’s Standards,” IEEE Standards Association home page.
