IEC 62443 for Medical Device Manufacturers: What You Need to Know
If you're building a connected medical device, you've probably seen IEC 62443 referenced in FDA guidance documents, customer security questionnaires, or competitor marketing. It's becoming the de facto cybersecurity standard for medical devices — but it wasn't written for medical devices specifically, and that's where manufacturers get confused.
This post breaks down what IEC 62443 is, which parts apply to your device, and how it fits into your FDA submission.
What Is IEC 62443?
IEC 62443 is a series of standards originally developed for industrial automation and control systems (IACS). It covers cybersecurity across the entire lifecycle — from design and development through deployment, maintenance, and decommissioning.
The FDA doesn't mandate IEC 62443 compliance. But their premarket cybersecurity guidance repeatedly references it as an acceptable framework for demonstrating that you've addressed cybersecurity systematically. When an FDA reviewer asks "what standards did you follow?" — IEC 62443 is a strong answer.
The standard is split into four series:
- Series 1 (General): Terminology, concepts, and models
- Series 2 (Policies & Procedures): Security management system requirements for asset owners and service providers
- Series 3 (System): Security requirements at the system level — zones, conduits, and security levels
- Series 4 (Component): Security requirements for individual components and products
For medical device manufacturers, Series 4 is the most directly relevant — specifically IEC 62443-4-1 (secure development lifecycle) and IEC 62443-4-2 (component security requirements).
IEC 62443-4-1: Secure Development Lifecycle
This part defines the process requirements for developing secure products. It's not about what your device does — it's about how your engineering team builds it. Key requirements include:
- Security by design: Security requirements defined early in the development process, not bolted on at the end
- Threat modeling: Systematic identification of threats and attack surfaces (STRIDE, TARA, attack trees)
- Secure coding practices: Code review, static analysis, and coding standards that prevent common vulnerability classes
- Security testing: Penetration testing, fuzz testing, and vulnerability scanning as part of the development cycle
- Patch management: A defined process for addressing vulnerabilities discovered after release
- Configuration management: Secure defaults, hardening guides, and documented security configurations
If you're preparing for an FDA submission, documenting your compliance with IEC 62443-4-1 demonstrates that your team has a mature, repeatable security process — not just a one-time pentest before submission.
IEC 62443-4-2: Component Security Requirements
This part defines the technical security capabilities your device needs to have. It organizes requirements into seven foundational categories:
1. Identification and Authentication Control
- Unique device identity
- User authentication before granting access
- Strength of authentication mechanisms (passwords, certificates, biometrics)
2. Use Control
- Authorization and access control (who can do what)
- Least privilege enforcement
- Session management and timeout
3. System Integrity
- Communication integrity (data hasn't been tampered with in transit)
- Protection against malicious code
- Input validation
4. Data Confidentiality
- Encryption of data at rest and in transit
- Key management
- Protection of sensitive configuration data
5. Restricted Data Flow
- Network segmentation
- Firewall and filtering capabilities
- Control of information flow between security zones
6. Timely Response to Events
- Audit logging
- Monitoring capabilities
- Alerting on security-relevant events
7. Resource Availability
- Denial-of-service protection
- Backup and recovery capabilities
- Graceful degradation under attack
Each requirement is mapped to a Security Level (SL) from 1 to 4, where SL-1 protects against casual or unintentional violations and SL-4 protects against state-sponsored attacks. Most medical devices target SL-2 or SL-3.
How IEC 62443 Maps to FDA Expectations
The FDA's premarket cybersecurity guidance doesn't use IEC 62443 terminology directly, but the overlap is significant:
| FDA Expectation | IEC 62443 Equivalent |
|---|---|
| Threat modeling | 4-1: Threat modeling requirement |
| SBOM (Software Bill of Materials) | 4-1: Configuration management |
| Cybersecurity testing | 4-1: Security verification and validation |
| Authentication and access control | 4-2: Identification and authentication |
| Encryption | 4-2: Data confidentiality |
| Secure update mechanism | 4-1: Patch management, 4-2: System integrity |
| Post-market monitoring | 4-1: Security update management |
If you structure your cybersecurity documentation around IEC 62443, you'll naturally address most of what the FDA is looking for. The gaps are typically FDA-specific requirements like clinical risk assessment and patient impact analysis — which IEC 62443 doesn't cover since it wasn't written for healthcare.
Common Mistakes Manufacturers Make
Trying to certify to the entire standard
IEC 62443 is massive. You don't need to implement every part. Focus on 4-1 (your development process) and 4-2 (your device's security capabilities). Series 2 and 3 are more relevant to facility operators and system integrators — not device manufacturers.
Treating it as a checklist
IEC 62443-4-1 is a process standard. You can't just check boxes — you need to demonstrate that your team actually follows the practices. FDA reviewers will ask for evidence: threat models, code review records, test results, vulnerability tracking.
Ignoring the Security Level assignment
Your device doesn't need to meet SL-4 across the board. The appropriate Security Level depends on the threat environment your device operates in and the clinical risk of a security breach. An implantable cardiac device and a hospital room temperature sensor have very different risk profiles. Over-engineering security adds cost and complexity; under-engineering it gets your submission rejected.
Not mapping findings to clinical impact
IEC 62443 uses standard CVSS-style severity ratings. The FDA wants to see clinical impact — how does this vulnerability affect patient safety? A medium-severity network vulnerability might be critical if it allows modification of drug dosage parameters. Your documentation needs to bridge this gap.
How We Help
When we perform a penetration test, our report maps findings to both IEC 62443 requirements and FDA premarket cybersecurity expectations. This gives you a single document that addresses both frameworks — useful for your FDA submission and for customers who require IEC 62443 compliance evidence from their device vendors.
Ready to secure your device?
Our penetration tests are designed specifically for FDA premarket and post-market requirements.