Cybersecurity for AI-Enabled Medical Devices: Ensuring Safety, Compliance and Trust

Artificial Intelligence (AI) is reshaping healthcare, powering a new generation of AI-enabled medical devices that improve diagnostics, personalise treatment and enhance patient outcomes. Yet as these devices become more intelligent and interconnected, they also introduce new cybersecurity challenges that can directly affect patient safety and regulatory compliance.

The EU Artificial Intelligence Act (AIA), together with the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR), places strong emphasis on cybersecurity and data integrity. The latest MDCG 2025-6 guidance highlights that AI systems used within medical devices must meet both sets of requirements, ensuring safety, robustness, and cybersecurity throughout the device lifecycle.

The Intersection of AI, Medical Devices, and Cybersecurity

AI’s ability to learn from large volumes of data brings enormous clinical value but also creates new attack surfaces. If an algorithm is compromised, the output could lead to misdiagnosis or inappropriate treatment. Data breaches may expose sensitive patient information, while manipulated training data can degrade model accuracy or even embed hidden vulnerabilities across entire fleets of devices.

The MDCG 2025-6 FAQ underscores that cybersecurity, accuracy and robustness are essential parts of the risk-management process for AI-enabled medical devices. Manufacturers must demonstrate not only safety and performance under the MDR/IVDR but also compliance with AI-specific requirements under the AIA, particularly around data governance, model transparency, and resilience against manipulation.

Core Cybersecurity Requirements for High-Risk AI Medical Devices

Devices that incorporate high-risk AI systems must implement comprehensive, lifecycle-wide cybersecurity measures aligned with both medical-device and AI regulations.

1. Continuous Risk Management

Manufacturers are expected to perform ongoing, iterative risk assessments that address availability, integrity, confidentiality and patient safety. Risk-management plans must evolve with emerging threats, updated software, or adaptive AI behaviour. This proactive approach ensures that cybersecurity remains a living component of the device’s quality-management system.

2. Secure Design and Development

Security must be embedded from the concept stage. Early-stage threat modelling helps identify potential vulnerabilities before they become systemic. Secure-coding standards, data-protection controls and encrypted communications are vital to protecting both patient data and algorithmic integrity. Role-based access controls further prevent unauthorised use or tampering.

3. Managing AI-Specific Vulnerabilities

AI introduces unique risks that go beyond traditional software threats. Adversarial attacks can trick models into producing false results; data poisoning can corrupt training sets; and model-extraction can expose proprietary algorithms. The AIA requires that high-risk systems remain accurate, robust and cybersecure, meaning manufacturers must actively mitigate these threats through careful data management, validation and monitoring.

4. Rigorous Testing and Validation

Before market placement, manufacturers should conduct comprehensive security testing, including penetration testing, vulnerability scanning and resilience testing. The results must be documented in the device’s technical file to support regulatory review and demonstrate conformity with both the MDR/IVDR and AIA requirements.

5. Post-Market Monitoring and Incident Response

Cybersecurity responsibilities do not end at product launch. Ongoing post-market surveillance ensures that deployed devices remain secure throughout their lifecycle. A well-defined incident-response plan covering detection, containment, communication and recovery is critical for minimising disruption. Regular software and firmware updates are also required to address newly identified vulnerabilities.

How Periculo Strengthens Your Cybersecurity Posture

At Periculo, we specialise in securing AI-enabled medical devices and digital health solutions. Our services cover the entire compliance and security lifecycle:

• Medical Device Penetration Testing – simulating real-world cyberattacks.

• Risk Assessments – structured frameworks for identifying and mitigating risks.

• ISO 27001 Compliance Support – implementing robust ISMS frameworks.

• Incident Response Planning – ensuring fast recovery and minimal disruption.

With a strong track record in healthtech cybersecurity, Periculo helps manufacturers meet regulatory requirements while protecting patient safety and trust.

Cybersecurity is no longer a box-ticking exercise; it is fundamental to regulatory compliance, patient safety, and market success. As the EU AI Act comes into force from 2026 for high-risk AI systems, manufacturers must be prepared to demonstrate not only functional performance but also robust protection against cyber-threats.

By integrating cybersecurity from the earliest design stage and maintaining vigilance throughout the device lifecycle, manufacturers can achieve compliance with the AIA, MDR and IVDR while reinforcing trust with clinicians, regulators and patients alike.

In an era where healthcare depends increasingly on intelligent devices, resilience against cyber-threats is not simply best practice, is a prerequisite for safe and ethical innovation.