TL;DR: Health Canada’s pre-market medical device cybersecurity guidance pushes manufacturers to secure device connections, encrypt data, and build access controls and testing into development before products reach the market, according to DigiCert. The practical shift is that device trust now depends on lifecycle governance, not post-deployment patching.
NHIMG editorial — based on content published by DigiCert: Health Canada Guidance for Medical Device Cybersecurity is a Welcome Development
Questions worth separating out
Q: How should healthcare teams govern connected medical device identity?
A: Treat connected medical devices as managed identities with their own lifecycle.
Q: Why do connected medical devices need PKI instead of shared credentials?
A: PKI gives each device a verifiable, revocable identity that backend systems can trust without relying on shared secrets.
Q: What breaks when medical device security is only checked after release?
A: Post-release checks miss the point where trust is first established.
Practitioner guidance
- Inventory every device-to-backend trust relationship. Map each connected medical device to the servers, EHR systems, tablets, and cloud services it can reach.
- Bind device identity to PKI lifecycle controls. Issue unique certificates per device class or instance, then define renewal, rotation, revocation, and retirement procedures alongside product release and field service workflows.
- Embed security testing into verification and validation. Add device-specific abuse cases to validation plans, including unauthorised configuration changes, backend authentication failures, and data exposure in transit.
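The first two points can be checked mechanically against a device inventory. The sketch below is an added example, not code from DigiCert or Health Canada; it assumes a per-instance certificate policy, and the record fields, device names, fingerprints, and hostnames are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory (all names and values are invented).
INVENTORY = [
    {"device": "pump-001", "state": "in_service", "cert_fp": "fp-aaa",
     "not_after": date(2026, 6, 1), "revoked": False,
     "backends": ["ehr.example.internal"]},
    {"device": "pump-002", "state": "in_service", "cert_fp": "fp-aaa",
     "not_after": date(2026, 6, 1), "revoked": False,
     "backends": ["ehr.example.internal"]},
    {"device": "monitor-007", "state": "in_service", "cert_fp": "fp-bbb",
     "not_after": date(2026, 2, 1), "revoked": False, "backends": []},
    {"device": "monitor-003", "state": "retired", "cert_fp": "fp-ccc",
     "not_after": date(2027, 1, 1), "revoked": False,
     "backends": ["cloud.example.internal"]},
]

def audit(inventory, today, renew_window_days=30):
    """Return (device, finding) pairs for identity-lifecycle gaps."""
    by_fp = defaultdict(list)
    for rec in inventory:
        by_fp[rec["cert_fp"]].append(rec["device"])
    findings = []
    for rec in inventory:
        dev = rec["device"]
        # Assumed policy: one certificate per device instance.
        if len(by_fp[rec["cert_fp"]]) > 1:
            findings.append((dev, "shared_certificate"))
        # Retirement must end trust: the certificate should be revoked.
        if rec["state"] == "retired" and not rec["revoked"]:
            findings.append((dev, "retired_not_revoked"))
        if rec["state"] == "in_service":
            if rec["revoked"]:
                findings.append((dev, "in_service_with_revoked_cert"))
            elif rec["not_after"] < today:
                findings.append((dev, "expired"))
            elif rec["not_after"] - today <= timedelta(days=renew_window_days):
                findings.append((dev, "renewal_due"))
            # Every fielded device needs its backend relationships mapped.
            if not rec["backends"]:
                findings.append((dev, "no_mapped_backends"))
    return findings

if __name__ == "__main__":
    for device, finding in audit(INVENTORY, today=date(2026, 1, 15)):
        print(f"{device}: {finding}")
```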
What's in the full article
DigiCert's full blog covers the implementation detail this post intentionally leaves for the source:
- How the guidance maps to secure authentication for medical devices connecting to backend systems.
- Why the article recommends PKI and digital certificates for device trust and encrypted transport.
- Which device design and validation steps manufacturers should include in product security testing.
- How manufacturers and healthcare operators can think about monitoring for emerging device risks.