TL;DR: Health Canada’s pre-market medical device cybersecurity guidance pushes manufacturers to secure device connections, encrypt data, and build access controls and testing into development before products reach the market, according to DigiCert. The practical shift is that device trust now depends on lifecycle governance, not post-deployment patching.
NHIMG editorial — based on content published by DigiCert: Health Canada Guidance for Medical Device Cybersecurity is a Welcome Development
Questions worth separating out
Q: How should healthcare teams govern connected medical device identity?
A: Treat connected medical devices as managed identities with their own lifecycle.
Q: Why do connected medical devices need PKI instead of shared credentials?
A: PKI gives each device a verifiable, revocable identity that backend systems can trust without relying on shared secrets.
Q: What breaks when medical device security is only checked after release?
A: Post-release checks miss the point where trust is first established.
Practitioner guidance
- Inventory every device-to-backend trust relationship Map each connected medical device to the servers, EHR systems, tablets, and cloud services it can reach.
- Bind device identity to PKI lifecycle controls Issue unique certificates per device class or instance, then define renewal, rotation, revocation, and retirement procedures alongside product release and field service workflows.
- Embed security testing into verification and validation Add device-specific abuse cases to validation plans, including unauthorised configuration changes, backend authentication failures, and data exposure in transit.
What's in the full article
DigiCert's full blog covers the implementation detail this post intentionally leaves for the source:
- How the guidance maps to secure authentication for medical devices connecting to backend systems.
- Why the article recommends PKI and digital certificates for device trust and encrypted transport.
- Which device design and validation steps manufacturers should include in product security testing.
- How manufacturers and healthcare operators can think about monitoring for emerging device risks.
👉 Read DigiCert's guidance on Health Canada medical device cybersecurity →
Medical device cybersecurity guidance: what does it change for PKI?
Explore further
Pre-market security is the only viable control point for medical device identity. Once a device is deployed into clinical or consumer use, the trust boundary becomes distributed across hospitals, networks, patients, and backend systems. That means secure identity, encryption, and access control have to be established before release, not discovered after incident response begins. For practitioners, the implication is that product security and identity governance are inseparable in regulated healthcare environments.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.
A question worth separating out:
Q: Who is accountable for medical device cybersecurity in healthcare?
A: Accountability is shared across device manufacturers, regulators, healthcare IT, and operational users, but manufacturers carry the responsibility to build security into the product. Hospitals and clinicians still need controls for deployment, access, and monitoring. Effective governance assigns ownership across the full device lifecycle.
👉 Read our full editorial: Health Canada medical device cybersecurity guidance raises PKI stakes