Recent U.S. Food and Drug Administration (FDA) guidance recognizes that today's medical devices face a host of cyberthreats. Medical device manufacturers, in turn, face the need to assess and mitigate cyber risks. By combining the cyber risk framework of the National Institute of Standards and Technology (NIST) with the existing International Organization for Standardization (ISO) 14971 Safety Risk Management (SRM) process, manufacturers can leverage proven best practices to make their devices safer and more effective.

The cyberthreat to medical devices arises from two factors. First, increasingly fast and efficient processors now enable full operating systems to run on small implantable devices, where previously only dedicated firmware could be used. Second, modern hardware can readily connect to networks using wired and wireless protocols. Both factors offer markedly increased capability for patients, physicians, caregivers, and healthcare technology management (HTM) professionals, at the cost of opening unforeseen and unintended doorways into a device.

Opening unintended doorways can compromise medical devices in the three major areas of cybersecurity: confidentiality, integrity, and availability. Confidentiality refers to preserving authorized restrictions on information access and disclosure, including means for protecting patient privacy and corporate proprietary information. Integrity means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. Availability means ensuring timely and reliable access to and use of information. As embedded medical devices grow in complexity and capability, an end-to-end cybersecurity framework is needed to ensure that they achieve the confidentiality, integrity, and availability required for successful operation.
Cybersecurity concerns have factored into medical device design for some time, but additional attention has been focused on the topic by recent FDA communications, including a recent guidance document and a safety communication. These documents, however, lack clear instructions on what needs to be considered and tested, and a comprehensive standard could be years away. To ensure safety and effectiveness and to reduce exposure to liability, device manufacturers need to be proactive in defining and applying cybersecurity controls for their medical devices. The problem facing medical device development teams is complex: it involves securing a device against an ever-growing number of cybersecurity threats while balancing usability, performance, and safety. A viable approach

Applying Cyber Risk Management To Medical Device Design