Endpoint Security, Governance & Risk Management, Healthcare
Device Makers Get Details on Design, Labeling and Submission Requirements
Marianne Kolbasuk McGee (HealthInfoSec) •
June 27, 2025

The Food and Drug Administration has published new final guidance on the cybersecurity controls for new medical devices. The new document, which replaces previous guidance issued in September 2023, provides FDA’s latest recommendations for cybersecurity device design, labeling and the information most device makers must now include in their premarket submissions to the agency.
The new guidance – Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – reflects the FDA’s expanded authority over medical device cybersecurity that Congress granted the agency through an omnibus funding bill signed into law by then President Joe Biden in December 2022.
That bill amended the longtime Federal Food, Drug and Cosmetic Act by adding Section 524B – Ensuring Cybersecurity of Devices, which contains an array of cybersecurity requirements that manufacturers must include in the premarket submissions of products that meet the definition of a “cyber device,” such as a product that can connect to the internet (see: Exclusive: FDA’s Device Cyber Leader on New Law’s Impact).
Under that expanded authority, the FDA can automatically reject medical device premarket submissions that don’t include specific cybersecurity details required by the agency.
“The approach FDA has taken is to incorporate changes that resulted from the updates to the FD&C Act, specifically section 524B,” which went into effect in October 2023, said Axel Wirth, chief security strategist at security firm MedCrypt.
“This includes, for example, a fairly broad definition of a ‘cyber device.’ Further, FDA clarifies what specific cybersecurity information is required for premarket submissions for such ‘cyber devices.’ In many cases, these are not necessarily new requirements but clarify FDA’s expectations to provide more specificity in the cybersecurity information submitted for market approval,” he said.
While many of the FDA’s core recommendations remain consistent with the agency’s previous guidance, “the 2025 document introduces ‘mandatory elements,’” Wirth said.
Among them are mandates for software bills of materials and post-market vulnerability management plans, as well as explicit guidance on how manufacturers need to demonstrate “reasonable assurance of cybersecurity” as part of their premarket submissions, he said.
FDA Statement
An FDA spokesperson in a statement provided to Information Security Media Group said the new guidance comes as cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. “Cyber incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of the larger system,” the statement said.
“The FDA’s commitment to strengthening medical device cybersecurity and safeguarding the public health remains a top priority for the agency, especially in the face of these ever-evolving threats and more frequent intrusions to U.S. healthcare infrastructure.”
The final guidance provides the FDA’s recommendations on cybersecurity device design, labeling and the documentation that the FDA recommends be included in premarket submissions for devices with cybersecurity risk. “These recommendations are intended to promote consistency, facilitate efficient premarket review and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats,” the statement said. “This guidance also addresses the FDA’s recommendations regarding section 524B of the FD&C Act for cyber devices.”
While the new guidance’s recommendations aim to help device makers meet the agency’s premarket device requirements, the FDA’s document notes that its recommendations can also generally apply to other categories of products.
This includes certain classes of devices “whether or not” they are exempt from 510(k) premarket review, as well as combination products, such as “drug-device and biologic-device” products, when the device part of the combined product presents cybersecurity considerations, such as a software function, firmware or programmable logic, the FDA said.
Providing More Clarity
Some experts say the new guidance merges into one document the agency’s current thinking and expectations when it comes to addressing device cybersecurity, including complying with premarket submission cyber requirements.
“The latest FDA guidance is a unification of the 2023 premarket guidance and the select updates, which clarified the FDA’s application of the elements included in 524B, which granted FDA statutory authority for cybersecurity of medical devices,” said Phil Englert, vice president of medical device cybersecurity at the Health Information Sharing and Analysis Center.
“This newly released guidance combines those two documents into a single cohesive guidance document,” he said.
Kevin Fu, a professor at Northeastern University and director of its Archimedes Center for Health Care and Medical Device Cybersecurity, said the FDA’s new guidance clarifies that cybersecurity is explicitly part of “safety and effectiveness determinations” of a medical device.
“Debug ports, engineering interfaces and dormant wireless modules now clearly bring a product under the definition of a ‘cyber device.’ This was previously implied, but it is now explicit,” he said.
“That gives clarity to manufacturers on a regulatory scope. A manufacturer’s software update process, access control mechanisms and even default system configurations are now part of the regulatory evaluation,” he said.
With many of the recent changes, restructuring and layoffs within the federal government, including at the U.S. Department of Health and Human Services, the new document also sends an important signal to the medical device and healthcare delivery community at large, some experts said.
“I’m encouraged to see the FDA continuing to lead among U.S. government agencies on cybersecurity,” said security researcher Billy Rios, cofounder of QED Secure Solutions, a firm that performs assessments of medical devices and other systems, including military fighter jets and bombers.
“The new statutory authorities are firmly in place, and the FDA has shown it’s willing to use them. Manufacturers should take note and make sure they understand the agency’s expectations,” Rios said.
But administration budget cuts and reorganizations have affected resources throughout the federal government, and the FDA and its medical device cybersecurity efforts have not gone unscathed in the overhaul, Fu said.
“Manufacturers are reporting longer wait times and slower feedback, likely due to staffing reductions and organizational shifts,” he said.
“With the departure of several key FDA cybersecurity experts, I’m concerned about the agency’s capacity to scale in time to protect national security when, not if, the next cyberattack or nationwide healthcare disruption occurs,” said Fu, who served as a special adviser at the FDA during the COVID-19 pandemic.
“Congress should double or triple FDA’s medical device cybersecurity budget to counter the growing threats.”
In his current work helping manufacturers navigate FDA’s cybersecurity expectations, “I’ve seen how early attention to design controls, update processes and documentation can prevent costly delays during FDA review and reduce long-term post-market risk,” he said.
“In practical terms, unless you’re making tongue depressors out of solid wood, your product likely qualifies as a cyber device. That means your design controls, risk management files and premarket submissions need to reflect this new reality.”
Updated on June 27, 2025 8:30pm UTC to include FDA’s statement to ISMG.