
Medical devices are increasingly connected to hospital networks, mobile apps, and other systems, and that connectivity brings new cybersecurity risks. In response, the FDA now requires manufacturers to build security into every stage of a device’s lifecycle. The Food and Drug Omnibus Reform Act (FDORA), enacted in December 2022, added Section 524B to the Federal Food, Drug, and Cosmetic Act; its requirements took effect on March 29, 2023. This law and the FDA’s June 2025 final guidance tie device cybersecurity directly to safety and effectiveness. In practice, the FDA can refuse to accept a submission for a cyber device that lacks the required cybersecurity information, and failing to comply with Section 524B is itself a prohibited act under the FD&C Act.
FDA’s updated final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (June 27, 2025), supersedes the earlier 2023 final guidance and the 2024 draft. It outlines recommendations (nonbinding in themselves, although the underlying Section 524B requirements are statutory) for design controls, documentation, and testing. Key themes are defense-in-depth and transparency: for example, manufacturers are expected to monitor continuously for new threats and to document their plans for addressing them. The guidance effectively makes cybersecurity a core part of a device’s quality system.
FDA Cybersecurity Key Guidance for Medical Devices
The FDA’s 2025 cybersecurity guidance for medical devices covers the following areas:
Total Product Lifecycle (TPLC)
Security must be embedded throughout the entire product lifecycle, from initial design to post-market updates. The guidance treats the whole “medical device system” (the device plus the networks, servers, and software it interacts with) as the scope of the security analysis. FDA recognizes that no device can be assumed fully secure, so manufacturers must practice continuous security risk management. FDA recommends using a Secure Product Development Framework (SPDF) and carrying out threat modeling, secure coding, cryptographic protection, and security testing from day one. In short, cybersecurity cannot be an afterthought; it is a design control requirement under the quality system regulation.
Premarket Submission Requirements
Starting March 29, 2023, any device meeting the statutory definition of a “cyber device” (one that includes software validated, installed, or authorized by the sponsor, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats) must include detailed cybersecurity information in its 510(k), De Novo, PMA, or other premarket submission. The submission should document how the device meets the Section 524B requirements, including the vulnerability-management plan, the security architecture, and the risk mitigations. The FDA’s guidance adds a dedicated section on Section 524B, spelling out what cyber devices must demonstrate. In effect, inadequate cybersecurity documentation can delay or block device clearance.
Software Bill of Materials (SBOM)
Manufacturers must provide a comprehensive SBOM listing every software component (commercial, open-source, and off-the-shelf) in the device. The SBOM is required by Section 524B and is what makes it possible to identify and track known vulnerabilities in each component. For example, when a flaw is disclosed in an open-source library, the manufacturer (and FDA) can use the SBOM to find which device models and firmware versions contain the affected version. Each SBOM entry should carry at least the NTIA minimum elements (supplier, component name, version, a unique identifier, dependency relationships, SBOM author, and timestamp); FDA’s guidance additionally asks for each component’s level of support and end-of-support date. Crucially, the SBOM must be kept current as the device’s software changes.
Risk Management and Secure Design Controls
FDA expects a risk-based approach consistent with ISO 14971. Manufacturers should perform formal threat modeling and security risk analyses throughout development. Security risk management must be integrated into the quality system: the guidance states, “security risk management should be an integrated part of a manufacturer’s entire quality system, addressed throughout the TPLC”. In practice, this means written procedures for design verification and validation, encryption and authentication, access controls, supply chain security (supplier controls), and change management. For example, cryptographic and firmware-update designs should follow current NIST and CISA guidance so that weak algorithms or unauthenticated update paths are not discovered late in development.
Postmarket Vulnerability Management
FDA requires manufacturers to have a routine plan for finding, addressing, and disclosing vulnerabilities. Section 524B(b)(1) mandates that a submission include “a plan to monitor, identify, and address, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits”, including coordinated vulnerability disclosure, and Section 524B(b)(2) requires patches on a regular cycle and out of cycle as soon as possible for critical vulnerabilities. In other words, companies must continuously watch for new risks, release patches in a timely fashion, and inform users. The separate guidance Postmarket Management of Cybersecurity in Medical Devices gives detailed recommendations for coordinated vulnerability disclosure. It classifies vulnerabilities as “controlled” or “uncontrolled” risk and, for uncontrolled risk, recommends communicating with users within 30 days and remediating within 60 days. These activities should be part of the device’s quality system procedures (21 CFR Part 820).
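The SBOM and postmarket sections above describe a workflow (an advisory names a component, the SBOM says which builds contain it, the fielded-device inventory says which units run those builds) without showing it. The following added example, which is not part of the FDA guidance or any manufacturer’s tooling, implements that matching in Python. The SBOMs (CycloneDX-style JSON), the advisories (OSV-style, with a half-open affected version range), the device model “IP-200”, the serial numbers, and the advisory IDs are all constructed for illustration; the version comparison handles the letter suffixes used by OpenSSL 1.x but is not a full semver parser.

```python
import json
import re

# ---- Constructed inputs (illustrative only; not real products or CVEs) ----

# CycloneDX-style SBOMs for two hypothetical firmware builds of one device
# model. Each component carries the fields used here: supplier, name,
# version and a package URL (purl) as the unique identifier.
SBOMS = {
    "IP-200 fw 3.2.1": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "openssl", "version": "1.1.1k",
             "supplier": {"name": "OpenSSL Project"},
             "purl": "pkg:generic/openssl@1.1.1k"},
            {"type": "library", "name": "zlib", "version": "1.2.11",
             "supplier": {"name": "zlib"}, "purl": "pkg:generic/zlib@1.2.11"},
        ],
    }),
    "IP-200 fw 3.3.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "openssl", "version": "1.1.1t",
             "supplier": {"name": "OpenSSL Project"},
             "purl": "pkg:generic/openssl@1.1.1t"},
            {"type": "library", "name": "zlib", "version": "1.2.13",
             "supplier": {"name": "zlib"}, "purl": "pkg:generic/zlib@1.2.13"},
        ],
    }),
}

# Constructed advisories in an OSV-like shape: package identified by purl
# without version, and an affected range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:generic/openssl",
     "introduced": "1.1.1", "fixed": "1.1.1n"},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
]

# Constructed fielded-device inventory: serial number -> firmware build.
FLEET = {
    "SN-0001": "IP-200 fw 3.2.1",
    "SN-0002": "IP-200 fw 3.2.1",
    "SN-0003": "IP-200 fw 3.3.0",
}


def version_key(version: str) -> tuple:
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare in order.
    A bare number sorts before the same number with a letter suffix, which
    matches OpenSSL 1.x numbering (1.1.1 < 1.1.1a < ... < 1.1.1n)."""
    parts = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(parts)


def components(sbom_json: str) -> list:
    """Extract (package purl without version, version, name) from a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    out = []
    for c in bom.get("components", []):
        purl = c.get("purl", "")
        package = purl.split("@", 1)[0] if purl else f"pkg:generic/{c['name']}"
        out.append({"package": package, "version": c["version"], "name": c["name"]})
    return out


def is_affected(version: str, advisory: dict) -> bool:
    """True if version falls in the advisory's half-open range [introduced, fixed)."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def sbom_findings(sbom_json: str, advisories: list) -> list:
    """Return (advisory id, component name, version) for every vulnerable component."""
    findings = []
    for comp in components(sbom_json):
        for adv in advisories:
            if adv["package"] == comp["package"] and is_affected(comp["version"], adv):
                findings.append((adv["id"], comp["name"], comp["version"]))
    return findings


def affected_devices(fleet: dict, sboms: dict, advisories: list) -> dict:
    """Map each advisory id to the sorted serials of fielded devices whose firmware
    SBOM contains an affected component. Findings are computed once per SBOM and
    fanned out to devices, since many units share one firmware build."""
    per_build = {build: sbom_findings(doc, advisories) for build, doc in sboms.items()}
    hits = {}
    for serial, build in fleet.items():
        for adv_id, _name, _ver in per_build[build]:
            hits.setdefault(adv_id, set()).add(serial)
    return {adv_id: sorted(serials) for adv_id, serials in sorted(hits.items())}


if __name__ == "__main__":
    for adv_id, serials in affected_devices(FLEET, SBOMS, ADVISORIES).items():
        print(adv_id, "->", ", ".join(serials))
```

Running the block reports both constructed advisories against SN-0001 and SN-0002 (the 3.2.1 build) and nothing against SN-0003, which runs the build with the fixed library versions. In a real program the same structure holds, but the SBOMs come from the build pipeline, the advisories from a feed such as OSV or NVD, and the fleet from the device registration database; the output is what drives the 30-day customer communication and 60-day remediation clock described above.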
Documentation and Labeling
Every cybersecurity effort must be documented. Premarket submissions should include the SBOM, threat models, security architecture views, test plans and results, and traceability linking identified threats and risks to the controls that address them and the tests that verify those controls. FDA also recommends device labeling that discloses connectivity features, the intended support period for security updates, and contact information for reporting security issues. For example, manufacturers are encouraged to state how long they will provide security patches. Essentially, the FDA treats cybersecurity as a quality-system deliverable: records of training, audits, and risk assessments are expected just like any other design control.
Why Cybersecurity Guidance Matters for Medical Devices
The following are the main reasons cybersecurity matters for healthcare devices.
Patient Safety
Cybersecurity failures in medical devices can directly harm patients. For instance, the 2017 WannaCry ransomware outbreak disrupted hospitals worldwide, and a 2020 ransomware attack on a German university hospital forced staff to divert patients, delaying critical care. FDA warns that device malfunctions or shutdowns caused by malware could lead to injury or death. By requiring strong cybersecurity controls, the guidance helps prevent incidents that could corrupt device data, disable life-saving functions, or trigger urgent recalls.
Device Effectiveness
Modern devices rely on connectivity and software updates to function properly. FDA notes that networked devices can lose effectiveness if compromised or left unpatched. For example, infusion pumps, pacemaker programmers, or imaging systems with network links could be manipulated by attackers. By ensuring devices ship with secure default settings, robust access controls, and an authenticated update mechanism, the guidance helps maintain efficacy. This matters more as devices become interoperable within healthcare networks.
Regulatory Compliance
The updated guidance implements the new legal requirements from FDORA. Section 524B explicitly ties cybersecurity to the FDA’s mission of ensuring safety and effectiveness. Noncompliance is now itself a violation: failing to comply with Section 524B is a prohibited act under Section 301(q) of the FD&C Act. In practice, this means manufacturers must treat cybersecurity on par with electrical or mechanical safety. The FDA can refuse to accept or decline to clear a submission that does not meet these requirements. Security gaps can also create exposure outside the FDA, for example under fraud statutes. In short, following the guidance is not just good practice; for cyber devices it is now a legal requirement.
Recommendations for Patients and Providers
Below are recommendations that help patients and providers keep their medical devices secure.
Keep devices updated
Install manufacturer updates and patches promptly. The FDA advises patients to keep their device software current, since updates often include critical security fixes.
Watch for unusual behavior
Monitor your devices for glitches or unexpected messages. If a device acts strangely (for example, unexplained alarms or data errors), report it immediately to your healthcare provider or the manufacturer. Do not try to fix complex issues yourself; let the manufacturer or your care team handle them.
Ask questions at appointments
When visiting doctors or clinics, ask about device risks and protections. For example: “What cybersecurity measures are in place for my implant or home device?” or “How long will my device receive software support?” Clinicians and vendors should be able to explain the security features and update schedule of any connected medical equipment.
Register your device
Ensure your device is registered with the manufacturer so you can receive security notifications and recalls promptly.
Report problems
If you suspect a security issue has harmed you or someone else, seek medical attention and report the issue via the FDA’s MedWatch program. Transparency helps the industry learn and improve.
By integrating these practices into design, regulatory submissions, and user guidance, the FDA’s 2025 cybersecurity framework aims to keep devices reliable and protect patients in an era of growing cyber threats.


