FDA Issues New Cybersecurity Guidance for Medical Device Manufacturers


Key Takeaways

  • The FDA released updated, non‑binding cybersecurity guidance (“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”) that supersedes its June 2025 version and is intended to complement existing postmarket guidance.
  • The guidance frames cybersecurity risk management as a core element of device safety and effectiveness, referencing ISO 13485 and urging manufacturers to adopt a risk‑based approach throughout the product lifecycle.
  • Recommended controls span secure design (authentication, authorization, cryptography, confidentiality, event detection/logging, resiliency/recovery, updatability/patchability), transparency to users, threat modeling, and ongoing cyber risk assessments.
  • Although the guidance is advisory, the FDA signals that it reflects statutory obligations, and non‑compliance could attract scrutiny under broader federal cybersecurity initiatives.
  • Manufacturers should align their premarket submissions with the guidance, monitor forthcoming rulemaking (e.g., CISA’s Cyber Incident Reporting for Critical Infrastructure Act), and maintain robust cybersecurity programs to mitigate evolving threats.

Overview of FDA Guidance
The Food and Drug Administration issued an update to its cybersecurity guidance earlier this year, replacing the June 2025 document. Titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” the guidance is designed to supplement the FDA’s existing postmarket cybersecurity advice and the “Content of Premarket Submissions for Device Software Functions.” While the recommendations are non‑binding, the FDA encourages medical device companies to review the guidance to ensure their practices meet the agency’s expectations and to help satisfy their statutory obligations concerning device safety and effectiveness.

Context Within Federal Cybersecurity Efforts
The FDA’s update is part of a broader wave of federal cybersecurity initiatives. In March, the White House released its Cyber Strategy for America, outlining six pillars that build on prior national approaches. Across agencies, the administration has pursued cyber‑related rulemaking and enforcement, exemplified by the Justice Department’s continuation of the Civil‑Cyber Fraud Initiative and the Department of Defense’s final rule implementing the Cybersecurity Maturity Model Certification program. These actions signal a coordinated push to raise cybersecurity resilience across critical sectors, including healthcare.

FDA’s Position on Cybersecurity Risk Management
The guidance formally states that cybersecurity risk management is essential to ensure that medical devices remain safe and effective throughout their lifecycle. To operationalize this, the FDA incorporates the ISO 13485 risk management framework by reference, showing how its principles can be applied to device security. Rather than prescribing specific technical controls, the document identifies a set of cybersecurity controls that manufacturers should evaluate as part of their premarket submissions, leaving implementation details to the companies’ risk‑based judgments.

Secure Design and Architecture Recommendations
During the design phase, the FDA advises manufacturers to assess the existing system, identify potential cybersecurity risks, and embed “secure by design” principles. Key recommendations include implementing controls related to authentication, authorization, cryptography, confidentiality, event detection and logging, resiliency and recovery, and updatability/patchability. Companies should also evaluate whether their architecture mitigates deployment risks, protects supply‑chain integrity, safeguards customer data, and addresses the consequences of noncompliance with the guidance. By addressing these areas early, manufacturers aim to reduce exploitable flaws before devices reach the market.

Cybersecurity Transparency to Users
Transparency is highlighted as a critical component of trust‑building. Manufacturers should provide device users with clear information about the device’s cybersecurity controls, potential risks to the medical device system, and other relevant details that enable users to address known or potential cybersecurity threats. Implementing transparency policies empowers end users to assess the strengths and weaknesses of a manufacturer’s security posture and make informed purchasing decisions, thereby fostering a collaborative approach to risk mitigation.

Threat Modeling as a Lifecycle Activity
The FDA recommends that manufacturers conduct threat modeling that encompasses identifying security objectives, risks, and vulnerabilities across the entire medical device system. This process should define countermeasures to prevent, mitigate, monitor, or respond to threat effects throughout the device’s lifecycle. By analyzing the system from a bad actor’s perspective—modeling how an attacker could exploit vulnerabilities—companies can prioritize defenses and allocate resources where they are most needed.

Cyber Risk Assessments and Residual Risk Management
Ongoing cyber risk assessments are another cornerstone of the guidance. Manufacturers are urged to assess their security controls and the residual risks that remain, whether those risks were introduced intentionally or unintentionally. These assessments should occur throughout the device’s lifecycle and cover vulnerability identification, implementation of protective measures, attack detection, and incident response and recovery. By treating risk assessment as a continuous activity rather than a one‑time premarket exercise, companies can adapt to evolving threats and maintain compliance with FDA expectations.

Looking Ahead: Federal Monitoring and Rulemaking
The guidance anticipates that federal agencies will continue to monitor cyber‑related threats, issue further guidance, engage in rulemaking, and pursue enforcement actions when companies inadequately address cybersecurity concerns. Medical device manufacturers—and operators in any of the 16 critical infrastructure sectors—should watch for developments stemming from the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Staying informed about upcoming regulations will help firms align their compliance programs with emerging federal expectations.

Author Contributions
The article was authored by Tyler R. Bridegan, a partner at Womble Bond Dickinson who advises on privacy, cybersecurity, and technology compliance; Taylor Ey, a partner focusing on privacy and data security intersecting with consumer protection and digital advertising; and Jennifer German, counsel specializing in regulatory matters affecting FDA‑regulated industries. Their combined expertise informs the analysis of the FDA’s cybersecurity guidance and its implications for medical device manufacturers.

Note: This summary does not necessarily reflect the views of Bloomberg Industry Group, Inc., its publishers, or its owners.
