Seeking robust security controls against emerging and potentially hazardous threats, the US Food and Drug Administration (FDA) has issued updated final guidance on demonstrating the cybersecurity of medical devices in premarket submissions.
The guidance document, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, was released on 26 June 2025. It covers the design, labeling and documentation that should be included in premarket submissions to the Center for Devices and Radiological Health (CDRH) or the Center for Biologics Evaluation and Research (CBER) for devices with cybersecurity risks.
It also clarifies security recommendations for cyber devices under section 524B of the amended Federal Food, Drug, and Cosmetic Act (FD&C Act), including vulnerability-management procedures, a software bill of materials (SBOM) that identifies each software component and its origin (commercial, off-the-shelf or open source), and secure handling of product updates and patches.
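The SBOM obligation above is a concrete engineering artifact, so here is an added example of the kind of completeness check a product-security team might run before filing. It is not FDA, RAPS or any manufacturer's code. It assumes a CycloneDX 1.5 JSON layout, that the reviewer wants supplier, name, version, a unique identifier (purl or CPE) and a recorded dependency relationship for every component plus an author and timestamp on the SBOM itself, and it uses two hypothetical property names (`support:level`, `support:endOfSupport`) to carry the per-component support status; the embedded SBOM is constructed for illustration.

```python
"""Check a CycloneDX-style SBOM for the component-origin fields a premarket
submission needs to show. Added example, not FDA/RAPS/vendor code.
Assumptions: CycloneDX 1.5 JSON layout; required per-component fields are
supplier, name, version, purl-or-cpe, a dependency entry, and the two
hypothetical properties 'support:level' and 'support:endOfSupport'."""
import json
from datetime import date

# Constructed sample SBOM for an imaginary bedside monitor; not a real device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-07-01T12:00:00Z",
        "authors": [{"name": "Example Devices Inc. Product Security"}],
        "component": {"bom-ref": "dev-1", "type": "device",
                      "name": "ExampleMonitor", "version": "3.2.0"},
    },
    "components": [
        {"bom-ref": "c-1", "type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.13",
         "properties": [{"name": "support:level", "value": "maintained"},
                        {"name": "support:endOfSupport", "value": "2026-09-07"}]},
        # Binary of unknown origin: no supplier, no identifier, no support info.
        {"bom-ref": "c-2", "type": "library", "name": "vendor-blob",
         "version": "1.4", "properties": []},
        # Known component that is end-of-life and never wired into dependencies.
        {"bom-ref": "c-3", "type": "library", "name": "legacy-ble-stack",
         "supplier": {"name": "Acme Radio"},
         "cpe": "cpe:2.3:a:acme:ble_stack:*:*:*:*:*:*:*:*",
         "properties": [{"name": "support:level", "value": "end-of-life"},
                        {"name": "support:endOfSupport", "value": "2023-01-01"}]},
    ],
    "dependencies": [
        {"ref": "dev-1", "dependsOn": ["c-1", "c-2", "c-3"]},
        {"ref": "c-1", "dependsOn": []},
        {"ref": "c-2", "dependsOn": []},
    ],
})


def _supplier_name(component):
    """CycloneDX models supplier as an object; tolerate a bare string too."""
    supplier = component.get("supplier")
    if isinstance(supplier, dict):
        return supplier.get("name")
    return supplier


def component_findings(component, as_of, dependency_refs):
    """Return the list of origin/support gaps for one component (empty = clean)."""
    findings = []
    if not _supplier_name(component):
        findings.append("missing supplier")
    for field in ("name", "version"):
        if not component.get(field):
            findings.append(f"missing {field}")
    if not (component.get("purl") or component.get("cpe")):
        findings.append("missing unique identifier (purl or cpe)")
    props = {p.get("name"): p.get("value") for p in component.get("properties", [])}
    if not props.get("support:level"):
        findings.append("missing support:level")
    end_of_support = props.get("support:endOfSupport")
    if end_of_support and date.fromisoformat(end_of_support) < as_of:
        findings.append(f"support ended {end_of_support}")
    if component.get("bom-ref") not in dependency_refs:
        findings.append("no dependency relationship recorded")
    return findings


def check_sbom(sbom_json, as_of="2025-07-01"):
    """Check SBOM-level metadata and every component; as_of is an ISO date."""
    as_of_date = date.fromisoformat(as_of)
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    top_level = []
    if not meta.get("timestamp"):
        top_level.append("missing timestamp")
    if not meta.get("authors"):
        top_level.append("missing author")
    dependency_refs = {d.get("ref") for d in sbom.get("dependencies", [])}
    per_component = {}
    for component in sbom.get("components", []):
        findings = component_findings(component, as_of_date, dependency_refs)
        if findings:
            per_component[component.get("name") or component.get("bom-ref")] = findings
    return {"sbom": top_level, "components": per_component}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run against the sample, the clean `openssl` entry produces no findings, `vendor-blob` is flagged for missing supplier, identifier and support level, and `legacy-ble-stack` for a missing version, expired support and a missing dependency entry. Moving `as_of` past a component's end-of-support date flips it into the report, which is the check to rerun at each patch cycle.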
FDA stressed the need for robust controls to ensure device safety, given the growing integration of wireless and network-connected devices and the electronic exchange of health information.
“In addition, cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact,” FDA wrote in the new guidance document. “Cyber incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally.”
The June 2025 document replaces final guidance of the same name issued in 2023 (RELATED: FDA premarket cybersecurity guidance clarifies SBOM requirements, Regulatory Focus, 28 September 2023). A draft guidance suggesting updates on cyber devices was issued in 2024, followed by a comment period (RELATED: FDA proposes updates to device cybersecurity guidance, Regulatory Focus 13 March 2024). The 2023 guidance had replaced the agency’s 2014 guidance on medical device cybersecurity.
The guidance was updated due to the rapidly evolving landscape and the need for precautions throughout the total product lifecycle (TPLC), FDA noted.
“The changes since the 2014 guidance are intended to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the TPLC, and to more clearly outline FDA’s recommendations for premarket submission information to address cybersecurity concerns,” the agency wrote.
The guidance applies to devices with software functions, not only those that are network-enabled or otherwise connected. It applies to a wide range of premarket submissions, including 510(k), de novo and premarket approval applications, and also to devices that are 510(k)-exempt.
Commenting on the June 2025 guidance on the LinkedIn social media platform, Leonard (Leo) Eisner and other medical device consultants advised industry to pay special attention to Section VII of the new guidance, which covers recommendations for cyber devices under FD&C Act section 524B.
“It now clearly defines a ‘cyber device’ under the December 2022 FD&C Act amendment and lays out manufacturers’ obligations, with additional cybersecurity requirements for medical devices, whereas the draft simply referenced Section 524B without its own chapter,” noted Eisner, who is based in Portland, OR.
Under section 524B, a “cyber device” is one that includes software validated, installed or authorized by the sponsor as a device or in a device, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats; all three conditions must be met. Products that contain software or are software can therefore fall within the definition, per the guidance.
“FDA also considers the ‘ability to connect to the internet’ to include devices that are able to connect to the internet, whether intentionally or unintentionally, through any means (including at any point identified in the evaluation of the threat surface of the device and the environment of use),” the agency added.
The agency was asked in comments on the draft guidance to clarify the definition of devices connected to the internet (RELATED: Stakeholders request tweaks to FDA’s device cybersecurity guidance, Regulatory Focus, 15 May 2024).
The agency provided the following examples of internet connectivity in section VII of the final guidance:
• Network, server, or cloud service provider connections
• Radio-frequency communications (e.g., Wi-Fi, cellular, Bluetooth, Bluetooth low energy)
• Magnetic inductive communications
• Hardware connectors capable of connecting to the internet (e.g., USB, Ethernet, serial port)
Premarket submissions for cyber devices must include documentation supporting cybersecurity, including a plan for monitoring, identifying and addressing postmarket vulnerabilities, processes for making updates and patches available on a regular cycle and out of cycle for critical vulnerabilities, and the SBOM. Manufacturers should maintain threat modeling and cybersecurity risk assessment throughout the TPLC.
“In general, changes that may impact cybersecurity and may require premarket submission could include changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms,” FDA wrote.
FDA defines a “medical device system” as the device and connected systems, including healthcare facility networks, other devices, and software update servers.
“Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems,” FDA explained.
As a result, a single incident could compromise many devices at once.
“Depending on the device risk and use environment, a multiple-device compromise may have severe impacts for multiple patients, either through impact to the device itself and/or to healthcare facility operations (e.g., multiparameter bedside monitors all restarting at once, leaving all monitors connected to the same network no longer monitoring patient vitals and staffing levels not able to monitor all patient vitals),” the agency wrote.
Manufacturers should consider the larger system in which their device operates and the risks of harm to multiple patients in cybersecurity incidents.
“FDA recognizes that medical device cybersecurity is a shared responsibility among interested parties throughout the use environment of the medical device system, including healthcare facilities, patients, healthcare providers, and manufacturers of medical devices,” the guidance states.
- By Regulatory Affairs Professionals Society (RAPS)