FDA draft guidance requires ‘built-in’ cybersecurity for medical devices
The Food and Drug Administration on June 27 published its final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The 64-page document replaces an earlier 2023 version and spells out—in far greater detail—the evidence manufacturers must include when they file 510(k), De Novo, PMA or other market-entry applications for any internet-connected “cyber device.”
Why it matters
Hospitals remain a top ransomware target, and vulnerable devices—from infusion pumps to MRI scanners—can provide hackers a back door into clinical networks. FDA now makes clear that a device can’t be considered safe and effective unless it is also cyber-secure. Failure to comply could delay clearances or trigger costly remediations once a product is on the market.
The details
- Scope: A “cyber device” is any product that (1) contains software, (2) can connect to the internet (even unintentionally) and (3) has features that could be exploited.
- Secure Product Development Framework: FDA endorses a cradle-to-grave development model—threat modeling, risk assessment and penetration testing must happen before submission and continue throughout the device’s life cycle.
- Mandatory plans and artifacts:
  - A cybersecurity management plan that outlines how the manufacturer will monitor and patch vulnerabilities post-launch.
  - A software bill of materials (SBOM), kept current and delivered in machine-readable form, that lists every proprietary, open-source or third-party component.
  - Documentation of security controls—authentication, encryption, logging, recovery, etc.—and evidence they were tested and met acceptance criteria.
- Labeling: User manuals must spell out recommended security configurations, network requirements and step-by-step update procedures.
Between the lines
- Regulatory enforcement: These requirements are rooted in Section 524B of the Food, Drug and Cosmetic Act, created by Congress in late 2022. While FDA had been exercising “enforcement discretion,” reviewers can now reject files that lack the new cyber artifacts.
- Shift from ‘bolt-on’ to ‘built-in’: The agency repeats that security must be embedded in design controls, not patched after complaints roll in—words that could give hospital buyers leverage to demand stronger assurances up front.
- SBOM ripple effects: A continuously updated SBOM means providers can rapidly identify which devices rely on a newly disclosed vulnerable library—potentially shrinking the window between disclosure and mitigation.
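The disclosure-to-mitigation lookup described above, as an added illustration rather than anything from the guidance or a manufacturer: a few constructed CycloneDX-style SBOMs (one per deployed device) are checked against a constructed advisory to find which devices embed the affected component below the fixed version. Device names, component names, versions and the advisory identifier are all placeholders.

```python
"""Fleet lookup over machine-readable SBOMs (added example, constructed data:
device names, components, versions and the advisory are not real)."""
import json

# Constructed sample SBOMs in a CycloneDX-like shape (subset of the real format).
FLEET_SBOMS = {
    "infusion-pump-A": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "1.1.1k"},
        {"name": "busybox", "version": "1.35.0"}]}),
    "mri-console-B": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "3.0.9"},
        {"name": "libxml2", "version": "2.9.14"}]}),
    "patient-monitor-C": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml2", "version": "2.10.3"}]}),
}

# Constructed advisory: placeholder identifier, not a real CVE.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "component": "libxml2",
            "affected_below": "2.10.0"}


def parse_version(v: str) -> tuple:
    """Turn '2.9.14' or '1.1.1k' into a comparable tuple of (int, suffix) pairs."""
    parts = []
    for chunk in v.split("."):
        num = "".join(c for c in chunk if c.isdigit())
        rest = chunk[len(num):]
        parts.append((int(num) if num else 0, rest))
    return tuple(parts)


def affected_devices(sboms: dict, advisory: dict) -> list:
    """Return device names whose SBOM lists the advisory's component at a
    version strictly below advisory['affected_below']."""
    hits = []
    ceiling = parse_version(advisory["affected_below"])
    for device, doc in sorted(sboms.items()):
        for comp in json.loads(doc).get("components", []):
            if comp.get("name") != advisory["component"]:
                continue
            if parse_version(comp.get("version", "0")) < ceiling:
                hits.append(device)
                break  # one matching component is enough to flag the device
    return hits


if __name__ == "__main__":
    print(affected_devices(FLEET_SBOMS, ADVISORY))
```

Real SBOMs also carry package URLs (purl) and CPEs, which give far more reliable matching than bare names; the name-plus-version comparison here is only the minimal form of the lookup.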
What’s next
- Submissions are soon: Sponsors planning filings later this year will have to show they meet the June 27 guidance or explain why an alternate approach is equivalent.
- Procurement pressure: Group purchasing organizations are expected to make SBOMs and patch-cadence metrics a standard bid requirement.
- Future rulemaking: FDA says it “may promulgate additional requirements” under 524B(b)(4), hinting that today’s checklist could grow if threat actors stay ahead of defenders.
Go deeper
Download the full guidance (PDF) from FDA’s site and read Appendix 1 for the agency’s recommended control set.