FDA Cybersecurity Requirements for Medical Devices

1. Why FDA Cybersecurity Requirements Matter

In the United States, the Food and Drug Administration (FDA) is responsible for ensuring the safety and effectiveness of medical devices. With the increasing connectivity of these devices, cybersecurity has become a critical component of patient safety.

The Consolidated Appropriations Act, 2023 amended the Federal Food, Drug, and Cosmetic (FD&C) Act by adding Section 524B, "Ensuring Cybersecurity of Devices." This section creates a legal mandate for manufacturers of internet-connected medical devices (termed "cyber devices") to implement robust cybersecurity measures and demonstrate them to the agency as part of their premarket review.

Failure to provide the required cybersecurity information will result in the FDA refusing to accept the submission.

Official Texts & Guidance
| FDA Milestone | Legal Basis | Date |
| --- | --- | --- |
| Consolidated Appropriations Act enacted | FDORA § 3305 | 2022-12-29 |
| Section 524B requirements become effective | FD&C Act § 524B | 2023-03-29 |
| Previous Premarket Guidance published | Superseded | 2023-09-27 |
| Current Premarket Guidance published | FDA Guidance | 2025-06-27 |

Relationship to other regulations

| Regulation | How it interacts with FDA requirements |
| --- | --- |
| EU MDR / IVDR | The FDA's rules are the US counterpart to the cybersecurity requirements in the EU's Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). While the legal structures differ, the core principles of secure-by-design, risk management, and lifecycle support are closely aligned. |
| HIPAA | The Health Insurance Portability and Accountability Act (HIPAA) focuses on protecting patient health information. FDA cybersecurity rules focus on the safety and effectiveness of the device itself. The two are complementary: a secure device is essential for protecting the data it processes. |

2. Scope – Which Products Are Covered?

The requirements of Section 524B apply to any "cyber device" for which a premarket submission (e.g., 510(k), PMA, De Novo) is made.

2.1 Definition of a "Cyber Device"

A cyber device is any device that meets all three of the following criteria (FD&C Act § 524B(c)):

  1. Includes software (including firmware or programmable logic).
  2. Has the ability to connect to the internet.
  3. Contains any technological characteristics that could be vulnerable to cybersecurity threats.

The FDA interprets the "ability to connect to the internet" very broadly. A device is in scope if it can connect, whether intentionally or unintentionally, through any means at any point in its lifecycle.

2.2 Examples of Connectivity

The following features bring a device within the scope of the "cyber device" definition (FDA Guidance Sec. VII.B):

  • Direct network, server, or cloud connections (e.g., Ethernet, Wi-Fi).
  • Radio-frequency communications (e.g., Cellular, Bluetooth, BLE).
  • Magnetic inductive communications (e.g., used by some programmers for implants).
  • Hardware connectors that could be used to connect to the internet (e.g., USB, serial port), even if only used for servicing.

3. FDA Requirements & How to Implement Them

The requirements of Section 524B of the FD&C Act are broad, tasking manufacturers with creating plans, implementing processes, and providing evidence of security. The FDA's official guidance, "Cybersecurity in Medical Devices," provides the detailed interpretation and expectations for meeting these requirements.

The obligations can be broken down into two main categories: the overarching governance and lifecycle processes, and the specific security capabilities that must be designed into the device.

3.1 Cybersecurity Governance & Lifecycle Requirements

This table outlines the core organizational and process-related requirements mandated by the FDA. These are foundational to ensuring security is considered throughout the total product lifecycle.

| Obligation & Legal Basis | Manufacturer Actions | Implementation Guides |
| --- | --- | --- |
| Cybersecurity Management Plan (FD&C Act § 524B(b)(1); FDA Guidance Sec. VI.B) | Create and submit a plan to monitor, identify, and address postmarket vulnerabilities in a reasonable time, including a process for coordinated vulnerability disclosure. | Vulnerability Disclosure; Patch Cadence |
| Secure Product Development Framework (SPDF) (FD&C Act § 524B(b)(2); FDA Guidance Sec. V) | Design, develop, and maintain the device according to a Secure Product Development Framework (SPDF) that encompasses security risk management, security architecture, and security testing. | Threat Modeling; CI/CD Hardening |
| Software Bill of Materials (SBOM) (FD&C Act § 524B(b)(3); FDA Guidance Sec. V.A.4) | Provide a complete Software Bill of Materials (SBOM) for the device, including all commercial, open-source, and off-the-shelf software components and their dependencies. | SBOM & VEX |
| Labeling & Transparency (FD&C Act § 502; FDA Guidance Sec. VI.A) | Provide comprehensive labeling that allows users to understand and manage cybersecurity risks, including instructions for secure configuration and an SBOM. | User Documentation |
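The SBOM and postmarket-monitoring obligations above are normally operationalised by matching the device's SBOM against vulnerability advisories as they appear. The following Go program is an added example, not code from this page or from the FDA: it parses a minimal subset of the CycloneDX JSON SBOM format (the bomFormat marker and a components list with name and version), rejects entries that cannot be matched, and reports every component whose installed version is older than an advisory's fixed version. The SBOM, the advisory records and their ADV-PLACEHOLDER identifiers are constructed for the example; a real pipeline would pull advisories from a vulnerability database and record the outcome in a VEX statement.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimal subset of the CycloneDX JSON SBOM: bomFormat plus components (name, version).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}
type SBOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Advisory is a constructed, simplified vulnerability record: the affected
// component and the first version that contains the fix. Finding pairs an
// SBOM component with an advisory it is still exposed to.
type Advisory struct{ ID, Component, FixedIn string }
type Finding struct{ AdvisoryID, Component, Installed, FixedIn string }

// parseSBOM decodes the subset and rejects documents that cannot be matched against
// advisories (wrong bomFormat, or a component without a name or version).
func parseSBOM(data []byte) (*SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, fmt.Errorf("sbom: invalid JSON: %w", err)
	}
	if s.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("sbom: unsupported bomFormat %q", s.BOMFormat)
	}
	for _, c := range s.Components {
		if c.Name == "" || c.Version == "" {
			return nil, fmt.Errorf("sbom: component %q lacks a name or version", c.Name)
		}
	}
	return &s, nil
}

// versionLess compares purely numeric dotted versions segment by segment, so
// "3.0.8" < "3.0.12" even though a string compare says otherwise. Missing trailing
// segments count as zero; letter suffixes and pre-release tags need normalising first.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// matchAdvisories reports each component whose installed version is older
// than an advisory's fixed version, sorted by component for stable output.
func matchAdvisories(s *SBOM, advs []Advisory) []Finding {
	var out []Finding
	for _, c := range s.Components {
		for _, a := range advs {
			if a.Component == c.Name && versionLess(c.Version, a.FixedIn) {
				out = append(out, Finding{a.ID, c.Name, c.Version, a.FixedIn})
			}
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Component < out[j].Component })
	return out
}

// Constructed sample inputs: not a real device SBOM and not real advisories.
const sampleSBOM = `{"bomFormat": "CycloneDX", "components": [
  {"name": "openssl", "version": "3.0.8"},
  {"name": "zlib",    "version": "1.2.13"},
  {"name": "mbedtls", "version": "2.28.0"}]}`

var sampleAdvisories = []Advisory{
	{"ADV-PLACEHOLDER-1", "openssl", "3.0.12"},
	{"ADV-PLACEHOLDER-2", "zlib", "1.2.12"},
	{"ADV-PLACEHOLDER-3", "mbedtls", "2.28.5"},
}

func main() {
	s, err := parseSBOM([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, f := range matchAdvisories(s, sampleAdvisories) {
		fmt.Printf("%s: %s %s affected, fixed in %s\n", f.AdvisoryID, f.Component, f.Installed, f.FixedIn)
	}
}
```

The version comparison is the detail worth copying: as strings, "3.0.8" sorts after "3.0.12", so a naive comparison would mark an unpatched component as fixed. The parser refuses unversioned components for the same reason: an entry that is skipped silently is a finding that never appears.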

3.2 Device Security Capabilities

This table outlines the key technical security controls the FDA expects to be implemented in a medical device. The specific controls are detailed in Appendix 1 of the FDA's guidance.

| Obligation & Legal Basis | Engineering Tasks | Implementation Guides |
| --- | --- | --- |
| Authentication (FDA Guidance Appx. 1) | Implement cryptographically strong methods to verify the identity of users and devices, and to ensure the authenticity and integrity of all data and commands. | Unique Device Identity; Key Provisioning |
| Authorization (FDA Guidance Appx. 1) | Enforce a principle of "least privilege," ensuring that authenticated users and systems can only access the specific data and functions necessary for their role. | Secure Configuration |
| Cryptography (FDA Guidance Appx. 1) | Use industry-standard, state-of-the-art cryptographic algorithms and protocols for all security functions, including secure key management and storage. | Key Provisioning |
| Code, Data, & Execution Integrity (FDA Guidance Appx. 1) | Protect against unauthorized modification of software, firmware, and configuration data using techniques like secure boot and cryptographically signed firmware. | Secure Boot; Secure Configuration |
| Confidentiality (FDA Guidance Appx. 1) | Protect the confidentiality of any data whose disclosure could lead to patient harm, such as credentials or sensitive device settings, using strong encryption. | Data Privacy |
| Event Detection & Logging (FDA Guidance Appx. 1) | Securely log all security-relevant events, such as login attempts, configuration changes, and network anomalies, to enable forensic analysis. | Security Logging |
| Resiliency & Recovery (FDA Guidance Appx. 1) | Design the device to be resilient to cyber attacks and to provide a method to safely recover to a known good state after a security event. | Secure Configuration |
| Secure Updates (FD&C Act § 524B(b)(2); FDA Guidance Appx. 1) | Provide a mechanism to deliver cryptographically authenticated and validated software and firmware updates to devices in a secure and timely manner. | OTA Updates |
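The Secure Updates and Code, Data, & Execution Integrity rows come down to one on-device check: accept only an image whose manifest is signed by the manufacturer, whose contents match the signed digest, and whose version is newer than what is installed. The Go program below is an added example, not code from this page or from any FDA document. Its update layout (a 36-byte manifest holding a version and a SHA-256 digest, an Ed25519 signature over the manifest, then the image) is an assumption made for the example, and each rejection is appended to a log slice that stands in for the Event Detection & Logging capability.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update format (not an FDA-specified layout): a 36-byte manifest
// (4-byte big-endian version || SHA-256 of the image), an Ed25519 signature
// over the manifest, and the firmware image itself.
const manifestLen = 4 + sha256.Size

type Update struct {
	Manifest  []byte
	Signature []byte
	Image     []byte
}

var (
	ErrMalformed    = errors.New("update: malformed manifest")
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrImageDigest  = errors.New("update: image digest does not match manifest")
	ErrRollback     = errors.New("update: version is not newer than installed firmware")
)

// buildUpdate stands in for the manufacturer's release tooling: hash the image,
// encode the manifest and sign it with the private signing key, which never
// leaves the build environment.
func buildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	digest := sha256.Sum256(image)
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	copy(m[4:], digest[:])
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}
}

// Device holds what the on-device verifier needs: the pinned manufacturer
// public key (on real hardware, held in ROM or OTP), the installed version
// and a security event log (stand-in for a tamper-resistant log sink).
type Device struct {
	PubKey    ed25519.PublicKey
	Installed uint32
	Log       []string
}

// Verify checks an update before anything is written to flash: signature first,
// so unauthenticated data is never interpreted; then the image digest, which
// binds the payload to the signed manifest; then the version, so a signed but
// older image cannot reintroduce fixed defects. Every rejection is logged.
func (d *Device) Verify(u Update) (uint32, error) {
	if len(u.Manifest) != manifestLen {
		d.Log = append(d.Log, "update rejected: malformed manifest")
		return 0, ErrMalformed
	}
	if !ed25519.Verify(d.PubKey, u.Manifest, u.Signature) {
		d.Log = append(d.Log, "update rejected: bad signature")
		return 0, ErrBadSignature
	}
	got := sha256.Sum256(u.Image)
	if subtle.ConstantTimeCompare(u.Manifest[4:], got[:]) != 1 {
		d.Log = append(d.Log, "update rejected: image digest mismatch")
		return 0, ErrImageDigest
	}
	ver := binary.BigEndian.Uint32(u.Manifest[:4])
	if ver <= d.Installed {
		d.Log = append(d.Log, fmt.Sprintf("update rejected: rollback to v%d (installed v%d)", ver, d.Installed))
		return 0, ErrRollback
	}
	return ver, nil
}

// Apply commits the new version only after Verify succeeds; device state is
// unchanged on any failure.
func (d *Device) Apply(u Update) error {
	ver, err := d.Verify(u)
	if err != nil {
		return err
	}
	d.Installed = ver
	d.Log = append(d.Log, fmt.Sprintf("update applied: v%d", ver))
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d := &Device{PubKey: pub, Installed: 3}
	fmt.Println(d.Apply(buildUpdate(priv, 4, []byte("constructed firmware image v4"))))
	fmt.Println(d.Apply(buildUpdate(priv, 2, []byte("constructed firmware image v2"))))
	for _, e := range d.Log {
		fmt.Println(e)
	}
}
```

Order matters: the signature is checked before the manifest is interpreted, so a forged or truncated package is never parsed, and the version check runs last so that a validly signed older image cannot be replayed to reintroduce a fixed defect. On real hardware the public key is pinned in ROM or OTP, the digest is computed over the image as it streams into a staging slot, and the installed version lives in monotonic storage that the update path cannot decrement.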

4. Assessment & Conformance

The FDA assesses a manufacturer's compliance with cybersecurity requirements during the premarket review process. Unlike EU regulations that may use Notified Bodies, the FDA itself is the sole assessor. The process is direct and enforcement is strict.

| Assessment Step | Description | Key Takeaway for Manufacturers |
| --- | --- | --- |
| 1. Premarket Submission | The manufacturer submits all required cybersecurity evidence as part of the 510(k), PMA, or De Novo package. This includes the documentation outlined in the tables above. | The burden of proof is on the manufacturer. The submission must be complete and demonstrate a "reasonable assurance of cybersecurity." |
| 2. FDA Triage & Review | The FDA first checks if the submission is administratively complete. If the required cybersecurity information is missing, the submission is rejected immediately. If complete, it proceeds to a substantive review. | An incomplete cybersecurity package is not a minor deficiency; it is a showstopper. The review will not even begin. |
| 3. "Refuse to Accept" (RTA) | This is the primary enforcement tool. If the required information is missing, incomplete, or inadequate, the FDA issues an RTA letter, stopping the review clock. | The manufacturer must resolve all deficiencies noted in the RTA letter before the review can resume. This can cause significant delays. |
| 4. Substantive Review | The FDA's technical reviewers assess the provided evidence against the requirements of the law and the recommendations in the guidance document. | The FDA will scrutinize the threat model, risk assessment, testing results, and the overall security architecture. |
| 5. The Role of Consensus Standards | The FDA recognizes "consensus standards" like ANSI/UL 2900-2-1. | While conformance is voluntary, designing a product in accordance with a recognized standard is a streamlined way for manufacturers to provide strong evidence that their device meets the FDA's expectations. |