Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Hero illustration for the Fundamentals article: Medical Device Code, Data, and Execution Integrity
    Blog · Fundamentals

    Medical Device Code, Data, and Execution Integrity

    Updated November 16, 2024 The latest FDA medical device cybersecurity update from the Food and Drug Administration (FDA) covers many security controls.

    Hero illustration for the Fundamentals article: Medical Device Code, Data, and Execution Integrity
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: September 18, 2024 · Last reviewed: May 1, 2026

    Updated November 16, 2024

    Direct answer

    Medical device code, data, and execution integrity are crucial security controls highlighted by the FDA's February 3, 2026 final guidance. Code integrity ensures software remains authentic and unaltered, while data integrity confirms the accuracy and reliability of information throughout its lifecycle. Execution integrity verifies both code and data during real-time operation, demonstrating adherence to FDA premarket submission requirements and creating a resilient cybersecurity posture for medical devices by mitigating cyber risks.

    The latest FDA medical device cybersecurity update from the Food and Drug Administration (FDA) covers many security controls. Along with specific guidelines, the agency has also provided practical recommendations. This article will review the code, data, and execution integrity security controls.

    Key Takeaways

    • Code integrity: authentic, unaltered software.
    • Data integrity: accurate, reliable information.
    • Execution integrity: real-time verification.
    • FDA guidance emphasizes strong integrity controls.
    • Critical for premarket submission compliance.
    • Mitigates cyber risks in medical devices.

    Table of Contents

    Why this matters

    Integrity violations are a primary root cause of cyberattacks in medical devices, posing significant risks to patient safety, data privacy, and device functionality. Compromised code can lead to unauthorized modifications, data breaches, or device malfunctions, directly impacting patient care. The FDA's 'Cybersecurity in Medical Devices' Final Guidance, dated February 3, 2026, emphasizes the critical need for strong integrity controls, making them a cornerstone of premarket submission requirements. Manufacturers must demonstrate that devices are protected against unauthorized manipulation of code, data, and execution states. Adherence to standards like IEC 80001-1, ISO 27001, and AAMI TIR57 guides the implementation of these controls, ensuring that medical devices are resilient against evolving cyber threats. Prioritizing code, data, and execution integrity protects patients and prevents costly post-market remediations or regulatory penalties.

    Integrity Violations and Cybersecurity Risk

    According to the FDA, integrity issues are the root cause of many cyberattacks. These include stored code, stored and operational data, or the execution state. As a result, this risk should be part of your medical device cybersecurity strategy.

    There are three integrity categories to consider in security controls: code integrity, data integrity, and execution integrity.

    What Is Code Integrity?

    Code integrity ensures that software code stays unaltered and trustworthy throughout its lifecycle. Ensuring code integrity is pivotal in maintaining the security of a medical device. It has three components:

    • Code signing allows users to validate the authenticity and integrity of software code via digital signatures within the code. It creates a unique identifier that can be traced back to the software publisher.
    • Hash functions: Hashes generate a distinct value for every piece of code. By comparing these before and after execution, developers can locate any modifications.
    • Digital certificates: Certificate authorities (CAs) contain the software owner’s public key to sign the code virtually.

    FDA guidance on code integrity includes:

    • Using authentication firmware and software
    • Enabling cryptography authenticated firmware and software updates
    • Assuring that validation occurs before execution based on digital signatures
    • Disabling unauthorized access to test and debug ports

    What Is Data Integrity?

    Data integrity in software development describes all the processes you should use to ensure data accuracy, reliability, and validity through its lifecycle. Regarding medical device cybersecurity, the emphasis on data integrity involves both incoming and external source data.

    Medical devices create and receive a lot of data necessary for their effectiveness. The FDA wants to ensure no data is modified during transit or at rest. They suggest that all incoming data go through a validation process.

    Other tips include validating data ranges and applying the proper configuration outputs for data integrity.

    What Is Execution Integrity?

    See also: When to Hire a Device Security Consultant vs. Build In-House, Cybersecurity Is Now a QMS Requirement, and Why Medical Device Cybersecurity Is Nothing Like Enterprise.

    The third area of integrity is the execution environment. Execution integrity describes maintaining verification of code and data once the medical device software begins to execute. It’s the real-time component of integrity security controls.

    FDA guidance for medical device cybersecurity recommends industry-accepted best practices, such as host-based intrusion prevention systems. The FDA also recommends that medical device manufacturers thoroughly review the design of all code-parsing external data, whether automated or manual.

    How Can Medical Device Companies Instill Integrity?

    These three areas of integrity run parallel with many of the other FDA mandates and recommendations. Code integrity falls under creating a software bill of materials (SBOM). It’s a requirement of the FDA now while also being a best practice to defend against cyberattacks.

    Data integrity should be a pillar of your cybersecurity strategy. Ensuring you have verification tools in place and traffic segmentation creates an even safer environment.

    Execution integrity falls under the two areas of premarket submissions:

    • Tracking and addressing cybersecurity issues after the device is in use
    • Implementing internal procedures to find vulnerabilities and correct them

    A culture of proactive cybersecurity principles must be created to follow integrity guidelines. While integrity validations are not a mandate of the FDA, they provide value in adhering to some of the requirements for your premarket submission.

    Book a strategy session with our experts today for more help and insights on medical device cybersecurity guidelines. We can support premarket submissions, strategy development, pen testing, and vulnerability assessments. Contact us now.

    How Blue Goat approaches this

    Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We treat cybersecurity documentation as design-controlled engineering output, not a submission template, every artifact (threat model, SBOM, security risk assessment, penetration test, labeling) traces back to a controlled requirement and a verified result.

    Our engagements deliver the full Feb 3, 2026 guidance documentation set scoped to the device's risk profile, integrated with the existing IEC 62304 software lifecycle and ISO 14971 risk file. See our medical device cybersecurity services for the full scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    What is code integrity in medical devices?

    Code integrity ensures medical device software remains authentic and unaltered throughout its operational lifecycle. It involves practices such as code signing, hash functions, and digital certificates to validate software reliability and trustworthiness.

    How does the FDA view data integrity?

    The FDA emphasizes that data integrity ensures the accuracy, reliability, and validity of all data used by a medical device. This includes validating incoming data, applying proper configuration outputs, and protecting data during transit and at rest.

    Why is execution integrity important for medical devices?

    Execution integrity is vital because it verifies code and data once the medical device software begins to execute. This real-time validation helps maintain the security of the execution environment, often leveraging host-based intrusion prevention systems.

    Does the FDA mandate integrity validations?

    While the FDA's February 3, 2026 final guidance provides strong recommendations for integrity validation, these validations also aid in meeting other mandatory premarket submission requirements. Implementing them contributes to a strong cybersecurity posture and regulatory compliance.

    Related: The Rising Tide of Cyber Threats in Medical Devices: Understanding the Risks

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. FDA medical device cybersecurity- U.S. FDA
    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.