
Updated July 13, 2025
Last month, the U.S. Food and Drug Administration (FDA) finalized its medical device cybersecurity guidance. The document, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” institutes new requirements across the industry.
The latest publication supersedes the 2023 FDA publication. The FDA cybersecurity guidance is not a regulation; it consists of nonbinding recommendations. However, stakeholders should heed its suggestions.
What Does the Guidance Cover?
The guidance covers the entire lifecycle of a medical device, focusing on design, labeling, and documentation for premarket submissions.
Its scope is not limited to devices that are network-enabled or connected to the internet. It applies to applications for 510(k), De Novo, and premarket approval. Devices that are 510(k) exempt are also included.
What Changes Does the Document Make in Comparison to the 2023 Guidance?
There are several updates to the language from 2023.
Clarification Under 524B
It clarifies security recommendations relating to medical devices that fall under section 524B of the Food, Drug, & Cosmetic Act (FD&C). Those involve procedures for security and for tracking the software bill of materials (SBOM), which documents the origins of the code used in the product.
Section VII of the document now defines a “cyber device” under the 2022 FD&C Act and sets out the obligations and requirements for manufacturers. The previous draft only referenced the term. A “cyber device” now describes products that contain software or that are software themselves.
This section also explains what “internet-enabled” means:
- Network, cloud, or server connections
- Radio-frequency communications (e.g., Wi-Fi, Bluetooth, or cellular)
- Magnetic inductive communication
- Hardware connectors able to connect to the internet (e.g., Ethernet, serial port, USB)
Medical Device System Definition
The FDA stated that a “medical device system” is a device together with the systems it connects to. This would include healthcare networks, other devices, and the servers that deliver software updates.
It’s an important callout because much of the risk in today’s environment is the result of increased connectivity. If there’s a compromise at the network level, it is not a single device that is affected; many could be, endangering patients across a facility.
Device Changes and Cybersecurity Impact
Manufacturers must also stay vigilant about “changes” to their devices and the cybersecurity implications of those changes. Examples include modifications to encryption or authentication, new connectivity functionality, or updates to processes within the software.
Explicit Reference to SW96
ANSI/AAMI SW96 is a recognized standard for security risk management. Yet the industry’s adoption of it has been slow. The 2025 guidance now specifically calls it out, acting as a prompt for manufacturers to implement it. At the core of SW96 is the practice of embedding cybersecurity into design controls, threat modeling, and risk assessments.
Demonstrating Reasonable Assurance of Cybersecurity
In the 2023 document, reasonable assurance referred to the safety and effectiveness of the device. In 2025, the guidance is more explicit about how to demonstrate it. As the FDA reviews premarket submissions, the agency could conclude that a device does not meet this mark. Critical to meeting it is manufacturers supplying the 12 required cybersecurity documents in the eSTAR De Novo submission workflow.
Why Did the FDA Update Guidance?
The FDA reported that the update was necessary because the industry and cyber threats are rapidly evolving. The agency also wanted to stress the total product life cycle (TPLC) framework. Since the recommendations are part of the premarket submission, the requirements should prompt manufacturers to be secure by design and capable of mitigating cybersecurity risks from the start.
Questions About the 2025 Guidance?
Navigating the FDA cybersecurity guidance for medical devices can be tricky. We can help. We’re experts in the field and have helped stakeholders ensure they are meeting requirements and creating a secure-by-design culture.
Get started with a no-cost consultation today.