Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Blog · FDA

    Reports: FDA to Scrutinize Medical Device Cybersecurity

    The Food and Drug Administration (FDA) has prioritized medical device cybersecurity in recent years.

    Hero illustration for the article: Reports: FDA to Scrutinize Medical Device Cybersecurity
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: February 16, 2026 · Last reviewed: May 1, 2026

    Direct answer

    The FDA will likely scrutinize medical device cybersecurity more intensely in 2026, shifting focus beyond premarket submissions to include postmarket performance and operational effectiveness. This increased oversight is driven by the rising complexity of devices, the integration of AI, and the escalating threat of cyberattacks. Manufacturers anticipate increased cybersecurity spending and will need to demonstrate the real-world efficacy of their security measures.

    The Food and Drug Administration (FDA) has prioritized medical device cybersecurity in recent years. They issued new guidance in 2023 and then again earlier this year. With cyberattacks increasing and products becoming more complex, they’re a target for hackers.

    The healthcare industry has long been a favorite victim of cybercriminals. Medical devices offer them greater opportunity and a larger attack surface.

    So, what will the FDA focus on in 2026?

    Key Takeaways

    • FDA oversight will expand to postmarket cybersecurity effectiveness.
    • AI integration heightens security risks, requiring new FDA focus.
    • Manufacturers face increased cybersecurity spending and scrutiny.
    • Cybersecurity must become a core, strategic business function.
    • Penetration testing and continuous monitoring are vital.
    • Maintain an updated SBOM and strong incident response plans.

    Table of Contents

    Why this matters

    The FDA's Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (Feb 3, 2026 final guidance) made cybersecurity documentation a gating criterion for clearance under Section 524B of the FD&C Act. Reviewers now apply this guidance to reports the same way they apply software lifecycle expectations from IEC 62304 and security risk-management expectations from AAMI TIR57 and ANSI/AAMI SW96:2023.

    Gaps in this area are the single most common driver of first-cycle cybersecurity Additional Information (AI) requests. The FDA's FY2024 CDRH performance reports show cybersecurity is among the top deficiency categories cited in 510(k) and PMA AI letters, behind only software documentation and clinical evidence. Treating it as a checklist exercise rather than a design-controlled engineering artifact is what creates the gap.

    From Pre-Market Submissions to Operational Execution

    The FDA publications on cybersecurity have focused on the pre-market submission. It added requirements for an SBOM (software bill of materials) and for manufacturers to have plans for detecting vulnerabilities and fixing them.

    The pre-market submission remains critical, as manufacturers must deliver everything required to receive approval. The FDA has also implemented an RTA (Refuse to Accept) policy to disqualify submissions that lack cybersecurity information or controls.

    What happens when devices are in the market has been somewhat ignored.

    That’s likely to change. The FDA, however, has a smaller workforce, the result of downsizing. Yet, we will probably see them begin to audit and review the effectiveness of their guidance in the real world.

    AI Heightens Security Risks

    Many new medical devices incorporate AI into their ecosystem. This increases risk, creating unique security risks, and the FDA realizes the implications.

    There are multiple concerns with AI, including data poisoning and model evasion and inversion. To prevent this, devices need to ensure data integrity and security.

    The FDA issued specific guidance on AI-enabled medical devices. It includes recommendations for addressing AI risks.

    Manufacturers to Increase Cybersecurity Spending

    In a highly regulated industry that’s susceptible to cyberattacks, medical device companies are increasing their cybersecurity spending. Experts forecast it to grow at a CAGR (compound annual growth rate) of 12.5% through 2027, with estimates of $10.9 billion.

    See also: SPDF and IEC 62304 Mapping: FDA Cyber Guide, FDA Penetration Testing Requirements for Medical Devices, and Letter to File vs New 510(k) for Cybersecurity Changes.

    With additional spending comes grander expectations from manufacturers. How and where to invest may not be so clear. There are numerous ways to boost cyber resilience that support devices through their entire lifecycle.

    Manufacturers will now need to prove their cybersecurity measures and protocols actually work once the device is in use. Smaller companies will feel this the most significantly, as they have fewer internal resources. It’s not impossible for them to compete, and many medical device companies began as startups. What it does suggest is that those without internal expertise may need to find it elsewhere.

    Cybersecurity as a Core Strategy

    Whether manufacturers are big or small, there’s one thing they can all do-treat cybersecurity as a core strategy. Don’t think of it purely as a cost or a check-the-box. Instead, cybersecurity could be a differentiator.

    Companies that develop a secure-by-design framework incorporate security and compliance from the start. They embed it in the development cycle. The more vulnerabilities they find prior to submission or go-to-market, the better. It’s much more cost-effective.

    5 Things to Do to Prepare for the FDA’s Probable Shift

    No matter where you are in the development lifecycle of a product, you can establish these things to stay compliant and cyber secure:

    1. Use penetration testing early and often. With these exercises, a provider replicates what an actual breach could look like. You’ll discover vulnerabilities and how to close gaps.
    2. Keep your SBOM up to date and track all components within that could become vulnerabilities.
    3. Set up real-time threat monitoring. A proactive approach to this enables quick mitigation of issues before they spread.
    4. Document incident response and recovery plans. If an incident occurs, you must be ready to respond.
    5. Implement legacy device security solutions.

    Have questions? We can help. We’re experts in pre- and post-market medical device cybersecurityContact us today.

    How Blue Goat approaches this

    Blue Goat Cyber helps medical device manufacturers navigate the evolving FDA cybersecurity landscape by integrating security from concept to postmarket support. Our team, comprised of certified professionals such as CISSPs and OSCPs, including ex-military red team members, provides an informed perspective on real-world threats and regulatory expectations. We specialize in developing and implementing security strategies that align with FDA guidance, covering everything from threat modeling and penetration testing to incident response planning and SBOM management.

    Our approach for premarket submissions reduces the likelihood of deficiencies, ensuring your submissions meet all FDA requirements. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. We also provide services for FDA postmarket cybersecurity, helping you maintain compliance and respond effectively to emerging threats throughout the device lifecycle.

    FAQ

    What is the FDA's focus on medical device cybersecurity in 2026?

    The FDA's focus in 2026 is expected to expand beyond premarket submissions to include the real-world, operational effectiveness of medical device cybersecurity throughout its lifecycle. This reflects a shift towards verifying implemented security measures.

    How does AI impact medical device cybersecurity risks?

    AI integration in medical devices introduces new cybersecurity risks such as data poisoning, model evasion, and inversion. The FDA recognizes these implications and has issued specific guidance for AI-enabled medical devices to address them.

    Does the FDA require a Software Bill of Materials (SBOM) for medical devices?

    Yes, the FDA requires an SBOM as part of premarket submissions. Manufacturers must also have plans for detecting and remediating vulnerabilities, and maintain an updated SBOM for all device components, as per the February 3, 2026 final guidance.

    What is the FDA's RTA policy regarding cybersecurity?

    The FDA's Refuse to Accept (RTA) policy allows them to disqualify premarket submissions that do not include adequate cybersecurity information or controls. This ensures that essential security elements are present before a device can be considered for approval.

    How can medical device manufacturers prepare for increased FDA cybersecurity scrutiny?

    Manufacturers can prepare by implementing secure-by-design principles, performing regular penetration testing, keeping SBOMs updated, establishing real-time threat monitoring, and documenting complete incident response plans.

    Related: Medical Device Cybersecurity: A Complete Lifecycle Guide

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. again earlier this year- U.S. FDA
    2. issued specific guidance on AI-enabled medical devices- U.S. FDA
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.