
The Food and Drug Administration (FDA) has prioritized medical device cybersecurity in recent years. They issued new guidance in 2023 and then again earlier this year. With cyberattacks increasing and products becoming more complex, they’re a target for hackers.
The healthcare industry has long been a favorite victim of cybercriminals. Medical devices offer them greater opportunity and a larger attack surface.
So, what will the FDA focus on in 2026?
From Pre-Market Submissions to Operational Execution
The FDA publications on cybersecurity have focused on the pre-market submission. It added requirements for an SBOM (software bill of materials) and for manufacturers to have plans for detecting vulnerabilities and fixing them.
The pre-market submission remains critical, as manufacturers must deliver everything required to receive approval. The FDA has also implemented an RTA (Refuse to Accept) policy to disqualify submissions that lack comprehensive cybersecurity information or controls.
What happens when devices are in the market has been somewhat ignored.
That’s likely to change. The FDA, however, has a smaller workforce as the result of downsizing. Even so, we will probably see them begin to audit and review the effectiveness of their guidance in the real world.
AI Heightens Security Risks
Many new medical devices incorporate AI into their ecosystem. AI introduces its own class of security risks, and the FDA recognizes the implications.
There are multiple concerns with AI, including data poisoning, model evasion, and model inversion. To counter these, devices need to ensure the integrity and security of the data they rely on.
The FDA issued specific guidance on AI-enabled medical devices. It includes recommendations for addressing AI risks.
Manufacturers to Increase Cybersecurity Spending
In a highly regulated industry that’s susceptible to cyberattacks, medical device companies are increasing their cybersecurity spending. Experts forecast it to grow at a CAGR (compound annual growth rate) of 12.5% through 2027, reaching an estimated $10.9 billion.
With additional spending come greater expectations of manufacturers. How and where to invest may not be so clear. There are numerous ways to boost cyber resilience that support devices through their entire lifecycle.
Manufacturers will now need to prove their cybersecurity measures and protocols actually work once the device is in use. Smaller companies will feel this the most significantly, as they have fewer internal resources. It’s not impossible for them to compete, and many medical device companies began as startups. What it does suggest is that those without internal expertise may need to find it elsewhere.
Cybersecurity as a Core Strategy
Whether manufacturers are big or small, there’s one thing they can all do—treat cybersecurity as a core strategy. Don’t think of it purely as a cost or a check-the-box. Instead, cybersecurity could be a differentiator.
Companies that develop a secure-by-design framework incorporate security and compliance from the start. They embed it in the development cycle. The more vulnerabilities they find prior to submission or go-to-market, the better. It’s much more cost-effective.
5 Things to Do to Prepare for the FDA’s Probable Shift
No matter where you are in the development lifecycle of a product, you can establish these things to stay compliant and cyber secure:
- Use penetration testing early and often. With these exercises, a provider replicates what an actual breach could look like. You’ll discover vulnerabilities and how to close gaps.
- Keep your SBOM up to date and track all components within that could become vulnerabilities.
- Set up real-time threat monitoring. A proactive approach to this enables quick mitigation of issues before they spread.
- Document incident response and recovery plans. If an incident occurs, you must be ready to respond.
- Implement legacy device security solutions.
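As an added illustration of the SBOM item above (example code written for this article, not a tool from the original page or any vendor), the script below reads a constructed CycloneDX-style JSON SBOM, flags components that carry no version (which cannot be matched to any advisory), and compares each versioned component against a constructed advisory list with placeholder identifiers. The SBOM contents, the advisory list, and the `fixed_in` field name are all assumptions made for the example; the version comparison handles numeric fields and letter suffixes so that 2.9.10 sorts above 2.9.5 and 1.1.1k below 1.1.1l.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOM for illustration only; it is not
# a real device's SBOM. Field names follow the CycloneDX JSON layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "library", "name": "libxml2", "version": "2.9.10"},
    {"type": "operating-system", "name": "linux-kernel", "version": "4.19.100"},
    {"type": "library", "name": "busybox"}
  ]
}
"""

# Constructed advisory list with placeholder identifiers (assumed layout).
# In practice this would come from a vulnerability feed keyed by component
# name and affected version range.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-1", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-PLACEHOLDER-2", "component": "openssl", "fixed_in": "1.1.1l"},
    {"id": "ADV-PLACEHOLDER-3", "component": "libxml2", "fixed_in": "2.9.5"},
]

_PIECE = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split a dotted version into (number, letter-suffix) pairs so that
    comparison is numeric per field (2.9.10 > 2.9.5) and honours letter
    suffixes such as OpenSSL's 1.1.1k < 1.1.1l."""
    parts = []
    for piece in version.split("."):
        match = _PIECE.fullmatch(piece)
        if match is None:
            raise ValueError(f"unparseable version field: {piece!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the component entries from a CycloneDX-style JSON document."""
    return json.loads(sbom_json).get("components", [])


def unversioned_components(components: List[Dict[str, str]]) -> List[str]:
    """Components with no version cannot be matched against advisories; an
    SBOM that lists them is not up to date in any useful sense."""
    return [c["name"] for c in components if not c.get("version")]


def find_affected(components: List[Dict[str, str]],
                  advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every component whose
    recorded version is below the advisory's fixed version."""
    findings = []
    for comp in components:
        version = comp.get("version")
        if not version:
            continue
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for name in unversioned_components(comps):
        print(f"WARNING: {name} has no version recorded in the SBOM")
    for name, version, adv_id in find_affected(comps, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Run against the constructed SBOM, the script warns about the unversioned busybox entry and reports zlib and openssl as affected, while libxml2 2.9.10 is correctly not matched against a fix version of 2.9.5. The same structure applies to a real SBOM and advisory feed: the value of the practice comes from rerunning the comparison whenever either side changes.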
Have questions? We can help. We’re experts in pre- and post-market medical device cybersecurity. Contact us today.