
    FDA Classification Decision Tree Checklist

    FDA Classification Decision Tree (Wellness vs. Device)

    Validate a 'non-device' classification before FDA does it for you.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber


    Reviewed by Trevor Slattery

    COO · Blue Goat Cyber

    Last reviewed: May 1, 2026


    Misclassifying a software product as a general wellness tool is one of the most expensive mistakes in early-stage MedTech. Use this to pressure-test your current intended-use statement against the criteria FDA reviewers actually apply.

    A. Clinical Decision Support (CDS) triggers

    Does the software provide a time-critical diagnosis or treatment recommendation?

    Is the algorithm opaque to the clinician (they cannot independently review the basis for the output)?

    Does it analyse medical images, waveforms, or genomic data to produce an output?

    Is it intended to automate a task previously performed by a licensed professional?

    B. Wellness vs. disease claims

    Does any marketing or technical document mention a specific disease (e.g. diabetes, anxiety, PTSD)?

    Does the product claim to treat, diagnose, mitigate, or cure any condition?

    Is it intended to be used inside a clinical workflow or integrated with an EHR?

    Does it generate alerts that require immediate clinical intervention?

    C. Cybersecurity & 524B scope

    Does the software connect to the internet, a network, or a physical medical device?

    Does it use off-the-shelf code that could carry known vulnerabilities?

    Could a breach lead to patient harm, even indirectly through data corruption?

    How to read it. Multiple 'Yes' answers in any section are a strong signal that the current non-device classification will not survive FDA scrutiny. Section C in particular maps directly to the 'cyber device' definition under Section 524B.

    NEXT STEP → Book a 30-minute classification stress-test with a regulatory engineer to review your intended-use statement before submission. Book your discovery call: go.bluegoatcyber.com/meetings/blue-goat-cyber/discovery-session
