Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Guide · FDA

    Cybersecurity for IVD Devices: The FDA & Section 524B Guide

    How Section 524B, the Feb 2026 FDA premarket guidance, and AAMI SW96 apply to in vitro diagnostics. Clinical analyzers, point-of-care, and connected IVD platforms. Reviewer expectations, deliverables, and the pitfalls IVD teams hit.

    Hero illustration for the article: Cybersecurity for IVD Devices: The FDA & Section 524B Guide
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • Section 524B applies to any IVD that meets the 'cyber device' definition. Software, connectivity, and the potential to be susceptible to a cyber threat. Most modern analyzers, middleware, and connected point-of-care devices qualify.
    • Reviewers expect the same SPDF-aligned package as therapeutic devices: threat model, SBOM with VEX, security risk assessment mapped to patient harm, penetration test report, and a postmarket cybersecurity management plan.
    • IVD-specific harm scenarios (result manipulation, LIS/HL7 spoofing, QC bypass, PHI exfiltration via HL7/ASTM) must appear in the threat model. Generic IT threat lists get flagged as inadequate.
    • For companion diagnostics (CDx), the CDER/CDRH lead-center split determines the review path but Section 524B still governs the IVD portion. Plan the submission accordingly.
    • The fastest deficiency letter for IVD submissions comes from missing HL7/ASTM interface threat analysis and no documented interoperability security controls.
    TL;DR

    How Section 524B, the Feb 2026 FDA premarket guidance, and AAMI SW96 apply to in vitro diagnostics. Clinical analyzers, point-of-care, and connected IVD platforms. Reviewer expectations, deliverables, and the pitfalls IVD teams hit.

    In vitro diagnostics face the same FDA cybersecurity bar as therapeutic devices. With harm scenarios, interfaces, and reviewer expectations unique to the IVD stack. This guide is the working reference for regulatory and engineering teams shipping clinical analyzers, point-of-care devices, LIS middleware, and connected IVD platforms.

    Section 524B of the FD&C Act, the February 3, 2026 FDA premarket cybersecurity guidance, and ANSI/AAMI SW96 do not carve out an exception for diagnostics. If your device runs software and has any connectivity. Ethernet, Wi-Fi, Bluetooth, USB export, a serial LIS link, cellular telemetry, or a cloud portal. The cyber-device definition catches it. Reviewers now expect the full Secure Product Development Framework (SPDF) package in the submission, and IVD-specific gaps are the fastest path to a Major deficiency.

    Does Section 524B apply to my IVD?

    Section 524B(c) defines a "cyber device" as one that (1) includes software validated, installed, or authorized by the sponsor, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. In practice, the following IVDs almost always meet the definition:

    • Clinical chemistry, hematology, immunoassay, and molecular analyzers with LIS/HIS connectivity via HL7, ASTM E1394, or POCT1-A2
    • Point-of-care (POC) devices with Bluetooth, cellular, or docking-station data upload
    • IVD middleware and data managers that route results between instruments and the LIS
    • Companion diagnostics (CDx) with any connected reader or reporting portal
    • Next-generation sequencing (NGS) platforms and their analysis software
    • Cloud-hosted result review, QC, or remote-service portals

    If the device has software and any interface capable of accepting or transmitting data over a network. Including a serial cable to a networked LIS. Treat it as a cyber device and build the full package. Reviewers assume "in scope" until the submission proves otherwise.

    The deliverables reviewers expect

    The Feb 2026 guidance and AAMI SW96 anchor a consistent set of premarket cybersecurity deliverables. For an IVD, the list is:

    1. Security risk management plan and report aligned to AAMI TIR57 and integrated with the ISO 14971 safety risk file
    2. Threat model covering the full IVD architecture. Instrument firmware, on-device OS, LIS interfaces, middleware, cloud services, and user workstations
    3. SBOM in SPDX or CycloneDX with VEX for known vulnerabilities in the shipped stack
    4. Security architecture views (global system, multi-patient harm, updateability, security use case)
    5. Cybersecurity testing evidence. Vulnerability scanning, static/dynamic analysis, and independent penetration testing
    6. Cybersecurity management plan covering monitoring, coordinated vulnerability disclosure (CVD), and patch delivery across the fielded install base
    7. Labeling with security responsibilities for the healthcare delivery organization (HDO)

    The order matters. The threat model drives the risk assessment; the risk assessment drives the controls and testing; the SBOM and VEX drive the postmarket monitoring plan. Building deliverables in the wrong order produces the traceability gaps FDA cites most often.

    IVD-specific threat scenarios reviewers want to see

    Generic IT threat lists ("phishing, ransomware, insider threat") do not satisfy reviewers for a diagnostic device. The threat model must reason about patient harm through diagnostic error. The scenarios that appear in accepted IVD submissions include:

    • Result manipulation in transit. HL7 or ASTM message tampering between instrument and LIS producing a wrong quantitative result
    • QC bypass. Attacker suppression or forgery of quality-control failures, allowing the analyzer to release results it should have held
    • Reference range or assay parameter tampering. Modification of on-device calibration or assay definition files that shifts result interpretation
    • Middleware spoofing. A rogue node on the lab network impersonating the LIS and injecting orders or intercepting results
    • PHI exfiltration. Patient identifiers and result data leaving the device or middleware via an unmonitored interface
    • Denial of service on a time-critical analyzer. Blood gas, coagulation, or stat chemistry outages that delay patient care
    • Firmware or software update tampering. Unsigned or replay-attacked updates that install a compromised binary
    • Companion-diagnostic result forgery. CDx result manipulation that influences a therapeutic decision (particularly high-scrutiny under the CDER/CDRH lead-center split)

    Each scenario should trace to a patient-harm entry in the ISO 14971 file, a control in the security architecture, and a test in the V&V evidence. That three-way trace is what closes the reviewer's loop.

    Interoperability: the deficiency-letter hot spot

    The single most common Major deficiency we see on IVD cybersecurity submissions is insufficient analysis of the HL7/ASTM/POCT interface. Reviewers expect the submission to answer:

    • What transport is used (MLLP over TCP, TLS, VPN, serial) and what authentication protects it?
    • How are message integrity and origin validated? Are HL7 acknowledgements authenticated or replay-protected?
    • What happens when the interface is unavailable. Does the analyzer queue, drop, or hold results, and how is that state communicated to the operator?
    • How are downstream systems notified of a security event on the instrument?

    If the submission cannot answer these in the security architecture and threat model, expect a deficiency letter that specifically calls out interoperability controls. The fix is expensive after the fact; build it into the initial submission.

    Section 524B, EU IVDR, and the overlap

    Manufacturers shipping into both the U.S. and EU markets frequently ask whether one cybersecurity package can serve both regulators. The short version:

    • FDA (Section 524B + Feb 2026 guidance) anchors on AAMI SW96, TIR57/TIR97, and the SPDF.
    • EU IVDR (Regulation 2017/746) references IEC 81001-5-1 and the MDCG 2019-16 guidance on cybersecurity for medical devices.
    • The technical evidence overlaps substantially. Threat model, SBOM, testing, postmarket monitoring. But the submission format, labeling, and postmarket reporting cadence differ.

    Build one evidence base, then produce two submission-format packages. Attempting to submit an FDA-formatted cybersecurity package into IVDR technical documentation (or vice versa) creates avoidable rework.

    Companion diagnostics: the CDER/CDRH split

    For a CDx co-developed with a therapeutic, the FDA lead-center split (CDER for the drug, CDRH for the device) determines review path but does not change Section 524B applicability. The IVD portion still requires the full premarket cybersecurity package, and the risk-benefit analysis must consider cybersecurity failures that would misclassify a patient's eligibility for the paired therapeutic. That is a distinct harm scenario reviewers expect explicitly documented in the threat model.

    For the mechanics of the split, our combination product cybersecurity guide walks the CDER/CDRH handoff and how Section 524B applies when the device side of the combination is an IVD.

    Postmarket cybersecurity for IVDs

    The postmarket cybersecurity management plan for an IVD has to address realities the therapeutic-device world does not always face:

    • Long installed lifetimes. Analyzers frequently run 7–15 years in the field, past the support windows of the underlying OS and third-party libraries. The plan must cover end-of-support handling.
    • Distributed reagent-and-instrument business models. Security notices must reach the operating lab, not only the purchasing entity.
    • Shared middleware. A vulnerability in the instrument vendor's middleware can affect analyzers from multiple manufacturers on the same LIS. CVD coordination has to account for that.
    • QC and calibration data lifecycles. Monitoring must include integrity checks on assay parameter files, not only executable binaries.

    The plan should reference AAMI TIR97, the Feb 2026 guidance postmarket expectations, and (where applicable) EU IVDR postmarket surveillance obligations in a single coherent document.

    How Blue Goat Cyber approaches IVD cybersecurity submissions

    We run IVD cybersecurity as a regulated engineering workstream inside the manufacturer's QMS, not a document drop at the end. Engagements are led by senior medical-device security engineers who have shipped 250+ FDA cybersecurity submissions across 510(k), De Novo, PMA, and IVD pathways. What that looks like on an IVD:

    • Scoping against the actual IVD architecture. Analyzer firmware, embedded OS, LIS interfaces, middleware, cloud service, and connected workstations. Before any template opens.
    • Threat model built from IVD harm scenarios (result manipulation, QC bypass, LIS spoofing, CDx misclassification) rather than a generic IT threat list.
    • HL7/ASTM interface analysis with concrete controls, message-integrity evidence, and interface failure-mode handling documented in the security architecture.
    • SBOM and VEX generated inside the build pipeline so the postmarket monitoring plan has a live evidence source, not a snapshot.
    • Independent penetration testing covering instrument, network interfaces, middleware, and cloud portal. Executed by a testing team that does not also write the design.
    • Postmarket handoff, not abandonment. Every premarket package leaves a working CVD process, monitoring plan, and update cadence that stays defensible after clearance.

    Our FDA Premarket Cybersecurity Services, Medical Device Threat Modeling, and FDA-Compliant SBOM Services are the three most common entry points for IVD manufacturers.

    Frequently asked questions

    Does Section 524B apply to a benchtop IVD analyzer with only a serial LIS cable?

    Yes, in almost every case. The Section 524B(c) test is software plus the ability to connect to the internet plus vulnerability to cyber threats. A serial cable into a networked LIS gives the device an indirect internet path through the hospital network, and reviewers have consistently treated that as in-scope. Build the full package; do not attempt a scope-out argument.

    What is the difference between the FDA cybersecurity package for an IVD and for a therapeutic device?

    The deliverable list is the same. The content differs: IVD threat models must reason about result integrity, QC bypass, and LIS interoperability as first-class harm scenarios rather than as secondary concerns. IVD postmarket plans must handle long installed lifetimes and shared middleware. The FDA reviewer bar is identical.

    Do I need an SBOM for reagent kits or assay-only submissions?

    If the assay ships software (embedded scripting, analysis pipeline, on-device parameter files that qualify as software of unknown provenance) then yes. The software portion needs an SBOM. For pure reagent kits with no software content, Section 524B does not apply. When in doubt, treat any digital artifact as software and generate the SBOM; the cost of producing it is far below the cost of an RTA hold.

    How does the Feb 2026 FDA premarket cybersecurity guidance change what IVD submissions must include?

    The February 3, 2026 final guidance replaces the 2023 draft as the controlling document. For IVDs, the substantive shifts are the security architecture views (global, multi-patient harm, updateability, security use case), the explicit requirement for VEX alongside the SBOM, and the tightened expectations for postmarket monitoring and CVD. Submissions still using the 2023 draft as a reference get deficiency letters.

    What is the most common deficiency letter for IVD cybersecurity submissions?

    Insufficient analysis of the HL7/ASTM/POCT interface, followed closely by threat models that do not tie IVD-specific scenarios (result manipulation, QC bypass) to entries in the ISO 14971 patient-harm file. Both are avoidable in the initial submission.

    Do companion diagnostics require a separate cybersecurity package from the therapeutic?

    The IVD portion of a CDx submission requires its own Section 524B package. The therapeutic side follows the CDER cybersecurity expectations, which are less prescriptive today. The two packages should cross-reference each other in the risk analysis, particularly for harm scenarios where a compromised CDx result would misclassify eligibility for the paired therapeutic.

    Where this fits in the cluster

    This guide is the IVD-focused entry point into our FDA cybersecurity content. If you arrived here from a different starting point, the most useful adjacent pages are:

    Sources & primary references

    Talk to a regulatory cybersecurity team

    If you are shipping an IVD cybersecurity submission and want a second pair of eyes on the package before it goes in, we run cybersecurity deliverables end-to-end for IVD manufacturers across clinical analyzers, point-of-care devices, middleware, and companion diagnostics. Book a discovery session and we will walk your evidence with you.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. Section 524B of the FD&C Act. Ensuring Cybersecurity of Medical Devices- U.S. FDA
    2. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 3, 2026 final)- U.S. FDA
    3. ANSI/AAMI SW96:2023. Standard for medical device security. Security risk management for device life cycle- AAMI
    4. MDCG 2019-16 Rev.1. Guidance on Cybersecurity for Medical Devices- health.ec.europa.eu
    5. IEC 81001-5-1:2021. Health software and health IT systems safety, effectiveness and security- ISO
    Suggested reading

    Related guides

    Guide
    FDA Section 524B & eSTAR Cybersecurity: The Walkthrough
    Guide
    FDA Section 524B Subsections: Index of Every Topic
    Guide
    Section 524B Compliance Checklist: FDA Cybersecurity Requirements for Cyber Devices
    Guide
    Section 524B Post-Market Retrofit Guide
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.