Software as a Medical Device (SaMD) Cybersecurity
SaMD - software intended for a medical purpose that performs that purpose without being part of a hardware medical device - is one of the fastest-growing FDA submission categories and one of the most cybersecurity-sensitive. Cloud backends, mobile apps, and standalone clinical software inherit every FDA premarket cybersecurity requirement that applies to embedded devices, plus a much broader attack surface: internet-facing APIs, third-party cloud services, app stores, and a dependency tree that changes far more often than firmware. This hub pulls together the services, guides, blog posts, and standards that explain what SaMD-grade cybersecurity looks like under the Feb 2026 guidance, IEC 62304, IEC 81001-5-1, and Section 524B.
Services
- Secure MedTech Product Design
Architecture review, control selection, and secure development guidance from concept through V&V - aligned with FDA's Secure Product Development Framework.
- Full-Service FDA Premarket Cybersecurity
Full-service, end-to-end: we deliver 100% of the artifacts FDA reviewers expect for 510(k), De Novo, PMA, and IDE submissions - traceable, complete, and aligned with current 524B guidance.
- Medical Device Threat Modeling
Comprehensive threat modeling per FDA Section V.A.1 - covering supply chain, deployment, environment of use, and decommission risks for the full device system.
- FDA-Compliant SBOM Services
Machine- and human-readable SBOMs with NTIA minimum elements, vulnerability mapping, and end-of-support tracking - built for FDA review.
- Medical Device Penetration Testing
Hardware, firmware, mobile, and cloud - tested by operators with both red-team and medical-device experience. Reports built for FDA reviewers.
In-depth guides
- SaMD Cybersecurity FDA Requirements: A Compliance Guide
Master SaMD cybersecurity FDA requirements. Learn premarket submission needs, SBOM standards, and postmarket monitoring for SaMD under Section 524B.
- The SPDF Playbook
A practical, ungated guide to building a Secure Product Development Framework (SPDF) that FDA accepts - the eight pillars, the artifacts each one produces, and a pre-submission readiness checklist you can score yourself against.
- The MedTech Cybersecurity Standards Decoder
A plain-English field guide to FDA Section 524B, IEC 81001-5-1, AAMI TIR57, ANSI/AAMI SW96, ISO 14971, and 8 more medical device cybersecurity standards - what they require, how they connect, and what FDA expects in your eSTAR premarket submission.
- Guide to IEC 81001-5-1 Security Risk Assessments
Learn how to implement IEC 81001-5-1 security risk assessments for FDA compliance. Expert guidance on medical device lifecycle security mapping.
Standards & guidance
Defined entries from our MedTech Cybersecurity Standards Glossary.
- FDA 2026 Guidance (FDA Premarket Cybersecurity Guidance, Feb 3, 2026)
The FDA's final premarket cybersecurity guidance, effective February 3, 2026. Defines the seven-section cybersecurity submission format reviewers now enforce at Technical Screening, replacing the 2023 draft. Operationalizes Section 524B of the FD&C Act.
- Section 524B (FD&C Act Cyber Device Requirements)
Added by the Consolidated Appropriations Act, 2023, Section 524B gives the FDA explicit authority to require a complete cybersecurity package in every premarket submission for a cyber device, and to refuse submissions that lack one.
- SPDF (Secure Product Development Framework)
A documented framework that shows security activities are integrated across the device lifecycle - not bolted on at the end. Includes secure requirements, threat modeling, secure coding, V&V, vulnerability management, and post-market response.
- IEC 81001-5-1 (Health Software Security Activities)
The international standard the FDA points to for the Secure Product Development Framework (SPDF). Defines security activities at each lifecycle stage - planning, requirements, design, implementation, V&V, release, and post-market.
- ISO 14971 (Medical Device Risk Management)
The umbrella risk-management standard for medical devices. Defines hazard identification, risk estimation, risk evaluation, risk control, and residual risk evaluation. Cybersecurity risks must be reconciled here so a security control never silently introduces a safety hazard.
- ISO 13485 (Medical Device Quality Management System)
The international QMS standard for MedTech. Covers design controls, document control, CAPA, supplier management, and post-market surveillance. The QMSR final rule (effective Feb 2, 2026) harmonizes 21 CFR Part 820 with ISO 13485.
From the blog
- SaMD vs SiMD: What Medical Device Manufacturers Need to Know
Learn the difference between SaMD and SiMD, why it matters for FDA strategy, and how to build secure-by-design medical devices across your product lifecycle.
- What Is Software as a Medical Device?
Uncover the importance and implications of Software as a Medical Device (SaMD) in the healthcare industry.
- Cybersecurity Best Practices for Medical Device Design
Discover cybersecurity best practices for medical device design, from threat modeling to FDA-aligned lifecycle management, to protect patients and data.
- Risk-Based Testing for Medical Device Software
Explore the intricacies of risk-based testing for medical device software in this comprehensive guide.
Related FDA deficiencies
The deficiency letters reviewers most often write on submissions in this topic area. Each links to the full response playbook.
- Inadequate Vulnerability Management Plan
Your VM plan lacks defined triage timelines, a coordinated vulnerability disclosure path, or a documented patch-deploy mechanism.
Response playbook
- Inadequate Post-Market Cybersecurity Plan
Your post-market plan lacks monitoring, patching commitments, customer communications, or end-of-support handling.
Response playbook
- Non-Conformant SBOM
Your SBOM is missing required minimum elements, transitive dependencies, or is delivered in an unsupported format.
Response playbook
- Missing SPDF Documentation
Reviewers cannot find evidence that your QMS implements a Secure Product Development Framework integrated with design controls.
Response playbook
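The SBOM deficiency above, and the SBOM service description earlier on this page, both come down to the same pre-submission check: does every component carry the NTIA minimum elements (supplier name, component name, version, a unique identifier, its dependency relationships), and does the document itself carry an author and a timestamp? The script below is an added example, not the consultancy's tooling or any FDA-published checker. It parses a CycloneDX JSON SBOM, which is constructed inline for illustration, and reports each missing element plus any component that was left out of the dependency graph. The end-of-support date is tracked through a custom CycloneDX property; the property name `medtech:end-of-support` is an assumption, since CycloneDX defines no standard field for it.

```python
"""NTIA minimum-element check for a CycloneDX JSON SBOM.

Added example for this page; not the consultancy's own tooling.
The SBOM below is constructed for illustration, and the custom
property carrying the end-of-support date is an assumed convention.
"""
import json
from datetime import datetime

# Assumed custom property name: CycloneDX has no standard end-of-support
# field, so pick a name, document it, and validate it here.
EOS_PROPERTY = "medtech:end-of-support"

# Constructed sample: one clean component, one missing supplier and EOS,
# one legacy library missing almost everything.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-02-10T12:00:00Z",
        "authors": [{"name": "Device Security Team"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "glucose-insights", "version": "3.2.0",
                      "supplier": {"name": "Example Health Inc."}},
    },
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
         "name": "requests", "version": "2.31.0",
         "supplier": {"name": "Python Software Foundation"},
         "purl": "pkg:pypi/requests@2.31.0",
         "properties": [{"name": EOS_PROPERTY, "value": "2027-12-31"}]},
        {"bom-ref": "urllib3", "type": "library", "name": "urllib3",
         "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
        {"bom-ref": "legacy-lib", "type": "library", "name": "legacy-crypto"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "legacy-lib"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["urllib3"]},
    ],
})


def check_component(comp):
    """Findings for one component against the per-component NTIA elements."""
    ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
    findings = []
    if not comp.get("supplier", {}).get("name"):
        findings.append(f"{ref}: missing supplier name")
    if not comp.get("name"):
        findings.append(f"{ref}: missing component name")
    if not comp.get("version"):
        findings.append(f"{ref}: missing version")
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        findings.append(f"{ref}: missing unique identifier (purl/cpe/swid)")
    props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
    if not props.get(EOS_PROPERTY):
        findings.append(f"{ref}: missing end-of-support date ({EOS_PROPERTY})")
    return findings


def check_sbom(text):
    """Return a list of findings; an empty list means the SBOM passed."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        return ["unsupported format: expected CycloneDX JSON"]
    findings = []

    # Document-level elements: author of the SBOM data and a timestamp.
    meta = bom.get("metadata", {})
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing author of SBOM data")
    ts = meta.get("timestamp") or ""
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        findings.append("metadata: missing or unparseable timestamp")

    components = list(bom.get("components", []))
    for comp in components:
        findings.extend(check_component(comp))

    # Dependency relationships: every declared component must appear in the
    # graph, and every edge must point at a declared component.
    declared = {c["bom-ref"] for c in components if c.get("bom-ref")}
    root = meta.get("component", {}).get("bom-ref")
    if root:
        declared.add(root)
    deps = bom.get("dependencies", [])
    if not deps:
        findings.append("dependencies: no dependency relationships declared")
    in_graph = set()
    for d in deps:
        if d.get("ref"):
            in_graph.add(d["ref"])
        in_graph.update(d.get("dependsOn", []))
    for ref in sorted(declared - in_graph):
        findings.append(f"{ref}: not placed in the dependency graph")
    for ref in sorted(in_graph - declared):
        findings.append(f"{ref}: in dependencies but not declared as a component")
    return findings


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM):
        print(line)
```

Run against the constructed sample it reports six findings: two for `urllib3` (supplier, end-of-support) and four for `legacy-lib` (supplier, version, identifier, end-of-support), while the dependency graph passes because every component is reachable from the root. Wiring this into CI so the build fails on a non-empty list is cheaper than discovering the gap in a deficiency letter.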
Get FDA cleared without the cybersecurity headaches.
30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.
