FDA Cyber Guidance Sets Priorities for Medical Device Companies

June 3, 2026, 8:30 AM UTC

The Food and Drug Administration released updated cybersecurity guidance earlier this year, superseding its June 2025 guidance. This latest guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” aims to supplement the FDA’s postmarket cybersecurity guidance and “Content of Premarket Submissions for Device Software Functions.”

Medical devices and the healthcare sector writ large remain a favorite target of cyber criminals. Although the guidance’s recommendations are non-binding, medical device companies should review the guidance to ensure their practices meet the FDA’s expectations. The FDA also signaled that the guidance is meant to help companies with their existing statutory obligations.

Federal Cybersecurity Focus

The FDA’s guidance is part of a recent series of federal initiatives focusing on cybersecurity. The White House in March released its Cyber Strategy for America, which outlines the administration’s cybersecurity posture through six pillars that build on prior federal approaches.

The administration has been active on cybersecurity issues across federal agencies and industries, including through cyber-related rulemaking and enforcement activity, such as the Justice Department’s continuation of its Civil-Cyber Fraud Initiative and the Department of Defense’s final rule implementing the Cybersecurity Maturity Model Certification program.

FDA’s Cyber Guidance

The FDA’s guidance formalizes its position that cybersecurity risk management is essential to ensure devices are safe and effective. The FDA incorporates risk management framework ISO 13485 by reference and provides specific examples of how the framework can be incorporated into medical device security.

The guidance doesn’t mandate specific technical measures. Instead, it identifies cybersecurity controls that the FDA generally recommends medical device manufacturers assess as part of their premarket submissions, including:

Secure design and architecture. During the design phase, companies should assess the existing system, identify the potential cybersecurity risks, and then implement “secure by design” principles—such as organizational transparency and accountability—to reduce the number of exploitable flaws in medical devices before introducing them to the market for widespread use or consumption.

The FDA recommends controls related to authentication, authorization, cryptography, confidentiality, event detection and logging, resiliency and recovery, and “updatability and patchability.” Manufacturers should evaluate whether their architecture is designed to avoid deployment risks, disruption of supply chains, breaches of customer data, and the consequences of noncompliance with FDA guidance.

Cybersecurity transparency. Manufacturers should be transparent with device users and provide them with sufficient information about the device’s cybersecurity controls, potential risks to the medical device system, and other relevant information that allows a user to address potential or known cybersecurity risks.

Manufacturers should implement transparency policies that build trust with their end users. This means empowering their end users to assess the strengths and weaknesses of their policies and, where applicable, make informed decisions when purchasing their products.

Threat modeling. The FDA suggests that manufacturers conduct threat modeling that includes a process for identifying security objectives, risks, and vulnerabilities across the medical device system, and then defining countermeasures to prevent, mitigate, monitor, or respond to the effects of threats to the medical device system throughout its lifecycle. They should analyze their systems from a bad actor’s perspective, modeling how one could exploit the systems’ vulnerabilities.

Cyber risk assessments. The FDA calls for manufacturers to assess security risks and controls for residual risks as part of a cybersecurity risk assessment, including risks that can occur either intentionally or unintentionally. They should conduct risk assessments throughout the device’s lifecycle, identifying potential vulnerabilities, adopting measures that protect the system, detecting potential attacks, and responding to and recovering from malicious incidents.

Looking Ahead

Companies across sectors should anticipate federal agencies will monitor cyber-related threats and issue guidance, engage in rulemaking, and pursue enforcement actions where companies fail to adequately address or respond to cybersecurity matters.

In particular, medical device manufacturers—and companies operating in any of the 16 critical infrastructure sectors—should monitor for updates on rulemaking initiated by the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Tyler R. Bridegan is a partner at Womble Bond Dickinson and helps companies navigate the privacy, cybersecurity, and technology legal landscape by developing risk-based compliance strategies and defending companies targeted by government investigations and litigation.

Taylor Ey is a partner at Womble Bond Dickinson and focuses her practice on privacy and data security matters that overlap with consumer protection laws, digital advertising, and marketing.

Jennifer German is counsel at Womble Bond Dickinson and focuses her practice on regulatory issues that affect FDA-regulated industries.
