
FDA's Latest Medical Device Cybersecurity Guidance
FDA Issues Final Guidance on Medical Device Cybersecurity
On June 27, 2025, the U.S. Food and Drug Administration (FDA) published the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which supersedes the September 2023 version. The guidance explains what FDA expects from manufacturers in terms of cybersecurity requirements, why those requirements matter, and how to implement them in a way that will hold up in a premarket submission.
What is a Cyber Device?
Section 524B(c) of the FD&C Act defines a "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. The 2025 guidance interprets "ability to connect to the internet" broadly: the device does not have to be intended for network use, and an interface that could carry data (for example Wi-Fi, Bluetooth, cellular, USB or a serial port) is enough. Before this clarification, some manufacturers argued that their devices were not cyber devices because they were not network-enabled. The practical reading now is: if your device contains software and has any interface that could carry data, treat it as a cyber device and apply this guidance to it.
Use a risk-based approach to documentation
The FDA wants companies to focus on cybersecurity risk when preparing documentation, not on general software risk or other types of risk. This means you must decide how detailed your cybersecurity documents should be based on how much cybersecurity risk the device poses.
It is not about how big or complex the software is; it is about how risky the device is in terms of cybersecurity. The FDA gives two examples:
- A device might have complex software (high software risk), but if it's well protected or isolated, it may have low cybersecurity risk.
- On the other hand, a device with simple software could still be very vulnerable to cyber-attacks and have high cybersecurity risk.
So, always evaluate cybersecurity risk separately and tailor your documents accordingly.
Reference to an updated standard
Most companies have not yet adopted the ANSI/AAMI SW96 standard. Instead, they typically rely on a combination of ISO 14971 to manage safety risks and AAMI TIR57 to manage security risks. It is worth noting that TIR57 is a technical information report rather than a standard: FDA recognizes it as a consensus standard, but it is written as guidance on applying ISO 14971 to security. The 2025 guidance specifically references ANSI/AAMI SW96, which gives that standard more regulatory weight. SW96 lays out clear, structured steps for managing cybersecurity risk across the product lifecycle, which helps manufacturers treat cybersecurity as an integral part of device development rather than an optional best practice.
Specific requirements for cyber devices
Section V of the guidance adds the following requirements for cyber devices:
- ✔️ Cybersecurity management plan: maintain the plan and update it as new information becomes available, for example when a vulnerability is disclosed in a component the device uses.
- ✔️ Procedures to provide a reasonable assurance of cybersecurity: in the 2023 guidance, the FDA talked about "reasonable assurance" mainly in terms of a device being safe and effective. The 2025 guidance makes it clear that manufacturers must also demonstrate that the device and related systems are cybersecure; this is now a requirement. Also, if you are comparing a new device to an older one (a "predicate") to show they are substantially equivalent, the FDA may reject the comparison if the new device carries higher cybersecurity risk.
- ✔️ Software Bill of Materials (SBOM): a comprehensive SBOM should list every software component in the device, both components developed by the manufacturer and third-party elements. This includes licensed or purchased software, off-the-shelf and open-source software, and any upstream dependencies required by those proprietary or third-party components. The statute (Section 524B(b)) names commercial, open-source and off-the-shelf components explicitly, so an SBOM that stops at the direct dependencies is incomplete.
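The following Python script is an added example, not code from the original post or from FDA; it checks an SBOM for the completeness points listed above. It assumes the CycloneDX 1.x JSON field names (components[].name, version, supplier, bom-ref and dependencies[].ref, dependsOn), and the SBOM it inspects is a constructed sample: a first-party firmware image, a purchased RTOS, an open-source TLS library and one of that library's upstream dependencies. The checks flag components missing the fields needed to match them to advisories, dependency edges that point at components not listed in the SBOM (an upstream dependency that was never enumerated), and components with no dependency entry at all, because a missing entry cannot be distinguished from "has no dependencies".

```python
"""Completeness checks on a CycloneDX-style SBOM (added example).

Constructed sample data; field names follow CycloneDX 1.x JSON.
"""
import json

# Constructed sample SBOM. The TLS library declares a dependency on a
# vendor libc that nobody added to the component list, and the RTOS and
# zlib have no dependency entries, so their upstream status is unknown.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {"bom-ref": "pump-fw", "name": "infusion-pump-firmware",
                  "version": "4.2.0", "supplier": {"name": "Example Device Co."}}
  },
  "components": [
    {"bom-ref": "rtos", "name": "ExampleRTOS", "version": "9.1",
     "supplier": {"name": "Example RTOS Vendor"}},
    {"bom-ref": "tls", "name": "example-tls", "version": "3.0.7",
     "supplier": {"name": "example-tls project"}},
    {"bom-ref": "zlib", "name": "zlib", "version": "1.3",
     "supplier": {"name": "zlib.net"}}
  ],
  "dependencies": [
    {"ref": "pump-fw", "dependsOn": ["rtos", "tls"]},
    {"ref": "tls", "dependsOn": ["zlib", "libc-vendor"]}
  ]
}
""")

# Fields a reader needs to match a component against vulnerability advisories.
REQUIRED_FIELDS = ("name", "version", "supplier")


def check_sbom(sbom):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}

    # The device software itself is a component too (CycloneDX puts it in metadata).
    root = sbom.get("metadata", {}).get("component")
    if root is None:
        findings.append("metadata.component (the device software itself) is missing")
    else:
        components[root["bom-ref"]] = root

    # 1. Every component, first- or third-party, must carry the identifying fields.
    for ref, comp in components.items():
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append(f"{ref}: missing {field}")

    # 2. Every dependency edge must resolve to a listed component, so that
    #    upstream dependencies of third-party components are actually enumerated.
    declared = set()
    for dep in sbom.get("dependencies", []):
        declared.add(dep["ref"])
        for target in dep.get("dependsOn", []):
            if target not in components:
                findings.append(
                    f"{dep['ref']}: depends on {target!r}, which is not listed as a component")

    # 3. A component with no dependency entry is ambiguous: leaf components should
    #    declare an empty dependsOn so "none" is distinguishable from "not analysed".
    for ref in components:
        if ref not in declared:
            findings.append(f"{ref}: no dependencies entry (declare an empty dependsOn if it has none)")

    return findings


def main():
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)


if __name__ == "__main__":
    main()
```

Run against the sample, the script reports the unlisted libc dependency and the two components without dependency entries; fixing those (adding the libc component with its own fields and declaring empty dependsOn lists for the leaves) brings the findings list to empty, which is the state a reviewer would expect before the SBOM goes into a submission.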