FDA Update: 3 Things to Know About Revised Cybersecurity Guidance for Medical Devices

Cyber vulnerabilities can jeopardize patient care, especially in the medical device industry. Over the past few years, the FDA has made it a priority to combat these threats by revising its guidance documents for cybersecurity in medical devices.

Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions, released in February, replaced a previous version released in June 2025. Since the FDA released the first draft of this guidance in 2022, most manufacturer premarket submissions have already included many of the practices outlined in it. The revised version is intended to address minor policy changes and provide technical clarifications. Overall, the guidance aims to ensure medical devices are safe and effective for patients and protected from hacking and other cyber threats.

Here are three things to know about the revisions:

1. They formalize expectations.

The updates pertain to the good manufacturing practice requirements under Part 820, previously known as the Quality System Regulation. The revisions formalize the widely accepted expectation that cybersecurity risk management is integrated into a device’s design as part of the device’s quality management system.

2. They clarify what needs to happen.

Under Part 820, the FDA clarifies the final rule regarding ISO 13485:2016. It amends the medical device current good manufacturing practice requirements, with an emphasis on risk management, and gives examples of how the ISO risk management framework applies to medical device security. For example, medical device manufacturers may need to implement risk management and validation processes.

3. They highlight key controls.

The guidance highlights key cybersecurity controls that the FDA expects manufacturers to address. These include:

  • Secure design and architecture: The FDA recommends manufacturers integrate cybersecurity risk management by design, including architectural controls to minimize vulnerabilities.
  • Risk assessment and threat modeling: Manufacturers are expected to conduct security risk assessments and threat modeling.
  • Authentication, access control and data protection: The FDA recommends controls to ensure only authorized users can access data and that data remains confidential and intact.
  • Cybersecurity testing: The FDA recommends manufacturers test extensively for cybersecurity vulnerabilities and potential attack methods.
  • Software transparency and supply chain controls: The guidance emphasizes a software bill of materials (SBOM), which is an inventory of all software components, libraries and dependencies.
  • Update and patch management: The FDA recommends devices be designed for timely updates and patches to address security vulnerabilities.

To learn more, read the guidance.

At ASG, we’re keeping a close eye on new developments and best practices in cybersecurity. Learn more about us.