
As Prescribed


From Vulnerability to Violation: FDA Cybersecurity Requirements for Medical Devices and FCA Enforcement

In June 2025, the US Food and Drug Administration (FDA) issued a final guidance titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (2025 Cybersecurity Guidance). This guidance updates the 2023 guidance of the same title with the agency’s interpretation of, and compliance recommendations for, the new requirements for “cyber devices” under Section 524B of the Federal Food, Drug, and Cosmetic Act (FFDCA). These new statutory cybersecurity requirements, enacted in December 2022 as part of the Food and Drug Omnibus Reform Act (FDORA), are starting to take center stage as the medical device sector begins to address new enforcement risks for cybersecurity deficiencies under more traditional fraud and abuse laws, such as the False Claims Act (FCA).

Overview of FDA’s Cybersecurity Requirements and Recent Enforcement

Section 524B of the FFDCA requires that any device that meets the definition of a “cyber device” provide certain cybersecurity information in the requisite premarket submission to ensure that the device meets the FFDCA’s cybersecurity requirements. This provision explicitly ties the new concept of reasonable assurance of cybersecurity to FDA’s authority to ensure that there is reasonable assurance of safety and effectiveness of devices, ultimately providing an avenue for FDA to deny premarket authorization on cybersecurity grounds alone. Additionally, it is now a prohibited act under Section 301(q) of the FFDCA to fail to maintain cybersecurity processes and procedures. Both of these changes place a premium on prioritizing cybersecurity pre- and post-market as part of device design and monitoring.

With new requirements and submissions to FDA regarding safety and effectiveness of cybersecurity controls, however, comes heightened enforcement scrutiny. The Department of Justice’s (DOJ’s) recent settlement with Illumina Inc. related to alleged cybersecurity deficiencies under the FCA, which we discussed previously, demonstrates that cybersecurity requirements are providing a new angle for DOJ enforcement and another reason for a company to ensure that it is focused on cybersecurity—if it wasn’t already. In that case, a whistleblower alleged that Illumina ignored and failed to mitigate cybersecurity vulnerabilities in its genomic sequencing products, which ultimately led to misrepresentations made as part of federal grants and contracts with agencies such as the National Institutes of Health.

Importantly, the relator’s complaint and the settlement agreement do not reference the new cybersecurity requirements of FDORA, but rather rely on Illumina’s alleged failure to comply with FDA’s Quality System Regulation (QSR). FDORA’s new statutory requirements offer a clearer avenue for enforcement agencies like the DOJ to inquire about representations to FDA and other agencies about a medical device’s compliance with the new cybersecurity requirements.

These express requirements and potential certifications of compliance are more similar to contracts with federal agencies such as the US Department of Defense that require certifications with respect to the Department’s Cybersecurity Maturity Model Certification. Such contracts have been a focus of FCA cybersecurity enforcement for some time. In short, stakeholders should be keenly aware of FDORA’s focus on cybersecurity because noncompliance may open doors to investigations and civil enforcement under the FCA.

Key Considerations for Medical Device Manufacturers

The 2025 Cybersecurity Guidance provides a detailed roadmap on processes, procedures, and documentation to ensure that devices are cybersecure and to demonstrate such to FDA in a premarket submission. Given this guidance and other recent activity, medical device manufacturers should be mindful of the following:

FDA Interprets the Definition of ‘Cyber Device’ Broadly

Any device that contains software, or is software, and has connectivity capabilities (e.g., Wi-Fi or Bluetooth) is considered a cyber device, whether or not the device is network-enabled.

Cybersecurity Cannot be an Afterthought

The statutory requirements around cybersecurity, and the premarket requirements in particular, mean manufacturers cannot ignore cybersecurity until the last stages of device development. For over a decade, FDA has expressed that manufacturers should integrate cybersecurity considerations into the earliest stages of product development, and, since the publication of the 2023 guidance, the agency has made explicit that cybersecurity is part of FDA’s Quality System Regulation design control requirements, recommending the use of a Secure Product Development Framework (SPDF) to assist with compliance.

In practical terms, this means activities like threat modeling, secure coding practices, use of encryption/authentication, and robust software testing must be embedded in the quality system from the very beginning. Additionally, manufacturers of cyber devices must incorporate software bill of materials (SBOM) generation and management into their quality system and supplier agreements, so that an SBOM can be produced and updated readily as the product evolves.

Prepare for Increased Scrutiny of Premarket Submissions

Inadequate documentation of cybersecurity can delay clearances or approvals. Careful preparation of a cybersecurity risk management file, test reports, SBOM, and maintenance plan, as well as an understanding of the cybersecurity needs for your device type, is critical for an efficient FDA review. Keep in mind that having the same or similar cybersecurity measures as a predicate device may not be sufficient, especially if there have been changes to the use environment, including the existence of new risks or vulnerabilities since the predicate was cleared.

Cybersecurity Requirements Do Not End with Premarket Authorization

With cybersecurity being associated with prohibited acts in the FFDCA and a looming possibility of FCA enforcement related to certifications and representations of compliance with cybersecurity requirements to the government, manufacturers cannot rest on their laurels after obtaining FDA authorization. Section 524B of the FFDCA imposes ongoing obligations throughout the lifecycle of a device on manufacturers to monitor for cybersecurity risks and vulnerabilities, and to make available updates and patches to the device and related systems on either a regular basis, or as soon as possible, depending on the categorization of the vulnerability being patched. Some of these updates and patches may implicate other requirements, such as requirements to report device corrections or any potential adverse events to FDA under 21 CFR parts 803 and 806. Software changes may also require a new premarket submission.

Unanswered Questions Remain for Legacy Devices

The 2025 Cybersecurity Guidance is silent on how legacy devices, essentially devices that use outdated hardware or software systems that are not able to be patched or updated and are often no longer supported by the manufacturer, can comply with the requirements in Section 524B of the FFDCA.

We previously discussed the policy concerns related to the cybersecurity of medical devices. The FFDCA requires all premarket submissions to provide evidence that the device is reasonably cybersecure and enables FDA to deny an authorization for failure to establish such. Legacy devices will be unable to meet these requirements, but there are no exceptions in the statute, and FDA did not offer enforcement discretion in the guidance. This should put manufacturers with outdated hardware or software on notice that they may need to make significant design changes to these long-marketed devices or begin speaking with FDA about possible paths forward.

How to Prepare for a Cybersecurity Incident

Medical device companies should consider investing in cybersecurity preparedness to help prevent and respond to incidents. Strong cybersecurity governance, strong controls, and regular testing help ensure efficient and thoughtful responses to incidents. Companies should consider having an incident response plan with preapproved third-party experts, engaging in risk assessments and threat modeling, and regularly testing their incident response plans through annual tabletop exercises. Where possible, these tabletop exercises should focus on worst-case scenarios, including long-term critical system outages.

In addition, companies should consider identifying critical systems to allow them to prioritize recovery efforts in the event of an outage and invest in backup and recovery systems. Finally, companies should consider fostering a culture of cybersecurity preparedness, including leadership engagement and employee training. This mindset helps prevent social engineering and phishing, which have been the root cause of many recent incidents.

How We Can Help

We can assist medical device companies in managing their cybersecurity program and responding to cybersecurity incidents. Our team is well versed in breach reporting regimes applicable to health data, including the Health Insurance Portability and Accountability Act (HIPAA), the FTC’s Health Data Breach Notification Rule, and state data breach laws as well as FDA’s reporting requirements.

We are continuously monitoring emerging cybersecurity threats to help companies in the life sciences sector prevent and respond to incidents. Please reach out to our team if you have any questions or would like assistance with your cybersecurity program.