Cybersecurity for Medical Devices: what you need to know to meet the FDA's 2025 Guidance

  • Writer: SANRUBIO, LLC
  • Jul 4
  • 3 min read

Updated: Jul 5

Why cybersecurity is critical for FDA submissions


As medical devices become more connected and software-driven, cybersecurity is no longer a nice-to-have; it is a regulatory requirement. Cyber threats can compromise patient safety, disrupt device functionality, and damage your organization’s credibility.


In June 2025, the FDA released its final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”

This document outlines what manufacturers must include in their premarket submissions to ensure devices are secure by design and compliant with Section 524B of the FD&C Act.

What devices are covered?


The guidance applies to cyber devices, defined by the FDA as medical devices that:


  1. Contain software validated as a device or as part of a device.

  2. Can connect to the internet or other networks.

  3. Are susceptible to cybersecurity threats due to technological features.


This includes a wide range of connected solutions—wearables, cloud-integrated devices, and hospital-based platforms.


Key cybersecurity requirements for FDA premarket submissions


The FDA outlines seven core areas that manufacturers should address:


1. Secure product development framework (SPDF)


You must establish a documented, risk-based process for integrating cybersecurity across the product lifecycle. This includes:

  • Threat identification and mitigation from early design stages.

  • Implementation of built-in security controls.

  • Secure mechanisms for software updates and patching.


Note: FDA reviewers will expect evidence that security is embedded from day one—not added as an afterthought.


2. Software bill of materials (SBOM)


An SBOM must include:

  • All software components, including third-party and open-source libraries.

  • Version numbers, dependencies, and support status.

  • End-of-life information for each component.


Note: A well-maintained SBOM enables faster response to known vulnerabilities and strengthens supply chain transparency.
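The value of an SBOM at review time comes from being able to check it mechanically. The script below is an added example, not code from the post, the FDA guidance, or Sanrubio: it takes an SBOM in a CycloneDX-style JSON layout and reports any component that lacks the fields listed above (name, version, dependencies, support status, end-of-life date), any dependency that points at a component not inventoried in the SBOM, and any component already past its end-of-life on the review date. The sample SBOM is constructed for the example, and the `supportStatus` and `endOfLife` property names are this example's own convention rather than official CycloneDX fields.

```python
"""Completeness check for a medical-device SBOM.

Added example (not from the post or the FDA guidance). It verifies that every
component carries the data the guidance calls for -- name, version,
dependencies, support status and end-of-life date -- that every dependency is
itself inventoried, and that no component is past end-of-life on the review
date. The SBOM below is a constructed sample; "supportStatus" and "endOfLife"
are this example's own property names, not CycloneDX fields.
"""
import json
from datetime import date

# Constructed sample SBOM (not a real device's inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "firmware", "name": "pump-firmware", "version": "2.4.1",
         "supportStatus": "supported", "endOfLife": "2030-12-31",
         "dependencies": ["tls-lib", "json-lib"]},
        {"bom-ref": "tls-lib", "name": "example-tls", "version": "1.0.2",
         "supportStatus": "end-of-life", "endOfLife": "2023-01-01",
         "dependencies": []},
        # Deliberately incomplete entry: no support status, no EOL date,
        # and a dependency that is not inventoried anywhere in the SBOM.
        {"bom-ref": "json-lib", "name": "example-json", "version": "3.1",
         "dependencies": ["missing-lib"]},
    ],
})

# Fields every component must carry to satisfy the checklist in the text.
REQUIRED_FIELDS = ("bom-ref", "name", "version",
                   "supportStatus", "endOfLife", "dependencies")


def check_sbom(sbom_json: str, review_date: str) -> list:
    """Return a list of human-readable findings; an empty list means the SBOM passes.

    review_date is an ISO date string (YYYY-MM-DD), e.g. the date of the review.
    """
    sbom = json.loads(sbom_json)
    today = date.fromisoformat(review_date)
    components = sbom.get("components", [])
    known_refs = {c.get("bom-ref") for c in components}
    findings = []

    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"

        # 1. Every required field must be present.
        for field in REQUIRED_FIELDS:
            if field not in comp:
                findings.append(f"{label}: missing field '{field}'")

        # 2. Dependencies must point at components that are themselves
        #    inventoried; otherwise part of the supply chain is invisible
        #    to vulnerability triage.
        for dep in comp.get("dependencies", []):
            if dep not in known_refs:
                findings.append(f"{label}: dependency '{dep}' is not in the SBOM")

        # 3. End-of-life components need a documented replacement plan.
        eol = comp.get("endOfLife")
        if eol and date.fromisoformat(eol) <= today:
            findings.append(f"{label}: past end-of-life ({eol})")
        if comp.get("supportStatus") == "end-of-life" and not eol:
            findings.append(f"{label}: marked end-of-life but no date given")

    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, "2025-07-04"):
        print(finding)
```

Run against the constructed sample with a review date of 2025-07-04, the checker reports four findings: the TLS library is past end-of-life, and the JSON library lacks both support fields and depends on a component that is not in the SBOM. A real submission would run the same kind of check over the SBOM exported from the build system, with the findings feeding the risk assessment and the postmarket update process described later in the post.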


3. Cybersecurity risk assessment


Go beyond clinical risk. FDA expects:

  • Comprehensive threat modeling.

  • Assessment of vulnerability exploitability.

  • Evaluation of risks related to device interoperability.


Note: Prioritize risks that could lead to patient harm or compromise critical device functions.


4. Cybersecurity testing and anomaly response


Manufacturers must validate the effectiveness of security controls through testing. Any unresolved anomalies should be assessed for potential safety impact and documented accordingly.


5. Device labeling and user guidance


Labeling should support secure configuration and ongoing maintenance. Include:

  • Security configuration instructions.

  • Software update procedures.

  • Information on known cybersecurity risks.


6. Total product lifecycle (TPLC) cybersecurity


Cybersecurity is not a one-time effort. Manufacturers are expected to:

  • Monitor for new threats postmarket.

  • Update the SBOM and risk documentation accordingly.

  • Have formal procedures to deploy mitigations when needed.


7. Coordinated vulnerability disclosure and timely mitigation

You must include:


  • A Coordinated Vulnerability Disclosure (CVD) plan outlining how you handle security reports from researchers, customers, or third parties.

  • A reasonable timeline to assess and mitigate vulnerabilities, especially those that pose a safety risk.


Note: These elements are not optional—they are required under Section 524B. Having a clear process in place demonstrates organizational maturity and readiness to manage security events responsibly.


⚠️ Important note: This information is general and does not replace a thorough review of the FDA’s official guidance. Each requirement is outlined in detail in the document “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The FDA may request additional or device-specific information depending on the product’s characteristics and risk level.


Best practices for manufacturers


  • 🔐 Build security into the design. It’s easier and cheaper than fixing issues post-submission.

  • 🧾 Automate your SBOM. Use tools that generate and update it continuously.

  • 🧠 Use threat modeling from the start. Identify potential entry points early.

  • 📁 Document every security decision. The FDA expects clear traceability.

  • ⏱️ Define ownership and response timelines. Be ready to act fast on vulnerabilities.

  • 🤝 Work with experts. Partnering with regulatory and cybersecurity professionals improves your chances of approval.



📞 How Sanrubio, LLC can support you


At Sanrubio, LLC, based in Miami, we offer:


  • Tailored regulatory consulting: From pre-submission planning to 510(k) or De Novo submission preparation.

  • Strategic location: Miami serves as a gateway for international manufacturers entering the U.S. market.

  • Free consultations: Discuss your project with our experts and optimize your regulatory pathway.


Ready to bring your medical device to the U.S. market?

CONTACT US for personalized consulting and take the next step in your medical device journey with confidence.



 
 
 
