FDA Medical Device Cybersecurity Requirements

Regulatory Compilation under Section 524B of the FD&C Act

21 U.S.C. § 360n-2 and FDA Implementation Guidance

Last updated: October 29, 2025

FDA Requirements Only - Additional Compliance Obligations May Apply

Independent resource: We are not affiliated with or endorsed by the U.S. Food & Drug Administration. For official requirements, consult the FD&C Act §524B (21 U.S.C. §360n-2) and FDA guidance and Federal Register notices.

⚠ Important: This compilation addresses FDA requirements ONLY. Because information on this topic is currently fragmented across several sources, this resource is provided for convenience in navigating medical device cybersecurity requirements, with no guarantees whatsoever. This compilation is not legal advice and is not the official text of the eCFR or of any FDA guidance; it is an independent summary provided for convenience. Medical device vendors and healthcare entities may have additional cybersecurity obligations under HIPAA, state laws, and other regulations. Consult qualified regulatory professionals for specific scenarios. See the full disclaimers in the References section.

Section 1. Authority

This compilation summarizes requirements derived from:

  1. Section 524B of the Federal Food, Drug, and Cosmetic Act, as codified at 21 U.S.C. § 360n-2, added by Section 3305 of the Food and Drug Omnibus Reform Act of 2022 (FDORA), Public Law 117-328, Division FF, Title III, § 3305(a), enacted December 29, 2022.
  2. Sections 510(k), 513, 515(c), 515(f), and 520(m) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. §§ 360(k), 360c, 360e(c), 360e(f), and 360j(m)).
  3. FDA's general authorities under 21 CFR Part 820 (Quality System Regulation) and 21 CFR 10.115 (Good Guidance Practices).

Section 2. Purpose and Scope

Compilation Purpose: This document consolidates FDA's currently scattered medical device cybersecurity requirements into a single, organized reference. It addresses FDA requirements under Section 524B of the FD&C Act only and does not encompass other cybersecurity obligations that may apply under HIPAA, state laws, international regulations, or industry standards.

This is a plain-language summary intended for convenience and does not reproduce the full statutory or guidance text - please see referenced sources for official texts.

(a) Purpose

This document establishes requirements and recommendations for ensuring the cybersecurity of medical devices to:

  1. Protect patient safety by ensuring medical devices are sufficiently resilient to cybersecurity threats;
  2. Ensure the continued safety and effectiveness of devices throughout their total product lifecycle;
  3. Establish procedures for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities and exploits;
  4. Provide reasonable assurance that devices and related systems are cybersecure.

(b) Scope

  1. These requirements apply to all cyber devices as defined in Section 3 of this document.
  2. The requirements became effective March 29, 2023, for all premarket submissions submitted on or after that date.
  3. The FDA's refuse to accept policy for incomplete cybersecurity information became effective October 1, 2023.

Section 3. Definitions

For purposes of this document, the following definitions apply:

(a) Cyber device

A device that:

  1. includes software validated, installed, or authorized by the sponsor as a device or in a device;
  2. has the ability to connect to the internet; and
  3. contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

(b) Cybersecure

The state of a device and related systems having adequate protection against unauthorized access, modification, or disruption that could compromise safety, effectiveness, or security of the device or the data it processes.

(c) Secure Product Development Framework (SPDF)

A set of processes that reduce the number of potentially exploitable weaknesses in a device's software and establish design and development processes that meet cybersecurity requirements.

(d) Software Bill of Materials (SBOM)

A comprehensive list that includes commercial, open-source, and off-the-shelf software components contained in the device software.

(e) Coordinated vulnerability disclosure

A process for receiving information about potential cybersecurity vulnerabilities in devices from security researchers and other stakeholders and coordinating remediation and public disclosure.

(f) Related systems

Any software, hardware, or network components that could affect or be affected by the cybersecurity of the medical device.

Section 4. Premarket Submission Requirements

(a) General requirements

Under Section 524B of the FD&C Act and related FDA guidance, premarket applications or submissions for a cyber device must include information sufficient to demonstrate that the device meets all cybersecurity requirements specified in this section.

(b) Required cybersecurity documentation

Each premarket submission for a cyber device must include:

  1. Cybersecurity management plan
    1. A plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time;
    2. Coordinated vulnerability disclosure procedures and related processes;
    3. Procedures for security patch management and software updates.
  2. Security risk management documentation
    1. A security risk assessment identifying potential vulnerabilities, threats, and mitigations;
    2. A threat model analyzing reasonably foreseeable cybersecurity risks;
    3. Documentation of security controls implemented to address identified risks;
    4. Evidence that security controls have been tested and validated.
  3. Software Bill of Materials (SBOM)
    1. A comprehensive listing of all commercial software components;
    2. Identification of all open-source software components;
    3. Documentation of all off-the-shelf software components;
    4. Version information and known vulnerabilities for each component.
  4. Security architecture documentation
    1. System diagrams showing all communication pathways and interfaces;
    2. Authentication and authorization mechanisms;
    3. Data encryption methods for data at rest and in transit;
    4. Security event logging and detection capabilities.
  5. Cybersecurity testing documentation
    1. Results of vulnerability scanning and assessment;
    2. Penetration testing results, where applicable;
    3. Static and dynamic code analysis results;
    4. Third-party security assessment reports, if available.

(c) Design and development requirements

Manufacturers shall design, develop, and maintain processes and procedures to:

  1. Provide reasonable assurance that the device and related systems are cybersecure;
  2. Implement security by design principles throughout the product development lifecycle;
  3. Establish and maintain configuration management and change control procedures;
  4. Ensure secure software development practices are followed.

Section 5. Postmarket Cybersecurity Maintenance

(a) Update and patch management

Note: Under Section 524B and FDA guidance, manufacturers must maintain processes to monitor, identify, and address vulnerabilities and should provide updates and patches, including out-of-cycle fixes for critical vulnerabilities.

Manufacturers shall make available postmarket updates and patches to address:

  1. Regular cycle updates
    1. Known unacceptable vulnerabilities on a reasonably justified regular cycle;
    2. Routine security improvements and enhancements;
    3. Updates to third-party software components.
  2. Emergency updates
    1. Critical vulnerabilities that could cause uncontrolled risks as soon as possible out of cycle;
    2. Actively exploited vulnerabilities;
    3. Vulnerabilities that could result in patient harm.

(b) Vulnerability monitoring and disclosure

  1. Manufacturers shall establish procedures for continuous monitoring of cybersecurity vulnerabilities;
  2. A coordinated vulnerability disclosure policy shall be maintained and publicly accessible;
  3. Vulnerabilities shall be assessed for risk and addressed according to severity;
  4. Communication plans shall be established for notifying users of significant vulnerabilities.

(c) Incident response

Manufacturers shall maintain capabilities for:

  1. Detection and analysis of security incidents;
  2. Containment and remediation of security breaches;
  3. Recovery and restoration of device functionality;
  4. Documentation and reporting of significant cybersecurity incidents.

Section 6. Manufacturer Responsibilities and Reporting

(a) Quality system integration

Cybersecurity requirements shall be integrated into the manufacturer's quality system, including:

  1. Design controls addressing cybersecurity risks;
  2. Risk management procedures incorporating cybersecurity considerations;
  3. Validation and verification activities for security controls;
  4. Change control procedures for security-related modifications.

(b) Labeling requirements

Device labeling shall include:

  1. Instructions for users regarding secure configuration and use;
  2. Description of security features and their proper use;
  3. Information about device interfaces and communication capabilities;
  4. Recommended cybersecurity controls for the use environment.

(c) Documentation maintenance

Manufacturers shall maintain:

  1. Current security risk assessments;
  2. Records of vulnerability assessments and remediation;
  3. Documentation of security testing performed;
  4. Records of security-related complaints and adverse events.

(d) End-of-support planning

  1. Manufacturers shall provide advance notice of software end-of-support dates;
  2. Plans for device decommissioning and secure disposal shall be provided;
  3. Options for continued security support or device replacement shall be communicated.

Section 7. FDA Oversight and Enforcement

(a) Premarket review

  1. FDA will evaluate whether submissions contain required cybersecurity information;
  2. Submissions lacking required information may be subject to refuse to accept decisions;
  3. FDA will assess whether there is reasonable assurance of device cybersecurity.

(b) Refuse to accept policy

  1. Effective dates
    1. Requirements became effective March 29, 2023;
    2. FDA refrained from issuing refuse to accept decisions solely for cybersecurity reasons before October 1, 2023;
    3. Beginning October 1, 2023, FDA may refuse to accept submissions lacking required cybersecurity information.
  2. Exceptions
    1. Applications or submissions submitted before March 29, 2023, are not subject to these requirements;
    2. FDA may work collaboratively with sponsors during the review process to address deficiencies.

(c) Postmarket surveillance

  1. FDA may request additional cybersecurity information for marketed devices;
  2. Manufacturers shall report cybersecurity vulnerabilities that may impact device safety or effectiveness;
  3. FDA may require corrective actions for inadequately addressed cybersecurity risks.

(d) Exemptions

The Secretary may identify devices, or categories or types of devices, that are exempt from these cybersecurity requirements. Any such exemptions shall be published in the Federal Register and updated as appropriate.

Section 8. Implementation

(a) Guidance documents

FDA has issued and may periodically update guidance documents to assist manufacturers in meeting these requirements, including:

  1. "Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act" (March 30, 2023);
  2. "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (September 27, 2023, updated June 27, 2025);
  3. Future guidance as determined necessary by the Secretary (check the FDA site for subsequent updates).

(b) Transitional provisions

  1. Devices cleared or approved before March 29, 2023, are not required to retrospectively meet these requirements unless subject to new premarket submissions;
  2. Modifications to existing devices that require premarket notification shall include cybersecurity documentation if the modification impacts cybersecurity.

(c) Pending rulemaking

Implementation of additional requirements under Section 524B(b)(4) of the FD&C Act remains pending further rulemaking. The Secretary may promulgate regulations establishing additional cybersecurity requirements as necessary to ensure devices and related systems are cybersecure.

(d) Comprehensive compliance considerations

Organizations implementing medical device cybersecurity programs should note that compliance with FDA requirements represents only one component of a comprehensive cybersecurity compliance framework. Additional requirements may apply based on:

  • The organization's role (manufacturer, covered entity, business associate, healthcare provider)
  • The type of data processed (ePHI, personally identifiable information, clinical trial data)
  • Geographic markets served (EU MDR, UK MHRA, Health Canada requirements)
  • Contractual obligations with healthcare customers or supply chain partners
  • Industry standards and best practices (NIST Cybersecurity Framework, ISO 27001, IEC 62304)

References

Statutory Authority:

  • 21 U.S.C. § 360n-2 (Section 524B of the FD&C Act) - Ensuring Cybersecurity of Devices
  • Public Law 117-328, Division FF, Title III, § 3305 - Food and Drug Omnibus Reform Act of 2022

FDA Guidance Documents:

  • FDA Guidance: "Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act" (March 30, 2023) - Document No. GUI00007021
  • FDA Guidance: "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (September 27, 2023, updated June 27, 2025) - Docket No. FDA-2021-D-1158

Federal Register Notices:

  • 88 FR 19149 (March 30, 2023) - Refuse to Accept Policy Guidance Availability
  • 88 FR 66459 (September 27, 2023) - Quality System Considerations Guidance Availability
  • 90 FR 27634 (June 27, 2025) - Updated Quality System Considerations Guidance Availability

Related Resources:

  • FDA Cybersecurity Page: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity
  • IMDRF Principles and Practices for Medical Device Cybersecurity (March 2020)
  • IEC 81001-5-1 Health Software and Health IT Systems Safety, Effectiveness and Security

Note: United States federal statutes, regulations, and Federal Register notices are public-domain materials. Third-party standards (e.g., IEC, IMDRF publications) are cited by title only; their full texts may be subject to copyright and licensing.

Important Notice: This document compiles existing statutory requirements and FDA guidance into an eCFR-style format for readability. It is not the official text of the eCFR or of any FDA guidance document. It does not create new regulatory requirements beyond those established in 21 U.S.C. § 360n-2 and related FDA guidance. Implementation of certain provisions remains subject to future FDA rulemaking as authorized under Section 524B(b)(4) of the FD&C Act.

Scope of This Compilation:

This document serves as a consolidated reference for FDA medical device cybersecurity requirements, which are currently distributed across multiple statutes and guidance documents. This compilation addresses FDA requirements ONLY.

Additional cybersecurity obligations NOT covered in this document may apply to:

  • Medical Device Manufacturers - May have obligations under state data breach laws, FTC requirements, international regulations (EU MDR, UK MHRA), industry standards (ISO/IEC 27001, IEC 62304), and contractual requirements with healthcare customers.
  • HIPAA Covered Entities - Must comply with the HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) when medical devices process, store, or transmit electronic protected health information (ePHI).
  • Business Associates - Subject to HIPAA Security Rule requirements and Business Associate Agreement obligations when handling ePHI through or in connection with medical devices.
  • Healthcare Delivery Organizations - May have additional requirements under state privacy laws, Joint Commission standards, CMS Conditions of Participation, and cyber insurance policy requirements.

Organizations should conduct comprehensive compliance assessments to identify all applicable cybersecurity requirements beyond those specified in this FDA-focused compilation.