August 5, 2025
The U.S. Food and Drug Administration (FDA) released an updated guidance document in June 2025, titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” replacing the 2023 version. This guidance details expectations for managing cybersecurity risks across the entire lifecycle of medical devices, from design to decommissioning.
What This Means for Medical Device Manufacturers
With medical devices increasingly integrated with networks, hospital systems, and cloud platforms, they face heightened cybersecurity risks. These vulnerabilities can impair device functionality and endanger patient safety. Notable incidents like the WannaCry ransomware attack and vulnerabilities such as URGENT/11 and SweynTooth underscore the critical need for robust cybersecurity measures in medical device ecosystems.
Who Is Affected
- Devices with software or programmable logic, whether networked or non-networked
- All FDA premarket submission types, including 510(k), PMA, De Novo, HDE, BLA, and IND
- “Cyber devices,” as defined by section 524B of the FD&C Act (internet-connected devices with software functionality)
- Devices with cybersecurity-relevant functions, even if not subject to a premarket submission
Key Requirements
1. Cybersecurity Integral to Device Safety
Cybersecurity is now a core component of device safety and effectiveness. Compliance with the FDA’s Quality System (QS) regulation mandates incorporating cybersecurity risk management and design controls.
2. Secure Product Development Framework (SPDF)
The FDA recommends adopting an SPDF, a structured set of processes integrated into design, development, and maintenance to reduce vulnerabilities early in the lifecycle.
3. Robust Risk Management
Manufacturers must conduct:
- Threat modeling to identify and mitigate potential attack vectors
- Cybersecurity risk assessments focusing on exploitability, not just likelihood
- Safety and security evaluations for unresolved software anomalies
- Ongoing security risk management, including updates and end-of-life strategies
4. Third-Party Software and SBOMs
A Software Bill of Materials (SBOM) is required to document all software components, particularly third-party and open-source software. The SBOM must detail support status and known vulnerabilities to facilitate timely patches or replacements.
5. Transparency in Labeling
Manufacturers must include cybersecurity features, configurations, and risks in device labeling to enable users to manage risks effectively and ensure safe operation in intended environments.
6. Compliance with FDORA Section 524B
“Cyber devices” must meet additional requirements, including:
- Documented cybersecurity plans and procedures
- Processes to ensure ongoing cybersecurity throughout the device lifecycle
- A machine-readable SBOM
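The SBOM requirements in points 4 and 6 above (document every component, its support status and its known vulnerabilities in machine-readable form, so that patches or replacements can be planned) can be checked mechanically. The following is an added example, not from the guidance or from AssurX: it reads a constructed, deliberately simplified JSON SBOM (not a real standard's schema, not a real device's inventory) and assigns each component an action; field names and the vulnerability IDs are placeholders.

```python
import json

# Constructed sample SBOM: each component carries its support status and any
# known vulnerabilities. The last entry is missing fields on purpose.
SAMPLE_SBOM = json.dumps({
    "device": "example-device-firmware (constructed)",
    "components": [
        {"name": "libfoo-tls", "version": "3.1.2", "supplier": "ExampleCo",
         "support_status": "supported", "known_vulnerabilities": []},
        {"name": "legacy-rtos", "version": "6.2", "supplier": "ExampleRTOS",
         "support_status": "end-of-life",
         "known_vulnerabilities": ["PLACEHOLDER-VULN-ID-1"]},
        {"name": "json-parser", "version": "1.0.9", "supplier": "ExampleLib",
         "support_status": "supported",
         "known_vulnerabilities": ["PLACEHOLDER-VULN-ID-2"]},
        {"name": "bootloader", "version": "0.4"},
    ],
})

# Fields every component record must carry before it can be assessed
# (assumed field names for this constructed format).
REQUIRED = ("name", "version", "supplier", "support_status", "known_vulnerabilities")


def assess_sbom(sbom_json):
    """Map each component to one action: 'ok', 'patch', 'replace' or
    'incomplete' (record lacks the data needed to assess it)."""
    sbom = json.loads(sbom_json)
    actions = {}
    for comp in sbom["components"]:
        key = f"{comp.get('name')}@{comp.get('version')}"
        if any(field not in comp for field in REQUIRED):
            actions[key] = "incomplete"   # documentation gap, cannot assess
        elif comp["support_status"] != "supported":
            actions[key] = "replace"      # no upstream fixes will arrive
        elif comp["known_vulnerabilities"]:
            actions[key] = "patch"        # supported, fix can be obtained
        else:
            actions[key] = "ok"
    return actions


if __name__ == "__main__":
    for component, action in assess_sbom(SAMPLE_SBOM).items():
        print(f"{component:22} {action}")
```

Components marked "incomplete" are the ones a reviewer would send back before the submission, since the SBOM cannot support patch planning without them.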
7. Security Architecture
Manufacturers must document the device’s security architecture, covering authentication, encryption, data integrity, logging, and update mechanisms. Security controls should be integrated into the design, not added as an afterthought.
8. Testing and Metrics
Premarket submissions must include results from penetration testing, fuzz testing, and static/dynamic code analysis. Manufacturers should track metrics such as patch deployment timelines and defect density to demonstrate cybersecurity robustness.
How AssurX Helps Manufacturers Meet These Requirements
AssurX enables manufacturers to operationalize the FDA’s 2025 cybersecurity guidance without adding disparate tools or disrupting existing processes. Our cloud-based eQMS embeds cybersecurity best practices into all of our solutions, including Design Control, Risk Management, and Adverse Event Reporting workflows. Our platform captures threat information and security requirements in DHF artifacts, launches Change Control or CAPA workflows when vulnerabilities surface, and more. It also maintains robust audit trails with electronic signatures, making objective evidence readily available for auditors.
Conclusion
The FDA’s 2025 cybersecurity guidance marks a significant step in addressing the evolving digital threats to medical devices. By linking cybersecurity directly to device safety and effectiveness, the FDA emphasizes a proactive, transparent, and systematic approach. Manufacturers must embed cybersecurity into every stage of the device lifecycle to safeguard patients and healthcare systems from emerging risks.
About the Author
Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.