
FDA Tightens Oversight of Cybersecurity in New Guidance

Recent security breaches at healthcare institutions have amplified the U.S. government’s concerns over cybersecurity, a fact reflected in the FDA’s most recent guidance on the subject. The June 2025 FDA guidance was issued pursuant to the Consolidated Appropriations Act, 2023, which gives the agency much more exhaustive compliance and enforcement authority over cybersecurity.


As described by the FDA, Section 3305 of the Consolidated Appropriations Act 2023 gave the agency express authority to require cybersecurity features in medical devices, which had previously been largely voluntary. While the effect on FDA oversight was not retroactive, the agency was authorized as of March 29, 2023, to reject a premarket application based on any perceived deficiencies in the application’s cybersecurity provisions.

The FDA had exercised enforcement discretion for these requirements for premarket applications over the first six months after the March 29, 2023, effective date. However, manufacturers may have received refuse-to-accept letters for their applications related to cybersecurity issues as of October 2023. Section 3305 gave the FDA authority to require cybersecurity features as part of the Quality System Regulation (QSR), which suggests that device manufacturing facility inspections will include a review of cybersecurity features for medical devices, a significant change from the historical scope of inspections.

Devices and device combination products overseen by both the Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER) are within the scope of the guidance. In addition to 510(k), PMA, and de novo filings, the guidance applies to investigational device exemptions as well as biologics license applications and investigational new drug submissions when part of a combination product.

The guidance emphasizes the need to ensure robust cybersecurity across the total product life cycle (TPLC) and recommends the use of a Secure Product Development Framework (SPDF) to meet this requirement. The guidance describes an SPDF as a series of processes that identify and reduce the number and severity of vulnerabilities inherent to a product’s design and features.

The guidance is not prescriptive about the exact structure of an SPDF other than that it should encompass the entire TPLC, including device decommissioning. The FDA stated that an SPDF serves to ensure that the requirements of the QSR have been met in a premarket application, although the agency will consider other approaches.

The FDA stated that cybersecurity risk management is not well served by ISO 14971, the widely used risk management standard for medical devices. The agency’s rationale is that the ISO standard is a safety risk management tool, whereas cybersecurity requires an assessment of the potential for indirect harm to patients. Cybersecurity lapses may also create reputational and/or business risk. Additionally, cybersecurity risks are seen as falling outside the probabilistic nature of the types of risks ISO 14971 was designed to address.

Device manufacturers should also bear in mind that the replacement for the QSR, the Quality Management System Regulation (QMSR), will become effective in February 2026. While the overarching themes of the two regulations are largely the same, the QMSR adopts critical provisions of the ISO standard related to inspections. Among these is that documents related to management reviews and internal audits will be subject to scrutiny in FDA inspections, another reason device manufacturers must be prepared to incorporate cybersecurity features into device design at the earliest stages.


Copyright © 2025 - Medmarc
