What Information FDA is Expecting for Cyber Devices?


In an era where medical devices are increasingly interconnected and reliant on software, cybersecurity has become a critical component of healthcare. The FDA recognizes the importance of cybersecurity in protecting public health and ensuring the safety and effectiveness of medical devices. To address these concerns, the FDA has outlined specific cybersecurity information needs for medical device manufacturers in Final guidance Cybersecurity in Medical Devices (September 26, 2023).

Understanding the FDA’s Role in Cybersecurity

The FDA is responsible for regulating medical devices to ensure they are safe and effective for use. With the growing integration of digital technologies in medical devices, the FDA’s oversight was expanded to include cybersecurity. This includes assessing the cybersecurity risks of devices during the premarket review process to determine if the manufacturer has provided a reasonable assurance that cybersecurity concerns have been adequately addressed, and monitoring for vulnerabilities post-market will be in place.

Here are the critical components manufacturers must address:

1. Architecture Security Views
Global System View

Manufacturers must provide a comprehensive overview of the device’s architecture, including how it interacts with other systems. This global system view should highlight:

  • Network interfaces and communication pathways.
  • Data flow between components and external systems.
  • Potential entry points for cyber threats.
Multi-Patient Harm View

The multi-patient harm view focuses on the potential impact of cybersecurity threats on multiple patients. This includes:

  • Assessing scenarios where a single cyber incident could affect multiple patients.
  • Identifying critical vulnerabilities that could lead to widespread harm.
  • Implementing safeguards to mitigate such risks.
Updatability and Patchability View

This view addresses the device’s capability to be updated and patched throughout its lifecycle. Manufacturers should detail:

  • The process for delivering updates and patches.
  • Mechanisms to ensure updates do not compromise device functionality.
  • Strategies to minimize downtime and disruption during updates.
Additional Security Views

Other security views may include:

  • Access Control View: Describing how access to the device and its data is controlled and monitored.
  • Data Integrity View: Ensuring that data stored, processed, and transmitted by the device remains accurate and unaltered.
2. Threat Modeling
Data Flow Diagrams

Threat modeling involves identifying potential threats to the device by mapping out data flows. Data flow diagrams should:

  • Illustrate how data moves through the system.
  • Highlight points where data may be vulnerable to unauthorized access or modification.
  • Serve as a basis for identifying and mitigating threats.
3. Threat Analysis
Non-probabilistic Scoring

The Common Vulnerability Scoring System (CVSS) or similar, is used to evaluate the severity of vulnerabilities. Manufacturers should:

  • Assign non-probabilistic scores to identified vulnerabilities.
  • Prioritize mitigation efforts based on the severity of these scores.
  • Continuously reassess vulnerabilities as new threats emerge.

Effective mitigation strategies are essential for addressing identified vulnerabilities. This includes:

  • Implementing technical controls, such as encryption and authentication.
  • Developing response plans for potential cybersecurity incidents.
  • Regularly updating security measures based on new threat information.
4. Management Plans
Device Update

Manufacturers must have a robust update management plan that ensures:

  • Timely deployment of security patches and updates.
  • Clear communication with users about the importance of updates.
  • Procedures to verify the successful application of updates.
Response to incidents

A well-defined response plan is crucial for addressing cybersecurity incidents. This plan should include:

  • Steps for identifying and assessing incidents.
  • Procedures for containing and mitigating the impact of incidents.
  • Communication protocols with stakeholders, including the FDA and affected users.
5. Testing Results
Penetration Testing

Penetration testing involves simulating cyber attacks to identify vulnerabilities. Manufacturers should:

  • Conduct regular penetration tests.
  • Document the findings and remediation efforts.
  • Use the results to strengthen security measures.
Fuzz Testing

Fuzz testing involves inputting random data to find vulnerabilities. Key aspects include:

  • Identifying potential points of failure.
  • Evaluating the device’s response to unexpected inputs.
  • Using the results to improve the device’s robustness.

Other testing as appropriate.

6. Software Bill of Materials (SBOM)

Software bill of materials for all software that is part of the medical device.  These SBOM’s should be machine readable and follow a standard format.

Vulnerability Analysis

Vulnerabilities in third-party software components should be analyzed:

  • Determine impact on the medical device and provide any necessary mitigation.
  • Ensure third-party vendors provide timely security updates.
Support Expectation for Third-Party

Manufacturers must outline their expectations for third-party software support, including:

  • Commitments from vendors to provide updates and patches.
  • Processes for integrating third-party updates into the device.
  • Contingency plans for unsupported third-party components.
7. Monitoring and Incident Reporting
Analysis of Incidents

Continuous monitoring and analysis of cybersecurity incidents are vital. This involves:

  • Collecting and analyzing data on security incidents.
  • Identifying trends and patterns in incidents.
  • Using insights to improve device security.
Metrics to gauge effectiveness

Developing metrics to measure the effectiveness of cybersecurity efforts is crucial. Key metrics might include:

  • Number and severity of identified vulnerabilities.
  • Time taken to deploy updates and patches.
  • Frequency and impact of cybersecurity incidents.
Product Update Cycles

Manufacturers should establish regular product update cycles, ensuring:

  • Consistent and timely updates to address new threats.
  • Communication with users about upcoming updates.
  • Minimization of disruption during the update process.
The Implications for Manufacturers and Healthcare Providers

Adhering to the FDA’s cybersecurity information needs is crucial for manufacturers to ensure their devices are secure and compliant with regulatory requirements. By integrating cybersecurity into the entire lifecycle of a medical device, manufacturers can protect patient safety, maintain trust, and reduce the risk of costly recalls and legal issues.


As medical devices become more interconnected and reliant on digital technologies, cybersecurity will continue to be a top priority for the FDA and the healthcare industry. By addressing the FDA’s cybersecurity information needs, manufacturers can ensure their devices are secure, effective, and capable of protecting patient health in an increasingly digital world.

Bold Type is here to help whether you need a secure software development partner or just a consultant to help ensure your system is secure and will meet FDA’s latest requirements. Reach out at [email protected] to set up a quick chat.


Ensuring Secure Software Updates for Medical Devices


While remote software updates for medical devices have traditionally been seen as a convenient feature, the FDA now emphasizes their crucial role in safeguarding against discovered cybersecurity vulnerabilities. However, it’s imperative that these updates themselves are secure; otherwise, they become potential avenues for cyber attacks.

Differentiating Secure from Insecure Software Updates:

The journey towards a secure update begins with a fundamental capability known as ‘secure boot’. This hardware-based feature ensures that only authorized software runs during device startup. It’s paramount that no mechanism, whether in hardware or software, undermines this process. Despite processor manufacturers often including ‘back door’ access for development purposes, these must be disabled in production for genuine security. The software executed during boot-up is typically stored internally within the processor, safeguarding it against modifications. While it’s feasible to store boot software externally, verifying its authenticity poses challenges in smaller systems. The selection of cryptographic authentication methods is pivotal and may hinge on available hardware and software.

By combining secure boot hardware with trusted boot software, a cryptographic root of trust is established on the processor. This setup guarantees that the device powers up securely each time, allowing validation of the main software application before execution.

Steps for Secure Updates:

  1. Downloading from a Trusted Source: Initiating an update process begins with downloading the update from a trusted remote source. Authentication of this source is critical and can be achieved through cryptographic means, utilizing pre-provisioned information and identity details from the source. Commonly, X509 certificates are utilized to provide attestation information.
  2. Verification of the Update: Upon downloading, the update undergoes cryptographic verification to ensure its trustworthiness. This involves computing a cryptographic hash of the update and validating it against a provided cryptographic signature from the software builder, ensuring it was produced by a trusted source.
  3. Application of the Update: Once verified, the trusted update is applied to the device, either replacing the existing software or patching it. The new software is treated to ensure trustworthiness in subsequent power-up cycles, often involving the computation of a cryptographic hash and secure storage of this hash for future verification.

This framework guarantees that only trusted software is executed, ensuring the system remains secure throughout the update process. While additional considerations such as fallback mechanisms and encryption methods are important, they build upon the robust foundation established here.

At BoldType, we have decades of experience in developing and deploying secure remote software update mechanisms. Let us assist you in implementing a secure update mechanism for your next product, ensuring all software updates are executed safely and securely.


New Cybersecurity Regulations Make Remote Software Updates Practically Mandatory


A startup recently shared with us that they were considering incorporating remote software updates into their medical device. They knew this feature would add a lot of value, but were leaning against it for fear it would create barriers to FDA approval due to cybersecurity concerns. This is a natural concern, especially given the major changes around cybersecurity that have happened at FDA in the last year. We would argue, however, that remote software updates are no longer optional precisely because of FDA’s increased scrutiny on cybersecurity. 

First, a quick history. FDA has recognized the importance of cybersecurity for more than a decade. In 2014 and 2016, they finalized guidance documents on cybersecurity information in pre-market submissions and post market management of cybersecurity. While FDA technically did not have statutory authority to require cybersecurity information, they understandably argued that cybersecurity is key to device safety, and therefore in their purview. Medical device manufacturers were expected to include a cybersecurity file with basic risk analyses, but the bar was not particularly high; especially for low risk devices. 

Everything changed in 2023, however, when the Food and Drug Omnibus Reform Act (FDORA) codified new statutory authority for the FDA to require cybersecurity information and post-market monitoring for cybersecurity vulnerabilities. Section 524B of the Federal Food, Drug and Cosmetic (FD&C) Act now requires specific cybersecurity information for all “cyber devices” and detailed plans on how vulnerabilities will be handled post-market. Now you might be thinking, “yeah, but my device is not a cyber device.” Think again. 

Here is how the FD&C Act defines a cyber device: 

DEFINITION.—In this section, the term ‘cyber device’ means a device that—

(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

(2) has the ability to connect to the internet; and

(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

Now you might be thinking, “Cool, so long as my device doesn’t connect to the internet, it’s not a cyber device.” Not so fast. FDA probably heard this once or twice and decided to provide some additional clarification in their March 2024 draft guidance Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act. Here it their clarification verbatim: 

FDA considers devices that include any of the following features to have the ability to connect to the internet. The list below is illustrative, not exhaustive:

  • Wi-Fi or cellular;
  • Network, server, or Cloud Service Provider connections;
  • Bluetooth or Bluetooth Low Energy;
  • Radiofrequency communications;
  • Inductive communications; and
  • Hardware connectors capable of connecting to the internet (e.g., USB, ethernet, serial port).

Did you pick up on that last line? FDA is saying, if you incorporate any means of wireless or wired communication in your device, it’s a cyber device!

So what does that have to do with remote software updates? Well, section 524(b)(1) of the FD&C Act requires plans that describe “the timeline, with associated justifications, to develop and release required updates and patches.” Again, verbatim from the guidance: 

  • Section 524B(b)(2)(A) of the FD&C Act requires manufacturers of cyber devices to make updates and patches for known unacceptable vulnerabilities available on a reasonably justified regular cycle.
  • Section 524B(b)(2)(B) of the FD&C Act requires manufacturers of cyber devices to make available updates and patches to the device and related systems to address as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.

Now you tell me: how are you going to “make updates and patches” to your cyber device without remote software updates? Will you execute a physical device recall? Is the plan to send a technician around with a thumb drive? Putting aside the cost and reputational damage to either of these approaches, it probably won’t fly with FDA anyway. Notice the language: “the FD&C Act requires manufacturers of cyber devices to make available updates and patches to the device and related systems to address as soon as possible out of cycle..” 

The bottom line is that FDA just raised the cybersecurity bar substantially when it comes to medical devices that incorporate software and any conceivable means of external access. You’re not going to be able to get away with simple rationales of why your device is low risk or why it is not a cyber device. Chances are that (a) your device is a cyber device, (b) you need to make sure cyber security risks are managed, and (c) you need a means to update it remotely once fielded. 

Now here is the good news: First, ensuring the cybersecurity of your device is not just a good idea because FDA is forcing you to; it’s the right thing to do and it’s the smart thing to do. Second, it’s not just a cybersecurity issue. You may find a software anomaly that impacts your device’s safety and be forced to issue a recall if you don’t have remote software update capabilities. Third, data is gold. Avoiding cloud connectivity out of cybersecurity fear robs you of the tremendous value that comes from generating and accessing all sorts of data that increase your enterprise value.  And finally, implementing secure remote software updates (and cloud connectivity in general) is challenging, but it’s not rocket science. You just have to make sure it is truly secure. In our next blog, we’ll explain precisely how to do that. 

Bold Type is here to help whether you need a secure software development partner or just a consultant to help ensure your system is secure and will meet FDA’s latest requirements. Reach out at [email protected] to set up a quick chat.