FDA tightens medical device cybersecurity guidance, setting tougher lifecycle requirements

The Food and Drug Administration has issued updated cybersecurity guidance for medical devices, setting stricter requirements that many existing systems—and the software that runs them—cannot meet without significant redesign. The framework, enacted through the omnibus appropriations legislation known as Section 524B, marks a major shift in how device security is regulated in the United States.
Under the guidance, manufacturers must build security into products across the entire lifecycle. That includes documenting software components, managing vulnerabilities and maintaining secure development processes. The change is pushing healthcare providers, federal agencies and manufacturers to move away from retroactive fixes and toward continuous risk management.
Organizations including the Departments of Health and Human Services and Veterans Affairs, along with the Health Information Sharing and Analysis Center (Health-ISAC), are working to help health systems align with the FDA’s expectations, improve risk visibility and strengthen protections for connected medical infrastructure.
Phil Englert, director of medical device security at Health-ISAC, said the field has evolved from a niche technical concern to a critical pillar of patient safety and operational resilience. In hospital environments, he noted, medical devices make up a relatively small but specialized slice of connected assets.
“Medical devices represent between 5% and 11% of the endpoints, while your Internet of Things and operational technology population represents about 30%,” he said. “The rest are the traditional IT endpoints we’re used to.” With connected devices now central to diagnosis and treatment and generating vast volumes of clinical data, securing them is essential for both data protection and care delivery.
Health-ISAC facilitates threat intelligence sharing, risk analysis and collaboration across the healthcare ecosystem. “We have more than 1,000 member organizations worldwide, with about 12,000 staff involved,” Englert said, describing how the group shares indicators of compromise, threat intelligence and best practices.
The organization also acts as an intermediary, translating technical vulnerabilities into clinical risk terms that providers can act on. “We curate alerts and try to address whether you should care, how much you should care and what you should do about it,” Englert said.
That translation focuses on how a given issue could affect care—whether an attacker could gain root access, change operating parameters, access data or move laterally—so hospitals can make more informed decisions. As the FDA’s guidance takes hold, stakeholders across the healthcare sector are adjusting processes and capabilities to meet the new, lifecycle-oriented expectations and to strengthen the security of connected medical devices.
