March 18, 2026
By Sarah Fitzgerald
Medical device regulators around the world are encouraging coordination and regulatory consistency. From a high level, virtually all medical device regulators take a risk-based approach and require that the benefits of the medical device outweigh the risks before authorization. However, detailed expectations are not yet consistent. The United States (U.S.) Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) has three main areas with expectations that are usually significantly different from most other regions of the world. These areas are biocompatibility,reprocessing (cleaning, disinfection, and/or sterilization), and cybersecurity.
Background on cybersecurity
Cybersecurity is the ability of a product to resist unauthorized access, use, and/or damage of electronic data and the measures taken to achieve this ability. A cybersecurity attack could allow the hacker to access protected health information (PHI), block legitimate access to information, alter stored information, prevent software from working (denial of service) or change how software works. This can result in a device not working at all, including potentially stopping in the middle of an action, or acting inappropriately. This can lead to a wide range of safety, effectiveness and confidentiality concerns.
The National Institute of Standards and Technology (NIST) provides a framework for considering cybersecurity, which emphasizes risk management. Various organizations have worked on providing expectations related to cybersecurity, generally that build on the NIST framework directly or indirectly. The table below provides an overview of these potential standards. Note that cybersecurity is a field that currently has many overlapping and sometimes competing standards and no company or product is expected to comply with all of these standards. Some are more focused on the individual medical device and some are more focused on the overall interconnected health system that a medical device integrates into, especially for software as a medical device (SaMD).
Table 1. Cybersecurity Standards
Standard | Standard Title |
|---|---|
| AAMI TIR 57 | Principles for medical device security – Risk management |
| AAMI TIR 97 | Principles for medical device security – Postmarket risk management for device manufacturers |
| ANSI/AAMI SW 96 | Standard for Medical Device Security – Security Risk Management for Device Manufacturers |
| ANSI/UL 2900-1 | Standard for Safety, Software Cybersecurity for Network-Connected Products, Part 1: General Requirements |
| ANSI/UL 2900-2-1 | Standard for Safety, Software Cybersecurity for Network-Connected Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems |
| IEC 80001-1 | Application of risk management for IT-networks incorporating medical devices – Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software |
| IEC TR 80001-2-2 | Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the communication of medical device security needs, risks and controls |
| IEC TR 80001-2-5 | Application of risk management for IT-networks incorporating medical devices – Part 2-5: Guidance on distributed alarm systems |
| ANSI/AAMI/ISO TIR 80001-2-6 | Application of risk management for IT-networks incorporating medical devices – Part 2-6: Application guidance – Guidance for responsibility agreements |
| IEC TR 80001-2-8 | Application of risk management for IT-networks incorporating medical devices – Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2 |
| IEC TR 80001-2-9 | Application of risk management for IT-networks incorporating medical devices – Part 2-9: Application Guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities |
| IEC 81001-5-1 | Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle |
| ANSI/AAMI 2700-1 | Medical Devices and Medical Systems – Essential safety requirements for equipment comprising the patient-centric integrated clinical environment (ICE) – Part 1: General requirements and conceptual model |
| ANSI/AAMI 2700-2-1 | Medical Devices and Medical Systems – Essential safety requirements for equipment comprising the patient-centric integrated clinical environment (ICE) – Part 2-1: Particular requirements for forensic data logging |
| FIRST CVSS | Common Vulnerability Scoring System |
Although not a standard, the Medical Device and Health IT Joint Security Plan (JSP) provides a reference guide for utilizing a total product lifecycle approach and should also be considered.
Overview of cybersecurity and regulators
Regulators generally want to ensure that cybersecurity is considered throughout the life cycle of a medical device and is aligned with the risk of the device and any special risks related to cybersecurity.
Risk management for cybersecurity includes additional considerations as compared to ISO 14971, which is used for most medical device risk management. Per ISO 14971, a company needs to consider the hazards, the probability that a hazard occurs, and the severity if that hazard was to occur. In cybersecurity risk management, additional topics need to be considered. Assets (information) that the software utilizes and/or stores need to be identified, potential threat actors need to be considered (who would want to access that information), and potential access based on the environments where the device may be available all need to be considered. These feed into the likelihood that an attack would occur and is considered the threat model. Additionally, risks should include not only hazards to the user and/or patient, but also exposure of PHI. AAMI TIR 57 and ANSI/AAMI SW 96 provide detailed information on risk management in relationship to cybersecurity.
In general, some amount of validation is expected by regulators, with the exact requirements depending on the overall risk based on the device intended use and design. Authenticity (including integrity), authorization, availability and confidentiality should all be considered. For testing, frequently a minimum of code analysis, vulnerability scanning and penetration testing is considered necessary.
Cybersecurity and the US FDA versus other regulators
As with all medical device regulators, the US FDA is focused primarily on safety and effectiveness of the device. They consider cybersecurity a critical aspect for consideration. However, there are two main differences related to U.S. FDA expectations. First, they consider additional devices to need detailed cybersecurity assessments while most regulators need only basic information on controls for many devices. Second, the FDA generally needs additional analysis, testing, and post-market plans for addressing cybersecurity information as compared to most regulators. These are discussed in more detail below.
Devices Requiring Cybersecurity Information
The biggest difference in cybersecurity expectations for the U.S .FDA versus other medical device regulators is not the information expected but rather what is considered a device which needs to be evaluated in relationship to cybersecurity.
Most medical device regulators require cybersecurity assessment for any device that is intended to or easily could be connected to a network. However, devices that have features like USB ports intended for service only that have controls to prevent it from being easily connected to a network (such as authentication keys or a physical port that requires special tools to remove for access) are often considered to have fully addressed cybersecurity requirements. The FDA requires that any device that has the potential to connect to a network, even if it is not intended to do so and has controls that minimize the possibility of such a connection, to be thoroughly analyzed and tested to demonstrate cybersecurity. Therefore, the FDA requires cybersecurity information from more devices than do most medical device regulators.
Cybersecurity Information Required
The FDA has published three main guidance documents that address the topic of cybersecurity. One deals with the use of off-the-shelf (OTS) software in medical devices, another provides cybersecurity expectations primarily for bringing a device to market but also emphasizing that a total product life cycle (TPLC) should be utilized, and the third provides cybersecurity expectations for postmarket management of cybersecurity. Other guidance documents, such as evaluating software changes for if a new 510(k) is needed, include some information related to cybersecurity in specific circumstances.
Technically, a company only needs to comply with the relevant guidance documents for cybersecurity. However, the FDA both references and completely recognizes AAMI TIR 57 and ANSI/AAMI SW 96 as standards for assessing risk related to cybersecurity, and these should be strongly considered. Additionally, the FDA either completely or partially recognizes a number of additional standards related to cybersecurity, as noted in Table 1. Depending on the overall risk based on the device intended use and design, utilization of additional standards may be helpful to demonstrate the cybersecurity of a device.
In general, the FDA wants significantly more information in relationship to cybersecurity than is considered necessary by most other medical device regulators. The following table provides general FDA expectations for premarket submissions like 510(k)s. Additionally, the FDA has specific expectations on cybersecurity information to be included in labeling for such devices which should be carefully considered and which the FDA will review as part of a premarket submission review.
Table 2. Cybersecurity Information to be Included
Information | Notes |
|---|---|
| Cybersecurity Risk Management Assessment and Report | This should include traceability from the threat model to the SBOM to the testing documentation. |
| Threat Model | Refer to AAMI TIR 57 and ANSI/AAMI SW 96 |
| Software Bill of Materials (SBOM) | Indicates all software used, including software name, supplier name / alias, version, software level of support, component / cryptographic hash, unique identifier, relationship (something included in something else). |
| Vulnerability Assessment and Software Support | Identify any known vulnerabilities or state that there are none. Ensure each known vulnerability is assessed for risk and implement controls if necessary. |
| Interoperable Device Analysis | Ensure that interoperable devices, including their interfaces, are appropriately considered |
| Third Party Software Controls Established | All third party software, including OTS software, needs to be carefully considered. |
| Unresolved Anomalies Assessment | Should focus on risk. |
| Architecture Views | Global, Multi-Patient, Updateability / Patchability, Security Use Case Views required. Should consider interfaces, interconnections, and interactions with external entities. |
| Cybersecurity Controls | Include or otherwise address: authentication, authorization, cryptography, integrity, confidentiality, event detection and logging, resiliency and recovery, and updateability and patchability. Acceptance criteria are determined for these controls. |
| Testing and/or Analysis | Expected to include:
|
| Cybersecurity Management Plans | Plans to address cybersecurity throughout the product lifecycle, including:
|
FDA versus Other Regulator Expectations Discussion
To summarize, the FDA is generally considered to have the broadest expectations for which devices require cybersecurity information and the most stringent expectations for what information needs to be included to demonstrate adequate cybersecurity.
Therefore, even if a device has already been authorized by other regulators, the FDA may require significant additional cybersecurity assessment and/or testing to satisfy their requirements. This can be challenging for manufacturers to understand initially and can jeopardize submissions as the FDA only allows a limited time to respond.
Minimizing the risk of the FDA not accepting cybersecurity
There are a few manners to minimize the risk that the FDA will not accept the cybersecurity evaluation and testing provided.
First, a manufacturer should carefully consider whether their device requires cybersecurity assessment in alignment with FDA guidance documents. In most cases where a device utilizes software, full cybersecurity assessment is necessary.
Second, if a manufacturer has questions related to the acceptability of their data, even data that has been accepted by other regulators as sufficient to address cybersecurity, they may wish to consider formally reaching out to the FDA via a Q-submission to obtain FDA feedback. It is important to note that a Q-submission is not intended to be a pre-review of a submission, but it is acceptable to summarize evaluation and testing and ask for FDA feedback.
Concluding remarks
Cybersecurity is one of the three main areas where the FDA frequently has expectations that do not align with the expectations of other regulators and where even if a device has already been accepted in other regions, additional evaluation and testing may be necessary. Manufacturers should carefully consider cybersecurity before making a premarket submission to reduce the chance of the submission being rejected by the FDA.
Request more information from our specialists
Thanks for your interest in our products and services. Let's collect some information so we can connect you with the right person.