

Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)

This page provides answers to frequently asked questions (FAQs) related to cybersecurity in medical devices.

On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus—"Ensuring Cybersecurity of Medical Devices"—amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. The information provided on this page may be useful for sponsors in preparing their premarket submissions.

A: Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission—including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE)—for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b). This includes Special and Abbreviated 510(k) applications as well as PMA and HDE supplements.

A: Section 524B(c) of the FD&C Act defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.

A: As provided by the Omnibus, the cybersecurity requirements do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before March 29, 2023. If a cyber device was previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law would apply for the new premarket submission.

A: Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. The requirements in section 524B(b) of the FD&C Act are:

  • Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
  • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure. See FAQs 6 through 9 for additional details on ways manufacturers might demonstrate that their devices are cybersecure.

A: Manufacturers of cyber devices are required to submit this information starting March 29, 2023, in premarket submissions including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE). This includes Abbreviated and Special 510(k) submissions and PMA/HDE supplements. Premarket submissions that were received prior to March 29, 2023, and are under review or currently on hold are not subject to these requirements.

The final guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" does not supersede the previously issued guidance "Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems"; however, the policy in the latter guidance expired on October 1, 2023. Beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act.

Additionally, as part of the FDA’s efforts to modernize the 510(k) Program and implement MDUFA V, starting October 1, 2023, all 510(k) submissions, unless exempted, must be submitted as electronic submissions using eSTAR, as noted in the Electronic Submission Template for Medical Device 510(k) Submissions final guidance. For eSTAR submissions, an eSTAR will be put on a Technical Screening hold if it does not contain accurate responses and relevant attachments in the Cybersecurity section of eSTAR.

A: Plans for patches and updates across the total product life cycle (TPLC) are discussed throughout the 2023 guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions". The 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices" discusses cybersecurity routine updates and patches and describes patching in the context of remediating cybersecurity vulnerabilities.