Cybersecurity is no longer a nice-to-have appended to a submission. For connected medical devices it is a gating requirement for FDA clearance and an ongoing post-market obligation.
“Cyber devices” and section 524B
Under section 524B of the Food, Drug, and Cosmetic Act, sponsors of a cyber device (broadly, a device with software that can connect to the internet and could be vulnerable to threats) must include cybersecurity information in their premarket submission. FDA can refuse to accept a submission that does not adequately address it. At minimum, sponsors must:
- Submit a plan to monitor, identify, and address post-market vulnerabilities and exploits, including coordinated disclosure.
- Design, develop, and maintain processes to provide reasonable assurance the device and related systems are cybersecure, and make updates and patches available.
- Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.
Pre-market: build security into design
FDA expects security to be engineered in, not bolted on:
- Threat modeling during design to identify assets, attack surfaces, and mitigations.
- Security risk management integrated with the ISO 14971 process.
- SBOM generation and management, consistent with IEC 62304 software lifecycle practices.
- Security testing (e.g., vulnerability scanning, penetration testing) as part of design verification.
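The SBOM item above is the one that turns into a concrete artifact, and reviewers (FDA or a hospital procurement team) will look for whether it is complete rather than whether it merely exists. As an added example that is not code from the page or from Sequence Group, the following Python script loads a CycloneDX-style SBOM and reports components that lack the commonly cited minimum elements (supplier, component name, version, a unique identifier, recorded dependency relationships, SBOM author and timestamp). The JSON field names follow the CycloneDX 1.5 layout; the component names, versions and identifiers are constructed for this example and do not describe any real device.

```python
import json
from typing import Any

# Constructed sample SBOM in CycloneDX 1.5 JSON layout. Field names follow the
# CycloneDX spec; every value (product, libraries, versions, purls) is made up.
# "lib-json" is deliberately incomplete and "lib-missing" is referenced but never
# declared, so the checker has something to flag.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-01-15T10:00:00Z",
    "authors": [{"name": "Example Device Security Team"}],
    "component": {"bom-ref": "device-fw", "type": "firmware",
                  "name": "example-pump-firmware", "version": "3.2.0"}
  },
  "components": [
    {"bom-ref": "lib-tls", "type": "library", "name": "example-tls",
     "version": "1.4.2", "supplier": {"name": "Example TLS Project"},
     "purl": "pkg:generic/example-tls@1.4.2"},
    {"bom-ref": "lib-json", "type": "library", "name": "example-json"}
  ],
  "dependencies": [
    {"ref": "device-fw", "dependsOn": ["lib-tls", "lib-json", "lib-missing"]}
  ]
}
"""

# Per-component fields a reviewer expects to see populated for every entry.
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "purl")


def check_sbom(sbom: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the SBOM
    satisfies the minimum-element checks implemented here."""
    findings: list[str] = []

    # SBOM-level metadata: who produced it and when.
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")

    # Collect every declarable reference so dependency edges can be resolved.
    components = sbom.get("components", [])
    refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    root = meta.get("component", {})
    if root.get("bom-ref"):
        refs.add(root["bom-ref"])

    # Per-component minimum elements.
    for comp in components:
        label = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"component {label}: missing {field}")

    # Dependency relationships must exist and must point at declared components.
    deps = sbom.get("dependencies", [])
    if not deps:
        findings.append("dependencies: no dependency relationships recorded")
    for dep in deps:
        for target in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if target not in refs:
                findings.append(f"dependencies: unresolved reference {target}")

    return findings


def check_sbom_json(text: str) -> list[str]:
    """Convenience wrapper: parse JSON text and run the checks."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for finding in check_sbom_json(SAMPLE_SBOM_JSON):
        print(finding)
```

Run against the constructed sample, the script reports that `lib-json` has no version, supplier or purl, and that the firmware declares a dependency on `lib-missing` that the SBOM never describes. Either gap is the kind of thing that stalls a review, so a check like this belongs in the build pipeline that produces the SBOM, not only in a pre-submission audit.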
Post-market: the work continues
Clearance is the start, not the finish. Post-market expectations include vulnerability monitoring, coordinated disclosure procedures, patch and update management, and documentation that keeps the device’s regulatory file current as the threat landscape changes.
Why it matters
Connected devices touch protected health information and clinical workflows. A credible cybersecurity program protects patients, satisfies FDA, and increasingly satisfies hospital procurement and HIPAA obligations at the same time, turning a compliance burden into a trust advantage.
Sequence Group builds medical-device cybersecurity programs (threat modeling, SBOM, security risk management, and pre/post-market documentation) alongside HIPAA compliance. Get in touch.