A consensus report (CR) on MedTech cybersecurity has been added to the Food and Drug Administration’s (FDA) list of recognized consensus standards. “Cybersecurity Consideration Unique to Machine-Learning Enabled Medical Devices,” AAMI CR515:2025, is one of 31 new entries on the list, which was updated by the US agency on Feb. 19.
CR515 from the Association for the Advancement of Medical Instrumentation (AAMI) “specifically addresses the unique cybersecurity threats associated with developing and deploying machine learning-enabled medical device software, as distinct from the broader cybersecurity risks applicable to all medical device life cycle phases,” the FDA wrote when it officially recognized the document in late December.
Such “unique” threats “can arise from or during data collection, product design, product deployment, product use, and maintenance,” the agency explained.
Although it is a CR rather than a formal standard, the AAMI document was added to the FDA’s standards list because it was “recognized on its scientific and technical merit and/or because it supports existing regulatory policies.”
The agency warned, however, that a device that conforms to CR515 “may not satisfy all the cybersecurity requirements” found in the Federal Food, Drug, and Cosmetic (FD&C) Act or the recommendations found in these FDA final guidance documents:
- Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions
- Postmarket Management of Cybersecurity in Medical Devices
- Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions
The FDA reminded manufacturers that they “should consider the information” in the guidance docs and the FD&C Act “in their assessment of cybersecurity for their device.”
By adding a consensus report to its standards list, the FDA is following OMB A-119 from the US Office of Management and Budget (OMB). That document says a “standard” or “technical standard” includes, among other things, a “common and repeated use of rules, conditions, guidelines, or characteristics for products or related processes and production methods, and related management systems practices.”
Cybersecurity: A Perennial Hot Topic – and Only Getting Hotter
Cybersecurity in medical devices is a perennial hot topic, and even more so now that the US Department of Justice (DOJ) “has been looking at whether companies are incorrectly managing their cybersecurity risks,” according to Jennifer Bragg, a Partner in the Washington, DC, office of the law firm Latham & Watkins, and a former Associate Chief Counsel for Enforcement in the FDA’s Office of Chief Counsel.
“This is something … folks should keep an eye on,” she said during a late January Latham & Watkins webinar on DOJ enforcement priorities. (Related Story: “MedTech Quality, Manufacturing, Cybersecurity in DOJ’s Enforcement Sights in 2026, Industry Attorney Warns,” QualityHub, Feb. 16, 2026.)
Bragg noted that there has been an uptick in DOJ allegations and settlements “involving medical device companies accused of selling medical device software that has cybersecurity vulnerabilities,” pointing out that these resolutions did not include allegations that there had been a cybersecurity breach.
She said these settlements were unusual because they were founded solely on allegations that the possibility of cybersecurity vulnerabilities, even without any actual breach, was enough to classify the devices as defective.