QHub Q&A: FDA Just Modified a Cybersecurity Final Guidance. MedTech’s Eric Henry Breaks Down What You Need to Know

The US Food and Drug Administration (FDA) has taken the unusual step of making changes to its pre-market cybersecurity final guidance document for the MedTech industry.

The guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” was finalized on Sept. 27, 2023. The updated version, which now includes a new seven-page section on cyber devices, carries a publication date of June 27, 2025.

QualityHub spoke with longtime industry expert Eric Henry on June 26 about the modified guidance and what manufacturers should know. Henry, who is a senior advisor and the head of quality compliance for the Washington, DC, law firm Brooke & Associates, also discussed the FDA’s recent push to change language in draft and finalized docs and the potential dangers around that. The Q&A below was edited for clarity and brevity.

QualityHub: What are the changes to this cybersecurity guidance that companies should be aware of?

Eric Henry: First off, the FDA deleted the definition for “hardening,” and I believe the reason they did that is because the agency defined hardening in the 2023 version of the guidance but they didn’t use that word anywhere else in the guidance.

QH: What is hardening?

Henry: It’s a process to eliminate means of attack by patching vulnerabilities and turning off nonessential services. It’s turning off the nonessential services that typically tends to be a big part of hardening. So, I may, for instance, turn off access to a USB port. I’m certainly patching my vulnerabilities, but I’m thinking of other things. I’m adopting a zero-trust architecture, which means I assume you’re a bad guy unless I give you explicit permission to come in. So, all those kinds of things – addressing external threats, using encryption, anything that reduces the attack surface – are going to be a part of hardening, which helps make your device less vulnerable to malicious attackers.

QH: What looks like a significant addition to the final guidance is the new section – Sec. VII – on cyber devices.

Henry: What we see in Sec. VII, which is the only other significant change, addresses what is a cyber device, which is a big deal. It talks about what needs to be done in terms of things like coordinated vulnerability disclosure. A lot of this is the contents of your post-market plan. So, coordinated vulnerability disclosure, patching, all those kinds of things, they’re all kind of rolled into that. It’s the idea of how you make changes that impact cybersecurity and those that don’t, and how you reflect those on your plan. There’s this reiteration that the FDA now has the authority to enforce the cyber-secure state of a medical device above and beyond how it impacts safety and efficacy.

So, it could have nothing to do with safety. But if there’s a cybersecurity issue, the FDA still has the authority to enforce those requirements on the device. And the way the FDA frames that is, “We consider cybersecurity to be a form of safety and efficacy.”

Now, this new Sec. VII is just the same information that was in the 2024 guidance, “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.” That guidance defined a cyber device subject to Sec. 524B of the Federal Food, Drug, and Cosmetic Act, which was revised in December 2022. So, the FDA just took that 2024 content, dropped it into Sec. VII, and removed that definition of “hardening.” And there you go.

QH: It’s unusual to make changes to a final guidance document like this, right?

Henry: When Robert F. Kennedy first came on board as HHS secretary, they made this change to FDA policy that basically said, “We’re going to widely interpret this administrative rule that allows us to make changes to regulatory documents that we consider to be administrative in nature. We’re going to interpret that more widely and we’re going to use it more often.” So, you can see where, from the FDA point of view, they had Document A, they had Document B, and they merged those two documents into Document A, end of story.

QH: What are some of the potential dangers of making changes to documents that are already finalized?

Henry: I think there’s a general danger of how widely the FDA is adopting this process. They’re giving themselves permission to make a more wide-ranging series of changes to guidances, to published guidances, to make changes to guidances that they consider to be in the public interest, or they consider to be an administrative change, pretty much at will. They get to decide what that means.

This new Sec. VII was an innocuous change. A company could say, “Hey, I didn’t know that was in there.” But what that tells me is that the company missed seeing it when the FDA published that information in 2024 in “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.” So, they should have kept up with things – it’s kind of their own fault. However, we also know that the FDA has given itself permission to do this on a much more wide-ranging basis, and that I see as potentially problematic. They can impose expectations or define expectations to industry that industry may not be prepared for and may have had little to no opportunity to comment on, and I think that is a dangerous future. Whether that’s realized at some point is yet to be determined, but it’s certainly a risk of the stance they’ve chosen to take.

[Editor’s Note: Keeping up with FDA guidance documents can often feel overwhelming for MedTech and pharmaceutical companies – so let QualityHub lend a hand. Find out today what our vast network of experienced consultants can do to ease that burden for your firm.]

About the Author

This content was created by Shawn M. Schmitt, QualityHub’s Communications & Marketing Manager.