FDA Guidance · 2026-04-05 · 4 min read

What Medical Device Manufacturers Need to Know About FDA Cybersecurity Requirements

Jesse Kinser
Extra Security

In response to the increasing frequency of cyberattacks on healthcare infrastructure, the FDA has significantly intensified its expectations for premarket submissions. Manufacturers can no longer treat cybersecurity as an "add-on" feature or a post-production patch. It must be designed into the device from day one.

The Shift to Mandatory Requirements

The core change is the move from voluntary guidance to statutory requirements under Section 524B of the FD&C Act, added by the Consolidated Appropriations Act, 2023 and in effect for submissions since March 2023. The statute applies to "cyber devices": a device that includes software validated, installed, or authorized by the sponsor; has the ability to connect to the internet; and contains technological characteristics that could be vulnerable to cybersecurity threats. All three conditions must hold, so a standalone device with software but no connectivity is not a cyber device under 524B, although the FDA's premarket cybersecurity guidance still applies to it.

For a cyber device, the sponsor must document its security posture in the premarket submission before the device can reach patients, and since October 2023 the FDA can refuse to accept a submission that omits this information. In practice this covers virtually every connected medical device.

What You Need to Document

At a minimum, your premarket submission needs to include:

  • Software Bill of Materials (SBOM): A machine-readable inventory of every software component, including commercial, open-source, and off-the-shelf components, with the version, support status, and end-of-support date of each. A standard format such as CycloneDX or SPDX is expected. This is what lets you answer, within hours rather than weeks, whether a newly disclosed vulnerability affects a fielded device.

  • Threat Model: A structured analysis of the device's attack surfaces, the threat actors relevant to its deployment, and the mitigation for each identified threat. STRIDE-based analysis and attack trees are commonly accepted methodologies. The model should cover the whole system (device, accessories, update infrastructure, and any cloud services), not just the device enclosure.

  • Security Architecture: Documentation of how the device implements authentication, authorization and access control, cryptography and key management, secure boot, secure update mechanisms, and security event logging.

  • Vulnerability Testing Results: Evidence that the device has undergone security testing, including penetration testing, by testers independent of the development team (typically a qualified third party), with findings mapped to clinical impact rather than technical severity alone.

  • Post-Market Plan: A plan to monitor, identify, and address vulnerabilities after the device ships, including a coordinated vulnerability disclosure process and a commitment to release patches for known unacceptable vulnerabilities on a regular cycle, and out of cycle for critical ones, as Section 524B(b) requires.

Penetration Testing Requirements

The FDA expects manufacturers to conduct security testing that goes beyond automated scanning. This means hands-on penetration testing of:

  • Network interfaces: Wi-Fi, Bluetooth Classic and BLE, cellular, and wired protocols
  • Firmware: Reverse engineering, binary analysis, and update mechanism testing
  • Physical interfaces: USB, JTAG, debug ports, and tamper resistance
  • Cloud/backend: API security, authentication flows, and data handling

Your pentest report should map findings to clinical impact, not just technical severity. The FDA's premarket guidance frames risk as exploitability combined with the severity of patient harm rather than a CVSS score alone (the MITRE rubric for applying CVSS to medical devices exists for exactly this reason). A vulnerability that allows unauthorized modification of drug dosage parameters is categorically different from one that leaks a device serial number, even if the two score similarly on CVSS.

How to Prepare

If you're planning an FDA submission in the next 6-12 months, here's a practical checklist:

Start your threat model early

Don't wait until the device is finished. Threat modeling during the design phase catches architectural issues that are expensive to fix later.

Automate your SBOM generation

Integrate SBOM generation into your build pipeline so that every release produces a current SBOM automatically; a hand-maintained inventory drifts from the shipped binary within a release or two, and an SBOM that cannot name the exact shipped version of each component is useless for vulnerability matching.
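As an added illustration of what such a pipeline step does (this is example code, not code from this page or from Extra Security), the Python below parses a constructed `pip freeze` lockfile, refuses any requirement that is not an exact pin, emits a CycloneDX 1.5 document, matches the components against a constructed advisory feed, and diffs two releases' SBOMs. The package names, the device name, and the advisory identifiers are all invented for illustration and do not refer to real packages or real advisories.

```python
"""Build a CycloneDX-style SBOM from a pinned Python lockfile and match it
against a vulnerability feed.

Added example, not code from the page or from Extra Security. The
lockfile, package names and advisory identifiers are constructed for
illustration and do not refer to real packages or real advisories.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed `pip freeze` output. The last line is deliberately
# unpinned: an SBOM built from it could not say which version shipped.
SAMPLE_LOCKFILE = """\
# constructed sample, not a real lockfile
ble-stack==1.4.2
telemetry-client==0.9.1
dose-calc==3.2.0
serial-bridge>=2.0
"""

# Constructed advisory feed with hypothetical IDs. A component is affected
# when its version is >= `introduced` (if given) and < `fixed_in`.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "telemetry-client", "fixed_in": "0.9.3"},
    {"id": "ADV-EXAMPLE-002", "name": "dose-calc", "fixed_in": "3.1.0"},
    {"id": "ADV-EXAMPLE-003", "name": "ble-stack",
     "introduced": "1.4.0", "fixed_in": "1.5.0"},
]

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.!+_-]+)$")


def parse_lockfile(text):
    """Return [(name, version)] from exact `name==version` lines.

    Raises ValueError on any requirement that is not an exact pin: an SBOM
    that cannot name the shipped version is unusable for vuln matching.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        components.append((m.group(1).lower(), m.group(2)))
    return components


def build_sbom(components, device_name, device_version):
    """Assemble a CycloneDX 1.5 document (as a dict) for one firmware build."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "firmware", "name": device_name,
                          "version": device_version},
        },
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:pypi/{n}@{v}"}   # package URL: the matching key
            for n, v in components
        ],
    }


def _vkey(version):
    """Coarse ordering key: dotted numeric parts, non-numeric parts as 0."""
    return tuple(int(p) if p.isdigit() else 0
                 for p in re.split(r"[.+-]", version))


def find_affected(sbom, advisories):
    """Return [(purl, advisory id)] for components inside a vulnerable range."""
    hits = []
    for comp in sbom["components"]:
        v = _vkey(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if _vkey(adv.get("introduced", "0")) <= v < _vkey(adv["fixed_in"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


def diff_sboms(old, new):
    """(added, removed) purls between two releases' SBOMs."""
    before = {c["purl"] for c in old["components"]}
    after = {c["purl"] for c in new["components"]}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    pinned = "\n".join(l for l in SAMPLE_LOCKFILE.splitlines() if ">=" not in l)
    sbom = build_sbom(parse_lockfile(pinned), "pump-controller-fw", "2.3.0")
    print(json.dumps(sbom, indent=2))
    for purl, adv in find_affected(sbom, SAMPLE_ADVISORIES):
        print(f"AFFECTED {purl} by {adv}")
```

Run the same step on every tagged build and store the resulting document with the release artifacts. The advisory match is what you re-run when a new disclosure lands; the diff is what tells reviewers which components changed between the build that was tested and the build that shipped. Real pipelines should use a proper version-comparison library rather than the coarse key above, and the package-URL type should match the ecosystem (pypi here is an assumption of the sample).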

Budget for third-party testing

The FDA expects testing by a team independent of the developers, which in practice usually means a third party. Plan for ~4 weeks of testing time plus remediation.

Document everything

Your submission reviewers need to see not just what you tested, but how you tested it, what you found, and how you addressed it.

Timeline Expectations

A typical penetration testing engagement looks like this:

  1. Scoping: Create an engagement on Thrombus, upload your documentation and source code, and select your test type — all self-service, on your schedule
  2. Device shipping: Send your device to our hardware lab
  3. Testing (~4 weeks): Hands-on security testing across all attack surfaces
  4. Report delivery: FDA-formatted pentest report with findings, risk assessment, and remediation guidance
  5. Remediation (varies): Your engineering team addresses findings
  6. Re-testing (~1 week): Verification that fixes are effective — included free within 60 days
  7. Letter of remediation: Formal confirmation that identified vulnerabilities have been resolved

Once we receive your device, plan for ~4 weeks to final report, plus remediation time on your end before re-testing.

Ready to secure your device?

Our penetration tests are designed specifically for FDA premarket and post-market requirements.

Schedule a Pentest