FDA Tightens Cybersecurity Rules for Digital Health Devices

On March 27, 2025, the U.S. Food and Drug Administration (FDA) finalized a sweeping new set of cybersecurity requirements for connected medical devices. Although technically a continuation of prior guidance, the new rules mark the first time device makers are legally required to build cybersecurity into their design, development, and regulatory approval processes.

The move, which became fully enforceable this summer, has reshaped how medical technology companies approach everything from product testing to postmarket monitoring. But for hospitals and patients, the impact is even bigger: the devices meant to save lives must now defend against the threats that could end them.

How Did This Happen?

The Rise of the “Cyber Device”

As more medical devices rely on software, wireless updates, and network connectivity, the FDA redefined what qualifies as a “cyber device.” The new criteria cover anything that contains software and connects to the internet, which includes everything from insulin pumps to surgical robots.

This change was prompted by a growing number of attacks targeting hospitals and medical infrastructure, where outdated, insecure devices were often the easiest way in.

Lawmakers Pushed for Enforcement

Following several high-profile breaches in 2023 and 2024, Congress passed Section 524B of the Food, Drug, and Cosmetic Act, giving the FDA authority to mandate cybersecurity reviews for device approvals. Starting this year, manufacturers must comply or risk denial.

What Do the New Rules Require?

Cybersecurity Plans Are Now Mandatory

Before receiving FDA approval, device manufacturers must now submit a cybersecurity risk management plan: a detailed roadmap outlining how they will detect, monitor, and respond to vulnerabilities throughout the device’s lifecycle.

Software Bill of Materials (SBOM)

Devices must also include an SBOM, which lists every piece of software inside the device including third-party components. This makes it easier to identify risks when new vulnerabilities are discovered in shared code libraries.
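To show how an SBOM makes that cross-check concrete, here is an added example (not from the article or from any FDA tool): a constructed CycloneDX-style SBOM for a hypothetical device is compared against a constructed advisory list, and every component running a version older than the fixed release is reported. Component names, versions, and advisory IDs are placeholders.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment for a hypothetical infusion pump.
# Names and versions are made up for illustration only.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
    {"type": "library", "name": "rtos-kernel", "version": "10.4.3"}
  ]
}
"""

# Constructed advisory feed: library name plus the first fixed version.
# IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "openssl", "fixed_in": "1.1.1w"},
    {"id": "ADV-PLACEHOLDER-2", "name": "zlib", "fixed_in": "1.2.12"},
]

_SEG = re.compile(r"(\d*)([A-Za-z]*)")


def parse_version(v: str) -> List[Tuple[int, str]]:
    """Split '1.1.1k' into comparable (number, letter-suffix) segments."""
    out = []
    for seg in v.split("."):
        m = _SEG.match(seg)
        out.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return out


def version_less(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, "")] * (width - len(pa))  # pad so 1.2 == 1.2.0
    pb += [(0, "")] * (width - len(pb))
    return pa < pb


def affected_components(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return SBOM components whose version predates an advisory's fix."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and version_less(comp["version"], adv["fixed_in"]):
                hits.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits
```

Running `affected_components(SBOM_JSON, ADVISORIES)` flags only the outdated openssl entry; zlib is already past its fix and the RTOS kernel has no matching advisory.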

Secure Update Mechanisms

All new devices must support safe, authenticated updates and have a clear plan for patching known flaws, even after the device is in use. Static software that can’t be updated is no longer acceptable.

What Kind of Devices Are Affected?

  • Pacemakers and defibrillators
  • Infusion pumps and IV controllers
  • Connected monitoring devices
  • Imaging systems (MRI, CT, etc.)
  • Any networked hospital equipment

These changes affect not only new devices entering the market, but also updates to existing ones.

Why It Still Matters Today

Outdated Devices Still Pose a Threat

Many hospitals still use legacy medical devices built before modern security standards. These systems are often running old software that can’t be patched, leaving patients vulnerable to ransomware and remote exploitation.

Hackers Are Already Targeting Healthcare

Healthcare remains one of the most targeted industries for ransomware attacks. Vulnerable devices can be used as entry points into hospital networks, patient data, or even life-support systems.

Legal and Ethical Questions

If a connected device is compromised and harms a patient, who is responsible? The manufacturer, the hospital, or the software vendor? The FDA’s new rules aim to clarify accountability.

How to Reduce Risk if You Use These Devices

Ask About Device Security

Patients receiving connected devices should ask providers whether the device supports secure updates and whether it has been tested against known vulnerabilities.

Monitor for Updates and Recalls

Check with your device manufacturer or the FDA’s device database to see if your medical device is still supported or has been flagged for cyber risks.

Limit Exposure When Possible

Hospitals can reduce risk by isolating critical devices from broader networks, segmenting internet access, and applying strict authentication protocols.

Conclusion

The FDA’s cybersecurity rules mark a major shift in how medical technology is designed and regulated. For the first time, connected devices will be treated not just as tools of care, but as potential points of failure in the face of digital threats.

The industry still has a long way to go. But this is a clear message: in 2025, if your device can connect, it must also protect.

Stay informed and empowered with Cyber News Live! Join us for ongoing coverage of healthcare cybersecurity, FDA regulations, and the evolving risks of the digital medical age.

By Sam Kirkpatrick, an Information Communication Technology student at the University of Kentucky and intern at Cyber News Live.
