FDA May Scrutinize Medical Device Cybersecurity More in 2026

The US Food and Drug Administration (FDA) is set to intensify its scrutiny of medical device cybersecurity considerably heading into 2026, an expert forecasts.

In June 2025, the agency published its final expectations for premarket submissions and post-market lifecycle obligations for medical device cybersecurity under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act.

Justin Kozak, team lead of the life science practice at technology broker Founder Shield, expects the FDA to shift its focus from pre-market paperwork to active operational execution in the coming year.

Kozak told Medical Device Network that the FDA will move beyond reviewing plans under Section 524B to auditing the real-world effectiveness of post-market security processes.

Section 524B, introduced in December 2022 as part of the Consolidated Appropriations Act, mandates a range of cybersecurity requirements throughout the lifecycle of certain medical devices. The legislation targets devices that connect to the internet and include software that is validated, installed, and authorized by a device manufacturer.

Required details include information on the device's security controls, plans for vulnerability disclosure, and a software bill of materials (SBOM).

In October 2023, the FDA put its refuse to accept (RTA) policy into effect under Section 524B. This gave the agency authority to reject premarket application (PMA) submissions for in-scope medical devices that lacked complete cybersecurity information.

Kozak further said that the rapid integration of AI or generative AI (genAI) into devices is introducing distinct security risks that demand specialized governance and secure-by-design principles to maintain patient safety.

Kozak also remarked that this transition will force companies to prove that their vulnerability management works in the field, not only before product launch.

Because premarket enforcement has been in place since 2023, the industry has been bracing for the post-market cybersecurity requirements. For instance, the safety testing company UL Solutions has a page on its website dedicated to answering FAQs on how to navigate Section 524B.

Kozak underscored that small medtech companies face heightened risk because of resource limitations and the threat of regulatory failure.

He added that they often lack the deep pockets of larger companies, resulting in a triple burden.

To meet the requirements under Section 524B, Kozak advises smaller companies to treat security as a central engineering requirement from day one rather than as an afterthought.

Kozak says the most effective strategy is to embed automated security checks much earlier in the development pipeline. The rationale for this shift-left strategy is that fixing vulnerabilities during coding is more cost-efficient than post-market remediation.
