Navigate the FDA Draft Guidance on Artificial Intelligence (AI) and Cybersecurity


March 10, 2025

The FDA’s newly released draft guidance on artificial intelligence (AI) and cybersecurity is the latest milestone in a series of initiatives the agency has undertaken over the past decade to enhance medical device cybersecurity. As threats evolve, so too must regulatory approaches and industry practices. This guidance reflects the FDA’s commitment to strengthening medical device security by setting clear expectations for manufacturers, particularly in an era where AI is transforming healthcare. For medical device manufacturers (MDMs), adapting to these requirements is not just about regulatory compliance; it’s about ensuring patient safety, maintaining trust and staying ahead of emerging cyber threats.

FDA’s draft guidance on artificial intelligence (AI) and cybersecurity

What does the new guidance mean for medical device manufacturers?

The draft guidance lays out clear expectations for MDMs regarding AI and cybersecurity. Key elements include:

  • Transparency and Explainability: AI models should be interpretable, ensuring stakeholders can understand their decision-making processes.
  • Secure-by-Design Principles: Security must be embedded at every stage of development. However, with AI-driven devices, the risk extends beyond the device itself — threats such as data poisoning, adversarial attacks, and model manipulation can introduce vulnerabilities before a product even reaches the market. Ensuring security throughout the AI lifecycle, from training data integrity to post-market monitoring, is crucial.
  • Lifecycle Management: Manufacturers are expected to continuously assess and manage cybersecurity risks, incorporating secure software updates, threat intelligence and post-market surveillance to mitigate emerging vulnerabilities.

What responsibilities do manufacturers have?

To meet these expectations, MDMs must integrate cybersecurity and risk management into their regulatory and operational practices. Key responsibilities include:

  • Submitting detailed cybersecurity plans and risk assessments as part of premarket submissions.
  • Implementing robust monitoring mechanisms to detect, mitigate and report vulnerabilities.
  • Demonstrating the validation of AI systems for safety, accuracy, and fairness, ensuring they remain reliable even as conditions change.

The integration of these principles aligns closely with the Quality System Regulation (QSR), recently modernized through the Quality Management System Regulation (QMSR). The QMSR emphasizes risk-based, systematic approaches to device design and production, reinforcing cybersecurity and AI management as critical elements of regulatory compliance.


How will this guidance impact the industry?

Sets a New Standard for AI in Devices

This guidance establishes a baseline for AI use in medical devices and represents a fundamental shift for the industry. Between 2015 and 2020, the number of AI-enabled medical devices increased 83%, and the trend continues to grow rapidly, with more than 500 devices now cleared by the FDA. For manufacturers — many of whom rely on AI for diagnostic, imaging, and decision-support applications — these changes will require significant resource reallocation. Manufacturers must now prioritize security alongside innovation, ensuring AI models are not only effective but also resistant to manipulation and exploitation.

[Chart: The number of AI/ML-enabled medical devices authorized by the FDA from 1995 to Aug. 7, 2024, which include hardware or software features. Chart by Elise Reuter; source: The Food and Drug Administration.]

Makes Cybersecurity a Core Requirement

Cyberattacks on healthcare systems are growing more sophisticated, and medical devices are increasingly targeted as potential entry points. The FDA’s guidance reinforces that cybersecurity must be an integral part of product development — not an afterthought. MDMs will need to enhance their approaches to secure software updates, supply chain integrity, and real-time threat monitoring to prevent malicious exploitation. This shift underscores the necessity of continuous risk assessment, recognizing that cybersecurity is not a static milestone but an evolving challenge.

Impacts Cost and Resources

Compliance with these requirements will demand increased investment in cybersecurity measures, AI validation and regulatory documentation. Smaller and mid-sized manufacturers, in particular, may face challenges adapting to these more stringent standards. However, failing to comply can lead to market entry delays, regulatory pushback, and potential reputational damage. Additionally, under QMSR, manufacturers must allocate resources for continuous process improvement, reinforcing that cybersecurity is not just a cost center but an investment in long-term business sustainability and patient safety.

What if I decide to wait and see?

Regulatory Setbacks

Non-compliance with FDA guidance can result in delayed product approvals, rejections, or increased scrutiny during regulatory evaluations. The QMSR’s emphasis on proactive risk management means that manufacturers without a strong cybersecurity and AI governance framework may struggle to gain or maintain market access.

Reputational and Business Risks

Medical device cybersecurity incidents can have far-reaching consequences. A security breach or AI malfunction can erode trust among healthcare providers, regulators, and patients. Negative publicity, recalls, and litigation can have lasting financial and reputational damage, making it far costlier to address security issues post-market than to invest in security from the outset.

Increased Cybersecurity Vulnerabilities

Failing to implement robust cybersecurity protections exposes devices to emerging threats. Attackers are continuously evolving their tactics, and devices that are not designed with security in mind may become easy targets for exploitation. A reactive approach to cybersecurity is no longer viable in today’s threat landscape.

What can MDMs do to prepare for these changes?

  1. Early Risk Assessments and Gap Analysis — MDMs should conduct a comprehensive review of their current AI and cybersecurity practices against the FDA’s draft guidance and QMSR. Identifying gaps early allows for more effective risk mitigation strategies.
  2. Investment in Compliance Tools — Leveraging tools such as Software Bill of Materials (SBOM) management platforms, AI model validation frameworks, and real-time vulnerability scanning can help streamline compliance efforts and reduce security risks.
  3. Cross-Functional Collaboration — Cybersecurity and AI compliance require collaboration across multiple disciplines, including regulatory affairs, cybersecurity, engineering, and data science. MDMs should foster integrated teams to ensure security and compliance considerations are embedded at every stage of development.
  4. Engage Experts and Resources — MDMs should consider partnering with regulatory consultants, participating in industry events, and leveraging FDA resources to stay informed. Webinars, industry collaborations, and cybersecurity partnerships can help MDMs stay ahead of evolving regulatory expectations.
  5. Plan for the Long Term — Cybersecurity and AI risks will continue to evolve, necessitating ongoing risk assessment and adaptation. Implementing continuous monitoring, updating security protocols, and aligning with QMSR’s principles will position MDMs for sustained success in a highly regulated industry.

Conclusion

Cybersecurity threats are evolving rapidly, and MDMs cannot afford to be complacent. The FDA’s guidance makes it clear that securing AI-driven medical devices requires a proactive, end-to-end approach. Security must be embedded from the earliest design stages, encompassing AI model integrity, real-time monitoring, and post-market vigilance.

This is not just about regulatory compliance — it’s about future-proofing the industry against increasingly sophisticated cyber threats. Bad actors are adapting faster than ever, and MDMs must stay ahead by continuously strengthening their security frameworks.

By acting now, MDMs can protect patients, gain a competitive advantage, and demonstrate leadership in an industry where trust and safety are paramount. The time for incremental improvements has passed — MDMs must fully embrace security as a cornerstone of medical device innovation. The risks of inaction are too great, and the rewards of proactive security are too significant to ignore.

Medcrypt provides extensive regulatory services that help MDMs navigate FDA approval:

  • FDA cybersecurity readiness
  • FDA hold letter response
  • Threat modeling
  • Cryptography design and review

Avoid approval delays caused by missing cybersecurity information: get started with Medcrypt to meet FDA requirements.
