Not All Test Labs Are Equal: How to Choose a Trustworthy Testing Vendor

Topics: Regulatory, Tools & processes, Thought leadership
Naomi Schwartz

June 12, 2025

When medical device manufacturers think about delays to market, they think about design hiccups, documentation gaps, or missing risk analyses. But increasingly, there’s another culprit: bad data — not just inaccurate, but fabricated, duplicated, or completely untrustworthy.

In recent weeks, the FDA issued a new Notification on Data Integrity — Medical Devices, citing widespread concerns about fraudulent or unreliable test lab results. This followed warning letters last year to two Chinese biocompatibility testing labs, flagging serious violations of 21 C.F.R. Part 58 (Good Laboratory Practices for Nonclinical Laboratory Studies).

In its February 26, 2025 General Correspondence Letter (GCL), the FDA cited examples including:

  • Cytotoxicity studies with identical results across different test dates
  • Guinea pig sensitization tests with reused body weight data
  • Large animal safety studies with implausible weight gains

The FDA didn’t mince words: “FDA has no reason to believe this data is reliable.”

And the consequences? These data were rejected outright until labs could demonstrate resolution — and the associated 510(k)s were effectively halted.

“You failed to ensure that all data generated during the conduct of the nonclinical laboratory study are accurately recorded and verified.”
- FDA Warning Letter to Hangzhou Testsea Biotechnology Co., Ltd. (Sept 2023)

“The medical device industry must be built and sustained on safety, effectiveness and quality,” said Owen Faris, Ph.D., acting director of the Office of Product Evaluation and Quality in the FDA’s Center for Devices and Radiological Health. “The FDA will take action to protect patients, consumers and the medical device supply chain from quality failures and violative practices. We strenuously remind industry of their responsibility and accountability for all data included in their submissions, which are required to comply with federal law.”

This Isn’t Just a Biocomp Problem

While the GCL focused on biocompatibility and animal studies, the implications reach further. Whether your device testing includes Electromagnetic Compatibility (EMC), usability, performance, or cybersecurity (including penetration testing), your choice of third-party vendor matters.

We recognize that terms like “test lab” may not perfectly describe all types of third-party testing, particularly in cybersecurity. Penetration testing and vulnerability assessments may not fall under traditional lab expectations, such as standardization or accreditation, due to the variety of methods that may be needed and applied. However, some of these activities are outsourced to meet FDA’s expectations of independent testing and still carry regulatory consequences if performed poorly. Cybersecurity testing may include, but not be limited to: fuzz testing, penetration testing, dynamic application security testing (DAST), and static application security testing (SAST). Some or all of these can be conducted internally (with appropriate independence), but penetration testing is usually conducted by an independent third party. The skills and accreditation of the individual testers should be evaluated during vendor selection and documented in reports.

In fact, we’ve already seen examples where cybersecurity and pen test data have been flagged by FDA reviewers. Reports have been sent back for:

  • Using non-device-specific threat models
  • Lacking verification of the attack surface through testing
  • Presenting a single round of clean results without evidence of test-fix-retest cycles
  • Including only a generic “vulnerability scan” and calling it a pen test
  • Failing to demonstrate that an in-house test lab is independent of the R&D team developing the product within the same company
  • For third-party test labs, failing to include information about the test group including scope of testing, duration of testing, credentials and identity of test team members

In the past six months alone, we’ve seen three 510(k) submissions delayed due to cybersecurity test reports that:

  • Lacked traceability from relevant device requirements and functions through risk controls to validation
  • Included no raw data (methods applied to generate findings) or device-specific findings
  • Were produced by IT security firms whose generalist approach failed to identify and prioritize security vulnerabilities with direct implications for patient safety or device efficacy

The takeaway? If you’re outsourcing testing, including cybersecurity testing, you are still accountable for the quality of that data. And if the partner you choose cuts corners, it’s your submission that pays the price.

Signs Your Test Vendor May Not Be FDA-Ready

We’ve worked on more than 200 projects with medical device companies preparing 510(k) submissions, and unfortunately, we’ve seen some patterns that raise red flags:

  • Recycled data from other clients without proper documentation
  • Lack of traceability, preventing validation of the cybersecurity risk management process against the device’s threat model, system architecture, and intended use
  • Failure to test the system end-to-end (e.g., a vendor report stating “we tested the hardware and software of the body-worn medical device” but covering neither the mobile medical app nor the cloud connection that shares the data with other authorized users)

It’s also worth noting that the FDA expects manufacturers to provide a “wrapper” or internal evaluation and summary of the penetration test findings that helps reviewers understand penetration testing reports within the context of the overall submission in addition to the third party penetration test report. This should include findings, recommendations, scope, timeline, qualifications, and — critically — the manufacturer’s analysis, mitigation plans, and rationale for addressing (or not addressing) findings.

Choosing the wrong partner could set you back months — or worse, prompt a formal FDA deficiency letter.

What to Ask Before Choosing a Testing Partner

Here are some critical questions you should ask before engaging any third-party testing lab:

  • Are they experienced with 510(k), PMA, or De Novo submissions?
  • Can they provide representative sample reports (de-identified)?
  • Do they scope the testing with your device-specific use cases, architectures, and threat models in mind?
  • Will they engage in risk-based testing alignment with your team?
  • Does their reporting provide sufficient detail to verify what was tested, how, and why?

Note: Standards like ISO/IEC 17025 or FDA GLP may apply to traditional test labs but do not always translate to cybersecurity testing. For adversary simulation and penetration testing, the goal is often different — to emulate real-world threat scenarios — not just to meet a static standard.

From FDA’s 2023 Cybersecurity Guidance:
“The sponsor should ensure that testing is device-specific, reproducible, and reflects clinically relevant threat conditions.”

Best Practices for Ensuring Testing Integrity

Even with a solid vendor, manufacturers need to stay vigilant:

  • Review raw data and findings, not just final summaries
  • Cross-check testing outcomes with internal threat models, architecture views, and risk controls
  • Keep documentation on vendor selection rationale in your DHF
  • When in doubt, get a second opinion — especially for critical test results

Also be mindful that FDA reviewers expect penetration tests to:

  • Cover all relevant interfaces (network, physical, radio frequency, proprietary)
  • Consider all device use cases, including technical modes such as field update or local/remote access
  • Include a test-fix-retest cycle to demonstrate maturity
  • Be scoped and executed with adequate depth and time investment

Conclusion: Your Testing Vendor Can Make or Break Your Submission

FDA scrutiny is intensifying — and it’s not enough to assume your test lab or security partner did everything by the book. Whether you’re evaluating a vendor for EMC, biocompatibility, or penetration testing, you must do your due diligence.

Because when a report gets flagged, it’s not the vendor who has to explain it. It’s you.
