FDA Cybersecurity Labeling: What HDOs Need to Know
Post Summary
The FDA requires medical device manufacturers to include cybersecurity labeling to help healthcare delivery organizations (HDOs) manage critical medical device security risks. This rule, effective since December 29, 2022, applies to devices with software, internet connectivity, or cyber vulnerabilities. Key updates in 2025 include mandatory labeling elements, Software Bill of Materials (SBOM) submissions, and five-year update commitments. These measures aim to enhance device security and patient safety.
Key Takeaways:
- Cyber Devices: Must include cybersecurity documentation in FDA submissions.
- 14 Labeling Elements: Cover security features, vulnerabilities, updates, and end-of-support details.
- SBOMs: Crucial for tracking software components and managing vulnerabilities.
- HDO Responsibilities: Evaluate labeling, monitor risks, and plan for device lifecycle security.
HDOs should review device labeling for compliance and use tools like SBOMs to manage risks effectively.
A Quick Primer on FDA's Final Guidance for Cybersecurity in Medical Devices
FDA's 14 Required Cybersecurity Labeling Elements for Medical Devices
What Changed in the 2025 FDA Guidance
On June 27, 2025, the FDA rolled out new guidance requiring mandatory cybersecurity labeling for all premarket submissions, including 510(k), PMA, and De Novo applications. This guidance introduced 14 specific labeling elements and added a requirement for submitting a Software Bill of Materials (SBOM) alongside these applications[2][3].
The FDA also set strict timelines for manufacturers, mandating that devices receive cybersecurity updates for at least five years after they hit the market - or for the duration of the device lifecycle, whichever is shorter. Manufacturers are now required to disclose end-of-support dates and warn healthcare delivery organizations (HDOs) about risks tied to unsupported devices, such as unpatched vulnerabilities[3]. While these measures have increased premarket review times by 20–30%, experts believe the trade-off helps healthcare organizations reduce procurement risks and improve overall cybersecurity readiness[2][3].
This updated guidance lays the groundwork for understanding the 14 required labeling elements.
The 14 Required Labeling Elements
The FDA guidance outlines 14 essential labeling elements that manufacturers must include, addressing cybersecurity across the entire device lifecycle - from initial setup to end-of-support. For instance, devices must ship with secure-by-default configurations, which include features like active firewalls, randomized default passwords, and TLS 1.3 encryption enabled right out of the box[2].
Manufacturers are also required to provide detailed information about third-party components using SBOM references, explain the vulnerability reporting process, and describe their plans for post-market surveillance. Other key elements include vulnerability assessment methods, exploit mitigation strategies, and the cybersecurity controls built into the device. Additionally, manufacturers must offer user guidance on secure operation and address interoperability security, ensuring HDOs have a full understanding of how the device safeguards patient data and clinical systems[2][3].
When it comes to update commitments, manufacturers must clearly define timelines and outline what happens once support ends. For example, labeling for an imaging device might state: "End-of-support: December 31, 2030; post-support risks include known vulnerabilities without patches." This level of transparency helps HDOs plan ahead, enabling them to schedule device replacements and allocate budgets for cybersecurity maintenance well before devices become potential liabilities[3].
How HDOs Should Evaluate Cybersecurity Labeling
Reviewing Cybersecurity Protections
Healthcare delivery organizations (HDOs) need to ensure that every qualifying medical device aligns with Section 524B requirements. This section applies to devices submitted to the FDA after March 29, 2023[1]. These "cyber devices", as outlined earlier, must include specific cybersecurity documentation. When reviewing device labeling, HDOs should confirm the inclusion of these key elements:
- Postmarket monitoring plans for identifying vulnerabilities.
- Processes for updates and patches to address security issues.
- A Software Bill of Materials (SBOM) that lists all software components.
The SBOM is particularly useful because it allows HDOs to check components against known vulnerability databases. Additionally, HDOs should evaluate the manufacturer’s commitments to timely patching and updating, ensuring there’s a reliable process for maintaining security throughout the device’s lifecycle.
For devices submitted after October 1, 2023, the FDA has implemented a technical screening hold (eSTAR) as part of its "Refuse to Accept" policy. Submissions missing accurate cybersecurity information will not proceed, ensuring that newer devices meet stricter security standards before entering the market[1]. These measures help HDOs gauge potential risks, especially as devices approach the end of their support lifecycle.
Understanding End-of-Support and Risk Warnings
HDOs must also consider the long-term security of medical devices, particularly when they reach the end of their support period. Once support ends, manufacturers stop issuing security patches, leaving devices vulnerable. To mitigate this, HDOs should verify that manufacturers have a coordinated vulnerability disclosure (CVD) process in place. This ensures that any potential exploits are communicated and addressed effectively.
Additionally, any changes to a device that could impact its cybersecurity require updated documentation and, in some cases, new premarket reviews. By asking manufacturers about planned modifications and how they might affect the device's security, HDOs can better manage the risks in their device portfolio that stem from outdated security controls[1]. This proactive approach helps safeguard patient data and maintain operational security throughout the device's usage.
SBOMs and Documentation Requirements
Using SBOMs for Risk Management
An SBOM, or Software Bill of Materials, is essentially a detailed, machine-readable inventory of a medical device's software components, dependencies, and related metadata. The FDA's 2025 cybersecurity labeling guidance requires SBOMs to provide healthcare delivery organizations (HDOs) with clear insight into the software running on their devices. This transparency is critical because an SBOM identifies specifics like open-source libraries - such as the exact version of Log4j - and supplier details. For instance, when vulnerabilities like Log4j CVE-2021-44228 arise, HDOs can quickly determine which devices are at risk [4].
This proactive approach changes the game for risk management. Instead of spending months uncovering vulnerabilities, HDOs can use tools to scan SBOMs - formatted in standards like CycloneDX - and check for over 1,200 CVEs across their devices. This reduces the time to mitigate potential exploits from months to just days [7]. One notable example involved a major U.S. hospital system that received SBOMs from its infusion pump vendor. After identifying a vulnerable version of OpenSSL (CVE-2022-3602), the hospital deployed mitigations across 500 devices in under 48 hours, successfully avoiding ransomware threats [9].
To meet FDA compliance, an SBOM must include key details such as the component name, version, unique identifiers (like CPE or PURL), dependency relationships, supplier information, and any disclosed vulnerabilities. Accepted formats like SPDX 2.3 or CycloneDX 1.4 enable HDOs to automate the integration of SBOM data into their risk management workflows [8]. A 2025 survey highlighted that 85% of HDOs now prioritize SBOM automation, with organizations reporting annual savings of $2.5 million due to improved visibility into software dependencies [4].
By leveraging these tools and processes, HDOs not only improve risk management but also ensure their documentation aligns with labeling requirements for full traceability.
Matching Documentation with Labeling Requirements
Beyond the technical benefits of SBOMs, accurate documentation plays a crucial role in meeting cybersecurity labeling compliance. As outlined by the FDA, traceability documentation - such as matrices linking SBOM components to design specifications and security controls - helps establish a clear evidence trail. For example, a matrix might connect a specific vulnerability fix to FDA labeling element #7, which pertains to cybersecurity controls [5].
HDOs must ensure that SBOMs align with specific labeling elements, such as element #10 (SBOM provision) and element #11 (vulnerability tracking process). This includes documentation that outlines exploit risks and patch timelines. A practical solution is to create a checklist that ensures the SBOM addresses element #5 (known vulnerabilities) and includes matrices validating the manufacturer's cybersecurity commitments [11].
However, challenges like incomplete SBOMs and inconsistent formats can complicate compliance. To address these, HDOs can mandate the inclusion of NTIA-minimum elements in procurement contracts and utilize validation tools like Dependency-Track. Pilot programs have shown that these tools can boost compliance rates by 70% [10]. By addressing these common obstacles, HDOs can streamline the documentation process and strengthen their cybersecurity posture.
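The two SBOM tasks described above - checking a vendor SBOM against known vulnerabilities (the OpenSSL and Log4j cases) and gating procurement on the NTIA minimum elements - can both be done over a CycloneDX document with a short script. The example below is added here and is not Censinet's, the FDA's or any vendor's code. The SBOM document, the device and supplier names and the component versions are constructed for illustration; the two CVE identifiers are the ones the article names, and the advisory list is a constructed stand-in for a feed an HDO would normally pull from a vulnerability database.

```python
"""Review a CycloneDX 1.4 SBOM as an HDO procurement gate might: report
missing NTIA minimum elements, then match components against advisories.

Added example, not code from Censinet, the FDA or any device vendor.
SAMPLE_SBOM and ADVISORIES are constructed for illustration only.
"""
import json


def parse_version(version: str) -> tuple:
    """'3.0.6' -> (3, 0, 6); a non-numeric tail such as '1.2.13a' is dropped."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Strip '@version' (and anything after it) from a package URL."""
    return purl.partition("@")[0]


def check_ntia_minimum(sbom: dict) -> list:
    """One finding per missing NTIA minimum element: document author and
    timestamp; per component supplier, name, version, unique identifier
    (PURL) and a recorded dependency relationship."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("document: missing timestamp")
    if not meta.get("authors"):
        findings.append("document: missing author of SBOM data")
    # Every bom-ref that takes part in the dependency graph.
    related = set()
    for dep in sbom.get("dependencies", []):
        related.add(dep.get("ref"))
        related.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
        if comp.get("bom-ref") not in related:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings


def match_advisories(sbom: dict, advisories: list) -> list:
    """Flag components whose PURL base matches an advisory and whose
    version lies in the half-open range [introduced, fixed)."""
    hits = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # cannot match; the NTIA check already reports the gap
        v = parse_version(version)
        for adv in advisories:
            if purl_base(purl) != adv["purl_base"]:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append({"name": comp["name"], "version": version,
                             "cve": adv["cve"], "fixed_in": adv["fixed"]})
    return hits


def review_sbom(sbom_json: str, advisories: list) -> dict:
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {"ntia_findings": check_ntia_minimum(sbom),
            "vulnerable": match_advisories(sbom, advisories)}


# Constructed SBOM for a hypothetical infusion pump firmware. zlib is
# deliberately incomplete (no PURL, supplier or dependency entry).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"timestamp": "2025-07-01T12:00:00Z",
                 "authors": [{"name": "Example Pump Co. Product Security"}],
                 "component": {"type": "firmware", "name": "pump-fw",
                               "version": "4.2.0", "bom-ref": "pump-fw"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.6",
         "bom-ref": "pkg:generic/openssl@3.0.6", "purl": "pkg:generic/openssl@3.0.6",
         "supplier": {"name": "OpenSSL Software Foundation"}},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "supplier": {"name": "Apache Software Foundation"}},
        {"type": "library", "name": "zlib", "version": "1.2.13", "bom-ref": "zlib"}],
    "dependencies": [{"ref": "pump-fw", "dependsOn": [
        "pkg:generic/openssl@3.0.6",
        "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]}]})

# Constructed advisory list (stand-in for an NVD/OSV feed) using the two
# CVEs named in the article with their published affected ranges.
ADVISORIES = [
    {"cve": "CVE-2022-3602", "purl_base": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.7"},
    {"cve": "CVE-2021-44228", "introduced": "2.0", "fixed": "2.15.0",
     "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core"},
]

if __name__ == "__main__":
    print(json.dumps(review_sbom(SAMPLE_SBOM, ADVISORIES), indent=2))
```

Run as written, the review flags OpenSSL 3.0.6 for CVE-2022-3602 (fixed in 3.0.7), clears log4j-core 2.17.1 because it is past the 2.15.0 fix, and lists three NTIA gaps for zlib. That last point is the practical one: a component with no PURL cannot be matched at all, which is why the NTIA-minimum check belongs in the procurement contract rather than being left to the scanner.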
How Censinet RiskOps™ Supports Cybersecurity Labeling Compliance

Automating Device Labeling Reviews
Censinet RiskOps™ simplifies the process of reviewing third-party device labeling to ensure compliance with FDA standards. Instead of manually comparing vendor documentation against the FDA's 14 required labeling elements, the platform automates this evaluation. This approach provides actionable insights, helping healthcare delivery organizations (HDOs) identify gaps in vulnerability management plans and software bill of materials (SBOM) disclosures before devices are purchased or deployed. Censinet RiskOps™ also ensures that device labeling and documentation meet the three main requirements of Section 524B(b): vulnerability monitoring plans, postmarket update and patch processes, and detailed SBOMs. By centralizing this critical information, HDOs can confirm that each cyber device - defined according to FDA standards - meets statutory requirements. This automation lays the groundwork for faster, AI-driven risk assessments.
AI-Powered Risk Summaries
Censinet RiskOps™ leverages Censinet AI™ to create concise, easy-to-understand risk summaries. This feature allows HDOs to quickly review complex cybersecurity documentation without spending hours sifting through lengthy vendor submissions. The AI highlights essential safety details, such as whether a device needs specific network controls or configuration settings during installation, making risk assessments more efficient. Beyond this, Censinet AI™ speeds up the entire third-party risk assessment process by summarizing vendor evidence, identifying key integration details, and outlining fourth-party risk exposures. The platform also generates detailed risk summary reports while maintaining human oversight through customizable rules and review processes. These insights enhance collaboration between HDOs and vendors, fostering a more streamlined approach to risk management.
Coordinating Risk Management Between HDOs and Vendors
Censinet RiskOps™ facilitates seamless collaboration between HDOs and device manufacturers by ensuring vendors provide all necessary FDA Section 524B documentation. Through its collaborative risk network, the platform allows HDOs to request and monitor vendor commitments, such as timely delivery of security updates and patches. Vendors, in turn, can use the system to submit updated SBOMs and vulnerability disclosures directly. This coordination ensures compliance with FDA requirements and strengthens the partnership between HDOs and vendors.
"The sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act." - FDA
Conclusion
What HDOs Need to Remember
The 2025 FDA guidance introduced essential cybersecurity labeling requirements with 14 specific elements that healthcare delivery organizations (HDOs) must verify before purchasing or deploying medical devices. These requirements emphasize the need for thorough evaluation, particularly focusing on end-of-support warnings and the inclusion of software bills of materials (SBOMs) to address potential security vulnerabilities. The urgency is clear - cybersecurity incidents surged by 45% between 2022 and 2024, with 22 million patient records breached in 2023 alone[6].
To mitigate risks, HDOs should incorporate SBOM analysis into their procurement processes. This ensures vendors provide complete documentation for vulnerability tracking, postmarket updates, and patch management. Tools like Censinet RiskOps™ can simplify this process by automating labeling reviews and vendor coordination, significantly reducing the time required for risk assessments while ensuring compliance with FDA standards.
What's Next for Cybersecurity Labeling
Looking ahead, cybersecurity labeling is set to evolve with stricter requirements. These may include real-time SBOM updates, expanded labeling for software-as-a-medical-device (SaMD), and AI-powered threat detection. Such advancements could reduce breach incidents by 25%, thanks to improved vendor accountability and higher-quality documentation[4][10].
HDOs that adopt collaborative risk management platforms today will be better prepared for these future changes. Early adopters have already seen 30% faster risk resolution through automated labeling reviews and streamlined vendor coordination[11]. With over 1,200 medical device vulnerabilities reported by the FDA in 2025 - 60% of which were linked to poor documentation - staying proactive in meeting labeling mandates is critical. Doing so could help the industry avoid up to $10 billion in annual losses from cyberattacks[12]. These evolving standards will continue to foster stronger collaboration between HDOs and manufacturers, enhancing patient safety and building a more secure healthcare environment.
FAQs
Which of our medical devices qualify as FDA “cyber devices”?
Medical devices are classified as FDA "cyber devices" when they meet specific criteria: they must include software, connect to the internet or other networks, and possess features that could expose them to cybersecurity threats. These attributes align with the FDA's guidelines for identifying devices vulnerable to cyber risks.
How can an SBOM help quickly identify and prioritize device vulnerabilities?
An SBOM (Software Bill of Materials) is like a detailed ingredient list for software, cataloging all the components within a device. It allows for automated detection of vulnerabilities, making it easier to pinpoint weak spots. By mapping out components, their dependencies, and associated risks in real-time, an SBOM helps identify problem areas quickly, supports ongoing monitoring, and speeds up the remediation process. This approach improves visibility across the supply chain and simplifies risk management, cutting down the time and effort required with manual methods.
What should we do if a device is nearing end-of-support or no longer gets security patches?
If your device is approaching the end of its support lifecycle or has stopped receiving security updates, it's time to plan for a replacement. Staying up-to-date is critical for maintaining security and compliance. Regular and effective patch management helps minimize cybersecurity threats and safeguard sensitive information. Make sure your replacement strategy is in sync with your organization's risk management approach to tackle vulnerabilities without delay.
