The Advanced Medical Technology Association (AdvaMed) updated its Code of Ethics effective November 1, 2025, primarily to add a new section on “data-driven technologies,” including the security of systems that process patient data.
The update signals heightened compliance expectations for industry, not only for traditional commercial interactions with HCPs but also for digital health ecosystems. It also follows recent regulatory and enforcement pressures—in particular, FDA's enhanced focus on medical device cybersecurity and DOJ's emerging focus on cybersecurity vulnerabilities as potential violations of the False Claims Act (FCA). The convergence of these developments underscores that robust cybersecurity is a risk-management imperative for device manufacturers.
The updated Code principally adds a new section, Section XIV, on “data-driven technologies.” The new section recognizes that medical devices increasingly rely on software, connectivity, and data analytics, and emphasizes that companies must ensure trust and ethical stewardship as these technologies expand in clinical use. AdvaMed encourages companies to apply three categories of principles in deploying data-driven technologies:
The AdvaMed Code guidance supplements and interprets legal requirements, and this new Section XIV is no different—it provides thematic contours for compliance considerations that build on existing federal and state privacy and consumer protection laws. At the same time, the revision underscores industry commitments to ensuring their compliance programs evolve along with innovations in software, AI, and connectivity.
AdvaMed's update follows recent actions by FDA and DOJ that collectively reinforce the importance of systemic cybersecurity not only to device authorization and management but also to a manufacturer's FCA exposure.
In June 2025, FDA updated its final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, as we discussed here and here. Recognizing that “cybersecurity threats to the healthcare sector have become more frequent and more severe,” the guidance outlines FDA's recommendations for manufacturers of software-enabled or internet-connectable medical devices. Manufacturers must show that these devices have a “reasonable assurance” of cybersecurity as part of FDA's safety and effectiveness determination under the Food, Drug, and Cosmetic Act.
The FDA guidance indicates that cybersecurity compliance is essential throughout a device's total product lifecycle—tracking AdvaMed's later update recommending that manufacturers protect data “through appropriate organizational security measures” and “train teams in relevant aspects of data protection and cybersecurity to maintain a consistently high level of threat awareness.”
In parallel, FDA has been seeking more detailed information from manufacturers on cybersecurity, both in terms of testing before the device is authorized and in terms of how the manufacturer will monitor post-market performance and address any cybersecurity deficiencies.
Given that many devices comprised of or containing software include both “device” and “non-device” functions, it is notable that FDA routinely expects marketing applications to include end-to-end testing of cybersecurity, i.e., of the product as a whole notwithstanding that its functions may not all be regulated by FDA.
With respect to management of cybersecurity after a device is authorized, FDA now requires for 510(k), De Novo, and PMA submissions that manufacturers include a “cybersecurity management plan” (CMP) in premarket submissions so that FDA can evaluate how they will maintain device safety and effectiveness in this respect after marketing authorization. The CMP must include:
DOJ has, in turn, pursued enforcement actions on the theory that cybersecurity shortcomings can serve as the basis for FCA liability. As we wrote about here, recent settlements reflect that cybersecurity vulnerabilities are increasingly FCA risks for government contractors, including device manufacturers. The government's settlement with Illumina, Inc., a biotechnology company, illustrates this point.
Illumina sold genomic-sequencing systems (a type of medical device) to federal agencies. The systems allegedly failed to comply with certain of FDA's device cybersecurity requirements, including by failing to incorporate cybersecurity throughout the product's life cycle. Despite no actual breach, DOJ alleged that Illumina's certifications of compliance and inadequate quality systems made its claims false.
Illumina's settlement did not involve an admission of wrongdoing, and it seems possible that the $9.8 million settlement amount, which was significantly lower than potential damages in the complaint, could indicate the challenges the government will face in connecting alleged cybersecurity weaknesses to government financial harm. In particular, DOJ (and qui tam relators) face a burden of proving how cybersecurity vulnerabilities meet materiality and causation standards under the FCA when the agency received the actual products or services for which the defendant billed.
These potential defenses notwithstanding, the settlement illustrates how DOJ (or relators) could extend this government contractor-based theory of liability to claims for cyber devices reimbursed by federal health care programs like Medicare and Medicaid, which could further increase potential financial exposure. It is notable, however, that in articulating its allegations in the settlement agreement, the government did not adopt a federal health care program reimbursement theory even though the Illumina relator advanced that theory in her complaint.
AdvaMed's update to the Code, FDA's cybersecurity guidance and related scrutiny, and DOJ's recent enforcement activity all point to a unified expectation that device manufacturers manage cybersecurity as an essential compliance obligation. They also collectively raise the bar for how companies align with industry benchmarks, manage their quality systems, and substantiate representations to the government. If you have questions about what these developments may mean in practice, please contact any of the authors of this update or the Hogan Lovells lawyer with whom you regularly work.
Authored by Jonathan Diesenhaus, Thomas Beimers, Suzanne Levy Friedman, Laura Hunter, and Evelyn Tsisin