FDA Digital Transformation

FDA’s Digital Transformation and the regulation of Medical Device Cybersecurity?

I read the recent FDA post that discussed the FDA’s Digital Transformation:

“Today, the U.S. Food and Drug Administration announced the reorganization of the agency’s information technology (IT), data management and cybersecurity functions into the new Office of Digital Transformation (ODT).”

Then I was reading an email from a news service that provides information and news targeting those that work in industries regulated by the US FDA.  The email stated, “The new office’s cybersecurity function will be especially relevant to devices, given increasing concerns about the vulnerability of some devices to online hacking.”

IMO, it could be a bit confusing and misleading to imply that the FDA Digital Transformation Cybersecurity Function will be especially relevant to devices.

IMO, from my first read of the original FDA Digital Transformation post, I do not believe that the activity included in Digital Transformation has a focus on medical device cybersecurity or the regulation of medical device cybersecurity.

This entire Office of Digital Transformation is about computers, networks and data resources owned and operated by the agency, aka FDA IT, and has minimal connections with regulated products.

I did ask a colleague at the FDA about this and heard back the following:  “Digital Transformation is primarily Information Technology. It’s not related to medical device security regulation directly. Of course, DT helps with basic administrative operations indirectly.”

Medical Device Regulatory Information is available on the Digital Health Center of Excellence website. It is my understanding that the Digital Health Center of Excellence is part of CDRH while the Office of Digital Transformation is now part of the Office of Commissioner.

Medical Device Cybersecurity Guidance can be accessed on the FDA’s Digital Health Center of Excellence webpage https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity#guidance

See our recent post on cybersecurity:  Cybersecurity Perspective – Physical OTS Components in Medical Devices

About the author

John is a 25-year FDA veteran. John served as a regulatory and compliance expert for FDA-regulated computers and software. Practice (focus) areas include FDA software-related guidances, software device classification determination, pre-market software review, post-market software inspectional 483’s, additional information software requests, Digital Health Pre-certification, AAMI software-related TIRs and related medical device software standards.
