A recent FDA Class II recall involving GE HealthCare’s Centricity Universal Viewer is another sign that medical device cybersecurity is no longer being treated as a secondary IT issue. It is being treated as a product safety, quality, and regulatory issue. The FDA posted the recall on March 16, 2026, after GE initiated corrective action on January 30, 2026.
According to FDA recall records, the issue involves service login credentials that could be identified on affected systems. If an unauthorized person gained access to the local workstation, they could potentially access the system and manipulate patient data. GE issued an urgent medical device correction notice and told customers they could continue using the affected products while applying interim mitigations, including workstation security controls and network account authentication using Active Directory or LDAP where possible. GE also stated it would correct affected products at no cost.
This matters beyond one vendor or one product line.
The vulnerability described in the recall is not especially exotic. It is the kind of issue that should be identified through secure design review, authentication control analysis, threat modeling, and validation of how credentials are handled at the endpoint. But the bigger signal is regulatory. FDA’s current cybersecurity expectations are now much more explicit, more operational, and more closely tied to overall device safety and quality.
FDA’s February 3, 2026 cybersecurity guidance superseded the June 27, 2025 version and continues to address Section 524B of the FD&C Act for cyber devices. Section 524B requires applicable manufacturers to provide documentation showing that they have plans and procedures to monitor, identify, and address postmarket vulnerabilities, that they can make patches and updates available in a reasonably justified cycle, and that they can provide an SBOM covering commercial, open-source, and off-the-shelf software components.
Just as important, FDA says cybersecurity is part of device safety and part of the Quality Management System. It is not something to be bolted on at the end of development or handled only as an incident response function. The agency also states that inadequate cybersecurity information in device labeling may cause a device to be misbranded under the FD&C Act. That means cybersecurity documentation now has legal and market consequences, not just technical ones.
For medical device manufacturers, the lesson is clear. Regulators are looking for evidence of process, traceability, and defensible decision making. They want to see that vulnerabilities are identified in context, assessed against device architecture and intended use, prioritized appropriately, and addressed through documented processes that connect engineering, product security, quality, and regulatory teams.
That means several things should already be in motion.
First, manufacturers need accurate SBOM coverage for relevant devices and a way to keep that data useful over time. An SBOM by itself is not enough if it is disconnected from architecture, exploitability, compensating controls, and postmarket workflows. FDA’s requirements are about more than file generation. They are about demonstrating control.
Second, authentication and credential handling practices deserve close review. The GE recall centers on exposed service credentials. That is a reminder that basic design and implementation choices can become recall-level events when they affect access, integrity, or system availability in clinical environments.
Third, cybersecurity labeling and documentation should be reviewed with the same seriousness as other regulated product content. If the security information provided to customers and regulators is incomplete, inconsistent, or not operationally useful, the risk is no longer theoretical. FDA has made clear that labeling adequacy matters.
Finally, manufacturers should be preparing for a broader regulatory environment, not just FDA. In the EU, CRA reporting obligations begin on September 11, 2026, ahead of the broader application date in December 2027. The direction is the same across markets: more evidence, more accountability, and less tolerance for fragmented cybersecurity processes.
Medical device cybersecurity is now a lifecycle discipline. The companies that are ready will be the ones that can connect SBOMs, vulnerabilities, architecture, risk decisions, corrective actions, and regulatory evidence into one defensible operating model.
At C2A Security, we help medical device manufacturers do exactly that. EVSec brings together product context, SBOM intelligence, vulnerability management, threat modeling, and compliance workflows so teams can move faster, make better risk decisions, and show regulators the evidence behind them. If you want to strengthen FDA readiness and reduce postmarket exposure without adding more disconnected tools and manual work, C2A can help.