FDA Enforcement Discretion Expected January 6
The Food and Drug Administration will announce a 90-day enforcement discretion policy for its new medical device cybersecurity rule on January 6, giving manufacturers until early April to comply with enhanced vulnerability reporting requirements, according to two FDA officials familiar with the decision. The officials said the policy will apply to devices submitted for premarket approval after January 1, 2026, and will not alter the underlying rule but will delay active enforcement of certain documentation requirements.
The rule in question, finalized in late 2024, requires device makers to submit software bills of materials, vulnerability scanning reports, and remediation timelines as part of the FDA premarket review process. The officials said the agency has received complaints from more than 40 device manufacturers since October 2025 arguing that smaller firms lack the resources to meet the documentation standards by the original January 1 deadline. The officials said the Center for Devices and Radiological Health recommended the delay after a December 23 meeting with industry representatives at FDA headquarters in White Oak, Maryland.
A lobbyist for device makers, who attended the December 23 meeting, confirmed that FDA officials signaled the delay during the final 15 minutes of the session. The lobbyist said the agency agreed to publish the enforcement discretion notice in the Federal Register on January 6 and to hold a public webinar on January 14 to explain the transition period. The lobbyist added that major trade associations, including AdvaMed and the Medical Device Manufacturers Association, were informed of the decision in a January 3 email from the FDA's Office of External Affairs.
CMS Prepares Parallel Payment Adjustment
The Centers for Medicare and Medicaid Services is preparing a related payment adjustment that will increase hospital outpatient reimbursement rates for cybersecurity-related maintenance by 3.2 percent starting April 1, according to a hospital administrator briefed on the rule. The administrator said CMS will issue the change through a transmittal on January 8, with the new rates taking effect for services provided on or after April 1, 2026. The adjustment will apply to outpatient procedures involving networked diagnostic and therapeutic devices that require regular security patches.
The administrator, who helps oversee payment policy at a nonprofit hospital system in the Midwest, said the CMS change is intended to offset costs that hospitals will incur as device makers pass cybersecurity compliance expenses downstream. The administrator said the 3.2 percent adjustment was calculated based on a CMS analysis of 2024 cost reports from 220 hospitals that identified an average annual cybersecurity maintenance cost of $1.7 million per facility. The administrator added that the agency will open a 30-day comment period after issuing the transmittal.
One of the FDA officials said the CMS adjustment was developed in coordination with the Department of Health and Human Services Office of the National Coordinator for Health Information Technology. The official said the two agencies held a joint call on December 30 with representatives from ten hospital systems to discuss how the payment change would interact with the delayed enforcement timeline. The official added that discussions surrounding the HHS Secretary nominee played no role in the decision and that career staff made the recommendation.
Industry Reaction and Small Business Concerns
Device makers with fewer than 100 employees have been among the most vocal opponents of the cybersecurity rule, arguing that the cost of third-party vulnerability assessments can exceed $200,000 per device line. A second lobbyist for device makers, who represents several small manufacturers in Minnesota and Massachusetts, said the 90-day delay provides only marginal relief and that many firms will need six months to complete the required documentation. The lobbyist said at least 15 small device makers have considered withdrawing products from the U.S. market if compliance costs continue to rise.
The hospital administrator said larger health systems generally support the CMS adjustment but are concerned that it will not cover the full cost of maintaining legacy devices that no longer receive manufacturer security updates. The administrator cited one 2018 imaging system still in use at a regional hospital that cannot receive automated patches and must be manually updated at a cost of roughly $40,000 per year. The administrator said CMS has not indicated whether it will provide separate funding for legacy device replacement.
The FDA officials said the 90-day enforcement discretion will not apply to devices that have already received warning letters for cybersecurity deficiencies. The officials said the agency's Office of Compliance will continue to monitor adverse event reports and may still take action against devices that pose an immediate risk to patient safety. The officials added that the enforcement discretion notice will include a list of 12 device categories that remain subject to full compliance, including infusion pumps, pacemakers, and insulin delivery systems.
What to Watch Over the Next 72 Hours
Watch for the Federal Register notice to appear on January 6, which will include the exact end date of the enforcement discretion period and any exceptions for high-risk devices. The FDA officials said the agency's Center for Devices and Radiological Health will post a guidance document on its website by noon on January 6, ahead of the January 14 webinar. The officials said the webinar will include a question-and-answer session with CDRH Director Michelle Tarver, though the format has not been finalized.
Congressional health staffers in both chambers said they expect the delay to draw scrutiny from lawmakers who supported the original rule. A Republican aide on the Senate Health, Education, Labor, and Pensions Committee said Senator Bill Cassidy of Louisiana may request a briefing from FDA leadership before the end of the month. A Democratic aide on the House Energy and Commerce health subcommittee said members are concerned that repeated enforcement delays will undermine the rule's effectiveness.
The combined FDA and CMS actions could shape the regulatory environment for medical devices through the first half of 2026. Device makers are expected to use the 90-day window to submit revised compliance plans, while hospitals will begin budgeting for the April 1 payment adjustment. If the delay leads to a broader rulemaking revision, the cybersecurity requirements could become a central issue in upcoming hearings on health care costs and patient safety.
