Encryption of data at rest and in transit carries over from existing security design requirements; the confidentiality controls here narrow it to patient-safety-relevant data rather than all device data.
FDA Appendix 1.E explicitly scopes confidentiality to data whose disclosure could cause patient harm, identifies credential confidentiality as a multi-patient harm risk, and requires confidentiality assessment as part of threat modeling and risk management.
Credential storage security (hardware-backed vs. plaintext), encryption coverage of safety-relevant data, and multi-patient harm assessment for shared credentials — missing credential encryption is the most common confidentiality deficiency.
Maps to
FDA Cybersecurity: §Appendix 1.E Confidentiality
Requirement text
FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026) recommends that manufacturers ensure support for the confidentiality of any data whose disclosure could lead to patient harm. Loss of confidentiality of credentials could be used by a threat actor to effect multi-patient harm. Lack of encryption to protect sensitive information at rest and in transit can expose that information to misuse that could lead to patient harm. Manufacturers should evaluate and assess confidentiality controls during threat modeling and risk management activities and make appropriate changes to ensure confidentiality controls are in place.
Why this clause exists
Confidentiality in the medical device context carries a patient-safety dimension that differs from general IT confidentiality: the primary concern is not privacy of health information (addressed by HIPAA) but rather the use of disclosed information to enable device compromise that causes direct harm. FDA Appendix 1.E specifically identifies credential confidentiality as a multi-patient harm risk: if authentication credentials shared across a device fleet are disclosed, a threat actor can authenticate to all devices simultaneously. This is structurally distinct from a single-device safety risk. The guidance scopes confidentiality to data whose disclosure could lead to patient harm — including cryptographic keys used for authentication — while expressly noting that protection of protected health information (PHI) confidentiality, though important, is covered by HIPAA rather than this guidance. This scoping helps manufacturers prioritize confidentiality controls on safety-relevant data (device commands, configuration parameters, authentication credentials) rather than treating all data as equivalent.
What changed
FDA's September 2023 final guidance (updated February 2026) Appendix 1.E scopes device confidentiality requirements to data whose disclosure could lead to patient harm, explicitly distinguishing this from HIPAA PHI confidentiality obligations. The specific identification of credential confidentiality as a multi-patient harm risk is new — it connects a confidentiality control failure directly to the multi-patient harm framework established in the security architecture view requirements. This scoping helps manufacturers prioritize confidentiality controls on safety-critical assets.
Common gaps (what we see in audits)
- Authentication credentials stored or transmitted without encryption — Device authentication credentials, including shared fleet credentials that could enable multi-patient harm, are sometimes stored in plaintext on device file systems or transmitted without encryption. FDA Appendix 1.E recommends confidentiality controls specifically for credentials whose disclosure could enable patient harm, with elevated attention to credentials shared across device fleets.
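An added example, not from the guidance or any manufacturer's code, that models the multi-patient harm point above: the same challenge-response authentication is run over a fleet provisioned with one shared secret versus per-device credentials derived from a master key that never leaves the provisioning system, and the number of devices exposed by a single plaintext credential disclosure is compared. Device IDs, keys and the HMAC scheme are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

def derive_device_credential(master_key: bytes, device_id: str) -> bytes:
    """Per-device credential = HMAC-SHA256(master_key, label || device_id).
    Simplified one-step KDF (HKDF-Expand style, assumed for this example).
    The master key stays in provisioning; each device only holds its own value,
    ideally inside a secure element rather than the plaintext file system."""
    return hmac.new(master_key, b"device-auth-v1|" + device_id.encode(), hashlib.sha256).digest()

def provision_fleet(device_ids: Iterable[str], shared: bool) -> Dict[str, bytes]:
    """Return {device_id: credential stored on that device}.
    shared=True models the audit gap: one fleet-wide secret on every device."""
    device_ids = list(device_ids)
    if shared:
        fleet_secret = secrets.token_bytes(32)
        return {d: fleet_secret for d in device_ids}
    master = secrets.token_bytes(32)  # never provisioned onto any device
    return {d: derive_device_credential(master, d) for d in device_ids}

def challenge_response(cred: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device proves possession of its credential over a server-chosen nonce."""
    return hmac.new(cred, device_id.encode() + nonce, hashlib.sha256).digest()

def server_verify(registry: Dict[str, bytes], device_id: str, nonce: bytes, response: bytes) -> bool:
    """Server-side check against the credential registered for that device."""
    expected = challenge_response(registry[device_id], device_id, nonce)
    return hmac.compare_digest(expected, response)

def devices_exposed_by_leak(registry: Dict[str, bytes], leaked_from: str) -> int:
    """Risk measure for threat modeling: how many device identities the server
    would accept if the credential on ONE device were disclosed. A result equal
    to the fleet size is the multi-patient harm case Appendix 1.E calls out."""
    leaked = registry[leaked_from]
    nonce = secrets.token_bytes(16)
    return sum(server_verify(registry, d, nonce, challenge_response(leaked, d, nonce))
               for d in registry)

if __name__ == "__main__":
    ids = [f"pump-{i:03d}" for i in range(5)]  # constructed fleet
    shared, per_device = provision_fleet(ids, True), provision_fleet(ids, False)
    print("shared credential, one device disclosed:", devices_exposed_by_leak(shared, "pump-000"))
    print("per-device credential, one device disclosed:", devices_exposed_by_leak(per_device, "pump-000"))
```

Encrypting the credential at rest or holding it in hardware reduces the likelihood of the disclosure; per-device derivation is what bounds its consequence to a single patient.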