What about devices with no network at all?

Manual or service-tech updates remain valid. The submission needs to show how the manual path enforces the same integrity controls (signed packages, version verification, audit log).

Does OTA require a Predetermined Change Control Plan (PCCP)?

Only for AI/ML model updates that change algorithm performance. Standard security patches typically follow letter-to-file change controls.

All terms

CybersecurityConnected & Cyber-Physical Devices Software LifecycleOTA

Over-the-Air Updates

Remote, network-delivered software or firmware updates to a fielded medical device.

Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

Definition

Over-the-Air (OTA) updates are software or firmware updates delivered to a fielded medical device over a network - Wi-Fi, cellular, or hospital-managed channel - rather than via local USB, service visit, or operator manual upgrade. A robust OTA system includes cryptographic signing of update packages, integrity verification on the device, secure boot validation, A/B (or dual-bank) partitioning to support rollback, audit logging, and version reporting back to the manufacturer.

What the regulation says

FDA's 2023 cybersecurity guidance expects update mechanisms to be designed into the device, validated, and protected from tampering. The Updateability/Patchability architecture view in the submission must document the OTA channel's controls. NIST SP 800-193 (Platform Firmware Resiliency) and IEC 62443-4-1 inform the secure-update design pattern.

What this means in practice

OTA is the operational backbone of patchability. Most MedTech failures in this area are not in the cryptographic primitives but in the operational details - handling power loss mid-update, recovering from a corrupted partition, communicating status to clinicians, and giving hospitals control over the maintenance window.

Common pitfalls

•No rollback path - a single bad update bricks the fleet.
•Updates that require clinical downtime without a hospital-controlled maintenance window.
•Skipping signature verification 'because we control the update server' - trust the signature, not the server.

Frequently asked questions

No - many hospital security policies require approval before any device update reaches the network. OTA mechanisms should support a 'staged' or 'opt-in' delivery model.

Primary references

3 sources

Link health: 2 verified 1 bot-blocked· last checked 2026-05-09

FDA·1NIST·1MDCG·1

Inline markers like [1] jump to the matching reference above.