by gmassman
1003 days ago
Use best IoT practices. Treat a medical device like any new product whose data you want to remain secure.

On the device itself, ensure your firmware is inaccessible to curious hackers. Most MCUs provide readback protection, so enable it! Ensure OTA updates are encrypted and signed, and only verified bootloaders can decrypt and install firmware. All network communications should be encrypted too; use HTTPS or similar protocols and treat your device certs like you treat your firmware.

On the backend, use web API security best practices. This means only allow API access to authorized devices and/or users. Keep your database secure. There are tons of resources out there about how to build a secure backend. Cybersecurity isn’t nearly as complicated as marketers and would-be consultants paint it out to be. Granted, programs are complicated (firmware especially), so invest heavily in good testing to catch insecure code before it manifests into issues.

As far as the FDA is concerned, document everything, probably more than you think is necessary. Write up a clear set of requirements, verification and validation plans, and very thorough design documents. This benefits both them and any future team members that may need to work on the project.