The FD&C Act Section 524B is a US FDA regulation addressing mobile medical device cybersecurity. The Federal Food, Drug, and Cosmetic Act (i.e., FD&C Act) is a United States federal law granting FDA authority to regulate food, drugs, cosmetics, and medical devices.
Section 524B was put in place to address growing cybersecurity concerns surrounding medical devices connected to mobile platforms like smartphones or tablets, and it requires manufacturers of such products to consider and mitigate any associated cybersecurity risks. Medical devices play an essential role in patient care, and their use has become increasingly ubiquitous in recent years. With the growth of connected medical devices, medical devices are becoming an increasingly attractive attack surface for threat actors. Cybersecurity risks can lead to severe patient consequences, such as compromised personal information, loss of device functionality, or even patient harm.
Under Section 524B, manufacturers of medical devices designed for use on mobile platforms must provide assurances regarding the security of their devices and demonstrate that appropriate safeguards have been put in place to guard against potential cybersecurity threats. These assurances may involve developing strategies to identify, prevent, respond to, and recover from security breaches.
In 2023 Section 524B was amended to require medical device manufacturers to take steps to ensure the cybersecurity of their products. If a device uses software that connects to the Internet, it is most likely a cyber device subject to new section 524B of the FD&C Act, “Ensuring Cybersecurity of Devices.” The 524B amendment took effect in March 2023 and will become part of the FDA’s “refuse to accept” (RTA) checklist in October 2023.
Section 524B requires that medical device manufacturers establish and maintain a comprehensive cybersecurity risk management program. The program must be designed to identify, assess, and manage cybersecurity risks throughout the device’s lifecycle, from design and development to postmarket surveillance.
The 2023 amendment to Section 524B adds four requirements that medical device manufacturers must meet for cybersecurity compliance:
- Submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and associated systems to address: (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
- Provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
- Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cyber secure.
In addition, Section 524B defines a “cyber device” as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) can connect to the Internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
FD&C Act Section 524B Compliance Best Practices
To meet Section 524B compliance requirements for their connected medical devices, medical device manufacturers should follow mobile security best practices, including:
- Integrate cybersecurity monitoring and alerting functions into the medical device and connected apps.
- Establish triage and prioritization processes, and remediation strategies, for identified vulnerabilities.
- Implement an ongoing application security testing program.
- Create a vulnerability disclosure program.
- Promptly report cybersecurity issues to the FDA.
- Develop and establish a cybersecurity risk management plan, including cybersecurity controls and risk mitigation strategies.
- Invest in a robust postmarket cybersecurity surveillance plan with a tested process for device updates and patches.
Text of FD&C Act Section 524B (as amended in March 2023)
SEC. 524B. [21 U.S.C. 360n–2] ENSURING CYBERSECURITY OF DEVICES.
(a) IN GENERAL.—A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(b) CYBERSECURITY REQUIREMENTS.—The sponsor of an application or submission described in subsection (a) shall—
(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address: (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cyber secure.
(c) DEFINITION.—In this section, the term “cyber device” means a device that—
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the Internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
(d) EXEMPTION.—The Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.
Conclusion
Section 524B of the Federal Food, Drug, and Cosmetic Act seeks to strengthen mobile medical device cybersecurity by writing cybersecurity requirements directly into the statute, while encouraging the development of secure technologies within the healthcare industry. The provision promotes collaboration among the FDA, device manufacturers, and other stakeholders to develop guidelines, standards, and best practices for mobile medical device cybersecurity.
The 2023 amendment to Section 524B further strengthens the cybersecurity of medical devices. By requiring manufacturers to develop and implement robust postmarket surveillance plans, Section 524B aims to improve the detection and management of potential cybersecurity risks associated with medical devices. The overarching goal of Section 524B and its 2023 amendment remains to better protect sensitive patient information, prevent unauthorized access to or tampering with devices, and reduce the risk of harm to patients.