As technology becomes more integrated into healthcare, protecting medical devices from cyber threats has become critical. The FDA has responded: in March 2023, Section 524B of the FD&C Act, ‘Ensuring Cybersecurity of Devices’, added to the Act by amendment, came into effect.
Let’s take a look at it in greater detail, and examine what medical device manufacturers must do to ensure that they are compliant.
Why is 524B important?
The FDA has stated that “beginning October 1, 2023, FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain the information required by section 524B of the FD&C Act and FDA may [refuse to accept] premarket submissions that do not”. We have seen the FDA preparing for this by hiring experts in the field, and already this year cybersecurity accounts for a growing share of the major and minor items in FDA responses (anywhere from 25% to 60% of items).
What does 524B require medtech companies to do?
- Submit a plan to monitor, identify, and address, as appropriate and in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber secure, and make available post-market updates and patches to the device and related systems.
- Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
How do medtech companies comply with 524B?
- Security by design must now be incorporated into medical device development.
- The device must have gone through a threat modeling process resulting in a comprehensive cybersecurity risk assessment.
- The risk assessment must rate risks by exploitability, using a scoring system such as the Common Vulnerability Scoring System (CVSS), rather than by estimated probability of occurrence.
- Controls must be designed for these risks and built into the device.
- The manufacturer must have a plan in place for reviewing, securing, and updating the security of the device over time.
- The manufacturer must have an incident management plan in place in order to respond to incidents as they arise.
- The submission must include a machine-readable SBOM so that the content of the software can be reviewed automatically by the FDA.
- Threat models must encompass both the cybersecurity and the safety aspects of the device; the resulting controls must be tested and included in the traceability matrix.
- The manufacturer must also design, develop, and maintain processes and procedures to ensure that the device and related systems are cyber secure on an ongoing basis.
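The SBOM requirement above (and in the statutory list earlier) only helps reviewers if the document is complete and internally consistent. The following is an added example, not code from the original article or from S3 Connected Health, showing the kind of pre-submission check a manufacturer can run over a CycloneDX JSON SBOM. The sample SBOM, its component names and version strings are constructed for illustration and say nothing about the security of those projects; the set of per-component fields treated as required (name, version, supplier, purl) is this example's assumption, not a list taken from the statute.

```python
"""Pre-submission completeness check for a CycloneDX JSON SBOM (added example)."""
import json
from dataclasses import dataclass

# Per-component fields this example requires before an SBOM is considered
# submission-ready. This set is an assumption of the example, not statutory text.
REQUIRED_FIELDS = ("name", "version", "supplier", "purl")

# Constructed sample SBOM. Component names and versions are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "device", "name": "ExampleDeviceFirmware", "version": "2.4.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1w",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@1.1.1w"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},                      # supplier missing
        {"type": "operating-system", "name": "FreeRTOS",
         "supplier": {"name": "Amazon"}},                          # version and purl missing
        {"type": "library", "name": "mbedtls", "version": "2.28.3",
         "supplier": {"name": "Arm"}, "purl": "pkg:generic/mbedtls@2.28.0"},  # purl disagrees
    ],
})


@dataclass(frozen=True)
class Finding:
    component: str   # "name@version" label of the offending component
    problem: str     # human-readable description of what is wrong


def load_sbom(text: str) -> dict:
    """Parse the SBOM and reject anything that is not a CycloneDX document with a component list."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    if not isinstance(sbom.get("components"), list):
        raise ValueError("SBOM has no components list")
    return sbom


def _supplier_name(comp: dict):
    # CycloneDX models supplier as an object; an object without a name is not useful to a reviewer.
    sup = comp.get("supplier")
    return sup.get("name") if isinstance(sup, dict) else None


def _purl_version(purl: str):
    # Strip purl qualifiers ("?arch=...") and subpath ("#...") before reading the version.
    core = purl.split("?", 1)[0].split("#", 1)[0]
    return core.rsplit("@", 1)[1] if "@" in core else None


def check_component(comp: dict) -> list:
    """Return a Finding for each missing required field and for a purl/version mismatch."""
    label = f'{comp.get("name", "<unnamed>")}@{comp.get("version", "?")}'
    findings = []
    for field_name in REQUIRED_FIELDS:
        value = _supplier_name(comp) if field_name == "supplier" else comp.get(field_name)
        if not value:
            findings.append(Finding(label, f"missing {field_name}"))
    purl, version = comp.get("purl"), comp.get("version")
    if purl and version:
        pv = _purl_version(purl)
        if pv != version:
            findings.append(Finding(label, f"purl version {pv!r} does not match version {version!r}"))
    return findings


def audit_sbom(text: str) -> dict:
    """Audit every component; report totals and the list of findings."""
    sbom = load_sbom(text)
    findings = []
    for comp in sbom["components"]:
        findings.extend(check_component(comp))
    incomplete = {f.component for f in findings}
    return {
        "components": len(sbom["components"]),
        "complete": len(sbom["components"]) - len(incomplete),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM)
    print(f'{report["complete"]}/{report["components"]} components submission-ready')
    for f in report["findings"]:
        print(f"  {f.component}: {f.problem}")
```

Run against the constructed sample, the audit reports one of four components as complete and four findings: zlib lacks a supplier, FreeRTOS lacks both a version and a purl, and mbedtls declares a version that disagrees with its purl. The purl consistency check matters because automated reviewers and vulnerability feeds key on the purl, so a stale purl silently points monitoring at the wrong release.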
‘It’s key to understand that you must maintain the device after it goes live. The post-market process must now be ready for review by the FDA at the time of submission. You don’t get to think about this afterward.’
John O'Gorman, Principal Technology Officer – Cybersecurity & Data Analytics, S3 Connected Health
Since the first draft of this legislation in 2016, our team of cybersecurity experts has continually applied the evolving regulations to FDA submissions, giving us a strong understanding of, and expertise in, achieving compliance.
To speak with our team of cybersecurity experts on 524B and what it means for your medical device submission, get in touch with us today.