Section 524B requires certain organizations to strengthen their medical device cybersecurity to mitigate the risk of security incidents.
On Dec. 29, 2022, Congress passed into law the Consolidated Appropriations Act, 2023. Section 3305 of that act, “Ensuring Cybersecurity of Medical Devices,” includes Section 524B, “Ensuring Cybersecurity of Devices,” which amends the Food, Drug, and Cosmetic Act (FD&C Act). Effective March 29, 2023, medical device manufacturers must meet certain cybersecurity standards. Further, if organizations do not meet said requirements, the U.S. Food and Drug Administration (FDA) will begin refusing to accept premarket submissions beginning Oct. 1, 2023.
To avoid such consequences and to shore up their cybersecurity, organizations can take steps to improve the security of medical devices that they manufacture or use and align with the requirements of the guidance.
Why does medical device cybersecurity matter?
One FDA spokesperson highlighted the criticality of implementing these new cybersecurity standards: “Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally.” For life sciences organizations that either work with medical devices or manufacture them, the risk of not aligning with this guidance could lead to incidents ranging from the exfiltration of patient information to device availability disruptions, resulting in a gap in patient care.
To whom does Section 524B apply?
Section 524B applies to medical device manufacturers, healthcare providers, health systems, third-party device servicers, patient advocates, and organizations that use third-party medical devices to provide services to patients.
What steps should organizations take?
Until Oct. 1, 2023, the FDA will work with organizations to enhance any cybersecurity documentation that does not outline plans to remediate identified vulnerabilities. Starting Oct. 1, 2023, the FDA will likely refuse to accept premarket submissions of devices that do not have cybersecurity plans outlined in their product applications.
Organizations can take proactive steps to align with Section 524B guidance, and they can rely on established cybersecurity practices to do so. For example, the National Institute of Standards and Technology (NIST) Special Publication 800-53 provides security and privacy controls for information systems and organizations. If organizations do not already include such controls as part of their information security programs, they should consider adopting NIST security practices.
What does Section 524B require?
FDA guidance, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” outlines four requirements of Section 524B. Following is a summary of those four requirements.