Medical device cybersecurity

Complying with Section 524B

Brad Gilliat, Michael Lucas, Ann Lyndon Duckworth
5/31/2023

Section 524B requires certain organizations to strengthen their medical device cybersecurity to mitigate the risk of security incidents.

On Dec. 29, 2022, the Consolidated Appropriations Act, 2023, was signed into law. Section 3305 of that act, “Ensuring Cybersecurity of Medical Devices,” adds Section 524B, “Ensuring Cybersecurity of Devices,” to the Federal Food, Drug, and Cosmetic Act (FD&C Act). The new section took effect March 29, 2023, and requires sponsors of premarket submissions for “cyber devices” to meet specific cybersecurity requirements. The U.S. Food and Drug Administration (FDA) has stated that it will refuse to accept premarket submissions that do not meet those requirements beginning Oct. 1, 2023.

To avoid such consequences and to shore up their cybersecurity, organizations can take steps to improve the security of medical devices that they manufacture or use and align with the requirements of the guidance.

Why does medical device cybersecurity matter?

One FDA spokesperson highlighted the criticality of implementing these new cybersecurity standards: “Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally.” For life sciences organizations that manufacture medical devices or work with them, failing to align with this guidance leaves them exposed to incidents ranging from exfiltration of patient information to loss of device availability, either of which can create a gap in patient care.

To whom does Section 524B apply?

Section 524B places its obligations on the sponsor of a premarket submission (a 510(k), De Novo, PMA, or HDE submission, among others) for a “cyber device,” which the statute defines as a device that includes software validated, installed, or authorized by the sponsor; has the ability to connect to the internet; and contains technological characteristics that could be vulnerable to cybersecurity threats. In practice, the requirements therefore fall on medical device manufacturers. Healthcare providers, health systems, third-party device servicers, patient advocates, and organizations that use third-party medical devices to provide services to patients are affected indirectly: they are the recipients of the software bills of materials, patches, and vulnerability disclosures that manufacturers must now provide, and they should plan to consume them.

What steps should organizations take?

Until Oct. 1, 2023, rather than refusing a submission, the FDA will work with sponsors to improve cybersecurity documentation that does not outline plans to remediate identified vulnerabilities. Starting Oct. 1, 2023, the FDA intends to refuse to accept premarket submissions for cyber devices whose applications do not include the required cybersecurity information.

Organizations can take proactive steps to align with Section 524B guidance, and they can rely on established cybersecurity practices to do so. For example, the National Institute of Standards and Technology (NIST) Special Publication 800-53 provides security and privacy controls for information systems and organizations. If organizations do not already include such controls as part of their information security programs, they should consider adopting NIST security practices.

What does Section 524B require?

FDA guidance, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” outlines four requirements of Section 524B. Following is a summary of those four requirements.

1. Submit a plan

Section 524B requires organizations to submit a plan “to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”

Monitor. NIST controls SI-4 (System Monitoring), SI-5 (Security Alerts, Advisories, and Directives), SC-7 (Boundary Protection), AU-2 (Event Logging), and AU-9 (Protection of Audit Information) cover monitoring systems to detect attacks or unauthorized access and keeping the resulting records trustworthy. Organizations can follow this guidance to:

  • Log the security-relevant events the device and its supporting application can record: authentication attempts and failures, privilege and account changes, configuration and therapy-setting changes, software and firmware updates, application programming interface calls, and interactions between the user, the device, and other systems. Keep patient data, credentials, and tokens out of log lines, and size the log to the device’s storage and performance budget. A complete audit trail makes it possible to reconstruct what happened once a vulnerability is identified or exploited.
  • Subscribe to security alerts and advisories from external sources, such as CISA, the Health-ISAC, and component vendors, on an ongoing basis.
  • Implement tools such as intrusion detection systems, intrusion prevention systems, and web application firewalls to monitor the supporting applications and the networks the devices connect to.
  • Forward logs to a security information and event management (SIEM) solution so they are tracked centrally and protected from unauthorized access, modification, or deletion; a device that holds the only copy of its own logs cannot be trusted to report its own compromise.
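To make the last two points concrete, the following Python script, added here as an illustration and not code from the original article or from any device vendor, keeps a device audit log as an HMAC chain so that a SIEM holding the latest tag can detect entries that were modified, removed from the middle, or dropped from the end. The device key, event names, field names, and redaction policy are assumptions for the example.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical per-device logging key. On a real device this would be
# provisioned at manufacture and held in a secure element, not a constant.
DEVICE_LOG_KEY = b"example-device-log-key-do-not-use"

GENESIS_TAG = "0" * 64  # tag "before" the first entry

# Assumed policy: these fields never reach a log line in clear text.
REDACTED_FIELDS = {"patient_id", "password", "token"}


def _canonical(record):
    """Deterministic bytes for a record so the tag does not depend on dict order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_tag(key, prev_tag, record):
    """HMAC over the previous tag and this record: each tag commits to the whole history."""
    return hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only device log whose entries are chained by HMAC tags."""

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.last_tag = GENESIS_TAG

    def append(self, event, ts=None, **fields):
        # Identifiers are replaced with a truncated one-way hash: still linkable, not readable.
        safe = {
            k: (hashlib.sha256(str(v).encode()).hexdigest()[:16] if k in REDACTED_FIELDS else v)
            for k, v in fields.items()
        }
        record = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event": event,
            **safe,
        }
        tag = _entry_tag(self.key, self.last_tag, record)
        self.entries.append({**record, "tag": tag})
        self.last_tag = tag
        return tag


def verify_chain(key, entries):
    """Walk the chain; return (ok, index of first bad entry or None).

    Catches modified entries and entries removed from the middle, but not
    entries silently dropped from the end (see verify_against_anchor)."""
    prev = GENESIS_TAG
    for i, entry in enumerate(entries):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i:
            return False, i
        if not hmac.compare_digest(_entry_tag(key, prev, record), entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def verify_against_anchor(key, entries, expected_last_tag):
    """Chain check plus comparison with a tag the SIEM recorded out of band,
    which also catches truncation of the tail."""
    ok, _ = verify_chain(key, entries)
    last = entries[-1]["tag"] if entries else GENESIS_TAG
    return ok and hmac.compare_digest(last, expected_last_tag)


def build_sample_log():
    """Constructed sample events for an infusion-pump-style device (not real data)."""
    log = AuditLog(DEVICE_LOG_KEY)
    log.append("auth_failure", ts="2023-05-31T12:00:00Z", user="nurse01", source="10.0.0.5")
    log.append("config_change", ts="2023-05-31T12:01:10Z", user="biomed02",
               setting="max_infusion_rate", old="5", new="8", patient_id="MRN-0001")
    log.append("firmware_update", ts="2023-05-31T12:05:00Z", user="svc_vendor",
               version="2.4.1", signature_ok=True)
    return log


def modified_entry_detected():
    """An attacker rewrites the rate change to hide it: the tag at index 1 no longer matches."""
    entries = copy.deepcopy(build_sample_log().entries)
    entries[1]["new"] = "5"
    return verify_chain(DEVICE_LOG_KEY, entries)


def deleted_entry_detected():
    """Removing the middle entry breaks both the sequence number and the chain."""
    entries = copy.deepcopy(build_sample_log().entries)
    del entries[1]
    return verify_chain(DEVICE_LOG_KEY, entries)


def truncated_tail_needs_anchor():
    """Dropping the newest entries leaves a valid chain; only the SIEM's anchor tag reveals it."""
    log = build_sample_log()
    entries = log.entries[:2]
    chain_ok, _ = verify_chain(DEVICE_LOG_KEY, entries)
    anchored_ok = verify_against_anchor(DEVICE_LOG_KEY, entries, log.last_tag)
    return chain_ok, anchored_ok


if __name__ == "__main__":
    print("intact:", verify_chain(DEVICE_LOG_KEY, build_sample_log().entries))
    print("modified:", modified_entry_detected())
    print("deleted:", deleted_entry_detected())
    print("truncated (chain ok, anchored ok):", truncated_tail_needs_anchor())
```

The chain only proves as much as the key does: an attacker who extracts the device key can rewrite and re-tag the whole log, so the key belongs in hardware-backed storage and the SIEM should record each new tag as it is forwarded, which is what turns the truncation case from undetectable into detectable.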

Identify. NIST controls CA-8 (Penetration Testing), RA-5 (Vulnerability Monitoring and Scanning), and SA-11 (Developer Testing and Evaluation) cover testing and scanning to identify vulnerabilities in hardware and software. Organizations can follow this guidance to:

  • Conduct penetration testing and vulnerability scanning on the physical device and supporting applications and networks. According to NIST, testing and scanning frequency should be based on risk and determined by the organization.
  • Perform application security testing inclusive of static application security testing, dynamic application security testing, interactive application security testing, and manual code reviews.
  • Inventory the third-party software and components in the device, including vendor-supplied firmware and open-source libraries, and confirm that those suppliers can support the new requirements, in particular timely vulnerability disclosure and patch availability. This action is especially relevant for companies whose devices embed third-party software.

Address. NIST controls RA-7 (Risk Response) and SI-2 (Flaw Remediation) call for remediating identified critical and high-risk vulnerabilities within time frames the organization sets based on its risk tolerance. Organizations can follow this guidance to:

  • Define a vulnerability management process and risk-rate vulnerabilities based on exploitability and impact.
  • Define a remediation process with time frames per severity level so that patches are prioritized by risk, with a shorter time frame for vulnerabilities known to be exploited.
  • Track all remediation progress on identified vulnerabilities, either manually or by using an information technology service management tool.

2. Develop processes and procedures

Section 524B requires organizations to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” Organizations also should regularly provide postmarket updates and patches to address known vulnerabilities and mitigate critical vulnerabilities as needed, even if out of cycle.

NIST controls CM-2 (Baseline Configuration), CM-3 (Configuration Change Control), and CM-9 (Configuration Management Plan) support such risk mitigation, and organizations can follow this guidance to:

  • Establish secure software development processes
  • Develop secure configuration and change management processes by confirming the system is hardened following configuration standards
  • Track processes to test, review, and approve necessary changes to systems before implementation

3. Provide a software bill of materials

Section 524B requires organizations to provide “a software bill of materials, including commercial, open-source, and off-the-shelf software components.”

  • Providing a software bill of materials (SBOM) with each product submission, and with each subsequent release, strengthens both security and documentation. A software composition analysis tool can generate the component inventory, but the output should be checked against what is actually built into the device, since proprietary and vendor-supplied firmware is easily missed by scanners.
  • Review and update the SBOM whenever the software changes. Free and open-source SBOM generators are available for companies that cannot purchase a commercial solution.
  • Keep the SBOM in a machine-readable standard format such as SPDX or CycloneDX so that customers and tooling can consume it; dashboards, reports, and spreadsheet exports are views of that data, not a substitute for it.
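The following Python script, added here as an illustration and not code from the original article or from any SBOM tool, ties the SBOM requirement above to the “Address” step described earlier: it reads a CycloneDX-style SBOM, matches each versioned component against an advisory feed, risk-rates the matches from their CVSS score and known-exploitation status, and assigns due dates from a remediation policy. The SBOM, the advisory entries, the component names, the placeholder advisory IDs, and the policy time frames are all constructed for the example.

```python
import json
import re
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM fragment for a fictional device.
# Component names are invented for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libinfusionctl", "version": "2.3.0",
     "purl": "pkg:generic/libinfusionctl@2.3.0"},
    {"type": "library", "name": "netstack-tls", "version": "1.1.1t",
     "purl": "pkg:generic/netstack-tls@1.1.1t"},
    {"type": "library", "name": "jsonparse", "version": "3.0.1",
     "purl": "pkg:generic/jsonparse@3.0.1"},
    {"type": "firmware", "name": "vendor-blob", "purl": "pkg:generic/vendor-blob"}
  ]
}"""

# Constructed advisory feed in an OSV-like shape (affected if introduced <= version < fixed).
# The IDs are placeholders, not real vulnerability identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "libinfusionctl", "introduced": "2.0.0",
     "fixed": "2.4.2", "cvss": 9.1, "known_exploited": False},
    {"id": "EXAMPLE-0002", "component": "netstack-tls", "introduced": "1.1.1",
     "fixed": "1.1.1u", "cvss": 7.5, "known_exploited": True},
    {"id": "EXAMPLE-0003", "component": "jsonparse", "introduced": "2.0.0",
     "fixed": "3.0.0", "cvss": 5.3, "known_exploited": False},
    {"id": "EXAMPLE-0004", "component": "jsonparse", "introduced": "3.0.0",
     "fixed": "3.1.0", "cvss": 4.0, "known_exploited": False},
]

# Assumed organizational remediation policy: days allowed to fix, by severity.
POLICY_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
EXPLOITED_DAYS = 7  # anything with known exploitation jumps the queue


def version_key(v):
    """Split '1.1.1t' into comparable chunks: numbers compare numerically, letters as suffixes."""
    return [(0, int(c)) if c.isdigit() else (1, c) for c in re.findall(r"\d+|[A-Za-z]+", v)]


def in_range(version, introduced, fixed):
    k = version_key(version)
    return version_key(introduced) <= k < version_key(fixed)


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def unversioned_components(sbom_json):
    """SBOM quality check: components without a version cannot be matched against advisories."""
    return [c["name"] for c in json.loads(sbom_json)["components"] if not c.get("version")]


def triage(sbom_json, advisories, assessed_on):
    """Match SBOM components to advisories and assign risk-based due dates, earliest first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        version = comp.get("version")
        if not version:
            continue
        for adv in advisories:
            if adv["component"] != comp["name"] or not in_range(version, adv["introduced"], adv["fixed"]):
                continue
            sev = severity(adv["cvss"])
            days = EXPLOITED_DAYS if adv["known_exploited"] else POLICY_DAYS[sev]
            findings.append({
                "component": comp["name"], "version": version, "advisory": adv["id"],
                "severity": sev, "known_exploited": adv["known_exploited"],
                "fixed_in": adv["fixed"], "due": assessed_on + timedelta(days=days),
            })
    return sorted(findings, key=lambda f: (f["due"], not f["known_exploited"]))


def run_sample():
    """Triage the constructed SBOM as of a fixed assessment date."""
    return triage(SBOM_JSON, ADVISORIES, date(2023, 5, 31))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['due']}  {f['severity']:8} {f['component']} {f['version']} "
              f"-> fix in {f['fixed_in']} ({f['advisory']})")
    print("components that cannot be matched:", unversioned_components(SBOM_JSON))
```

Two details carry most of the value: the exploited-in-the-wild flag overrides the severity-based time frame, which is how a high-rated but actively exploited flaw ends up due before a critical one, and the unversioned firmware component is reported separately because an SBOM entry without a version is a documentation gap, not a clean result.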

4. Comply with requirements

Section 524B requires organizations to “demonstrate reasonable assurance that the device and related systems are cybersecure.”

NIST controls SC-28 (Protection of Information at Rest), SC-8 (Transmission Confidentiality and Integrity), AC-1 (Policy and Procedures), and AC-2 (Account Management) give direction on protecting the data a device handles and controlling who can reach it.

  • Many medical devices process protected health information, so devices and their supporting systems should protect that data in transit and at rest with well-vetted cryptography: TLS with certificate validation for connections to other systems, and authenticated encryption for stored data, with keys held separately from the data they protect, in hardware-backed storage where the device has it.
  • Medical devices should enforce access controls that prevent unauthorized use and apply the principle of least privilege: individual accounts rather than shared or default credentials, role-based permissions that separate clinical use from service and configuration functions, and removal of accounts that are no longer needed.

Shoring up your medical device cybersecurity

Organizations can take these and other steps to strengthen their overall and medical device cybersecurity and to align with Section 524B.

Medical device manufacturers should incorporate security into their device and software development processes by establishing security standards to which all devices and software must adhere. Organizations that use medical devices also should take steps to align with new cybersecurity standards and strengthen their cyber resilience.

While new standards might seem overwhelming to some, the good news is that Crowe can help. With experienced risk consultants around the world, the Crowe team can help your organization plan, build, and run third-party risk management and cybersecurity programs that fit your business needs.

Let’s connect

Need help reviewing your medical device security or evaluating your third parties? We would love to connect with you.
Brad Gilliat, Principal, Consulting
Michael Lucas, Principal, Consulting
Ann Lyndon Duckworth, Consulting