Michelle Jump, Chief Executive Officer
Chuck Farlow, Senior Director, Program Management and Regulatory Policy
The Consolidated Appropriations Act, 2023 (“Omnibus”) was signed into law by President Biden on December 29, 2022. Omnibus has wide-ranging provisions for nearly every governmental agency and function, from defense spending to farm subsidies. Section 3305 of Omnibus contains several subsections associated with ensuring the cybersecurity of medical devices. Section 3305, subsection (a) amends the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding Sec. 524B, Ensuring Cybersecurity of Devices. Section 524B specifies new submission requirements for medical devices classified as “cyber devices,” with an effective date of March 29, 2023.
On March 29, 2023, the U.S. Food and Drug Administration (FDA) published guidance “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act” (“RTA Guidance”) to clarify implementation of Section 524B. This guidance document is being implemented immediately, but it remains subject to comment in accordance with FDA's good guidance practices. In this blog, we discuss what medical device manufacturers need to know about Section 524B including what has changed and how to maximize your chances for a smooth regulatory submission.
Section 524B: What’s Changed for Medical Device Developers
Section 524B is subdivided into four subsections, each summarized below.
(a) In General – specifies 524B applicability (to a “cyber device”) and enumerates affected applications and submissions
(b) Cybersecurity Requirements – lists submission requirements for a “cyber device”
(c) Definition – defines a “cyber device”
(d) Exemption – empowers the Secretary to exempt “devices, or categories or types of devices” from the requirements of 524B
Our discussion will focus on the implications of subsections (b) and (c) of Section 524B. While subsection (d) can exempt some devices, we do not expect this provision to be applied widely. As a first step in understanding the implications of Section 524B, one must first look to the term “cyber device” as defined in subsection (c):
(c) DEFINITION — In this section, the term ‘cyber device’ means a device that
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
This definition differs from the scope of previously published FDA cybersecurity guidance documents, which do not require that a device “has the ability to connect to the internet”. This is likely to be a point of clarification moving forward. However, recent discussions with FDA staff suggest that it would behoove manufacturers of all medical devices containing software to adhere to the provisions of Section 524B.
Subsection (b) specifies new submission requirements for “cyber devices” (emphasis added):
(b) The sponsor of an application or submission described in subsection (a) shall—
(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—
(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
You may have noticed that much of subsection (b) revolves around postmarket cybersecurity requirements for medical devices. There is a good reason for this—postmarket expectations have not been as well defined and, because they were not required by law, were often treated as an afterthought by medical device manufacturers. What Section 524B makes clear is that, moving forward, medical device manufacturers will have to consider postmarket cybersecurity from the very earliest stages of device development and commit to supporting the security of fielded medical devices moving forward.
What About RTA Guidance?
Enforcement of Section 524B began on March 29, 2023, which means that all FDA submissions moving forward must meet the requirements. In its RTA Guidance, FDA indicated that it does not plan to issue refuse to accept judgments on submissions made prior to October 1, 2023; they will work with device developers during this transition period to help them correct submissions in process.
However, this does not mean that FDA is delaying enforcement; rather, the agency is giving device manufacturers time to revise and correct submissions that do not initially meet requirements of Section 524B. After October 1, submissions for cyber devices that do not meet the new standard are likely to face an RTA judgment. (See FDA’s helpful Cybersecurity FAQs for additional clarification.)
Wait, Is This Really New?
Cybersecurity has been part of the medical device submission process for some time, going back as far as 2013, when FDA released its first draft premarket submission guidance for medical device cybersecurity. FDA finalized postmarket cybersecurity guidance for medical devices in 2016.
What’s new is that Section 524B is an amending statute of the FD&C Act. Accordingly, the requirements specified in Section 524B are legally binding for medical device manufacturers. New statutes are much rarer than new guidance, and they set the stage for future legally binding regulation and non-binding guidance. While guidance can set clear expectations and describe an agency’s current thinking, only regulations and statutes have the force of law.
Manufacturers should also expect to see new regulations and guidance language evolving in response to Section 524B. Most immediately, FDA can be expected to clarify terms that are not well defined in the statute such as “uncontrolled risk,” “reasonable assurance,” and “timely manner.” More regulations are also likely to follow to more specifically define the cybersecurity elements that will be required in new submissions.
Section 3305 of Omnibus also contains several subsections that direct supporting actions by federal agencies:
Not later than December 29, 2024, FDA is to release revised premarket security guidance (subsection (e));
Not later than June 27, 2023, FDA is to update cybersecurity informational resources (subsection (f)); and
Not later than December 29, 2023, the Government Accountability Office (GAO) is to publish a report identifying cybersecurity challenges for medical devices, including legacy devices (subsection (g)).
Getting Ready for Your Next Submission
The medical device cybersecurity landscape is likely to continue to shift over the next 12-24 months as FDA puts out new guidance and evolves regulatory requirements in response to the new statutory language. The GAO report later this year will also have a role in shaping future guidance and regulation. In the meantime, medical device manufacturers should expect that FDA will be fully enforcing these requirements from here on out.
Staying on top of cybersecurity requirements for medical devices can be a challenge. MedSec works with medical device developers to plan, implement, and maintain their cybersecurity programs. We can provide pre-submission assistance, technical expertise, and guidance to ensure a smooth submission process and minimize the chances of an RTA on cybersecurity grounds. And with the MedSec Partner Program, you’ll always stay up-to-date with regulatory and guidance changes that impact your devices.
Contact us to schedule a consultation.
As MedSec's CEO, Michelle is responsible for providing strategic leadership, training and education to the medical device industry, and thought leadership in the area of medical device cybersecurity practices and processes. She also participates in a variety of domestic and international standards activities, as well as relevant industry and governmental initiatives to support security within the healthcare industry.
Chuck is a CISSP with more than 36 years of experience with an extensive background in systems engineering, cybersecurity, medical device regulations, and international standards. Chuck works with MedSec senior leadership to develop effective strategies for programs and policy. He currently serves in several AAMI and ISO working groups.
MedSec is uniquely prepared to meet the specific challenges of medical device and healthcare cybersecurity. MedSec partners with medical device manufacturers and healthcare delivery organizations to address cybersecurity in medical devices throughout all stages of the device lifecycle. MedSec leverages its cybersecurity expertise, coupled with its intimate knowledge of the healthcare regulatory and operating environments, to offer support in design, architecture, verification, penetration testing, risk assessments, regulatory filings and SBOM development.