How to Achieve Compliance to the Section 524B Amendment of the FD&C Act

OVERVIEW

The 2023 Amendment to Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act) is a provision that was added to the law by the Consolidated Appropriations Act, 2023 ("Omnibus"). The section requires medical device manufacturers take steps to ensure the cybersecurity of their products, especially high-risk devices. We will subsequently explain why the regulation is important and how to ensure device manufacturers are compliant.

WHY SECTION 524B IS IMPORTANT

Medical devices play an important role in patient care and their use has been increasingly ubiquitous in recent years. With the growth of connected devices and the internet of things (IoT), medical devices are also becoming more vulnerable to cyberattacks. Cybersecurity risks can lead to serious consequences for patients, such as compromised personal information, loss of device functionality, or even patient harm.

To address these risks, Section 524B requires that medical device manufacturers establish and maintain a comprehensive cybersecurity risk management program for their devices. The program must be designed to identify, assess, and manage cybersecurity risks throughout the device's lifecycle, from design and development to post-market surveillance.

HOW TO ENSURE COMPLIANCE

There are three fundamental requirements as part of the Section 524B amendment.

REQ 1: “Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures”

In order to show compliance to the first requirement, a device manufacturer can follow the following guidelines:

Once a vulnerability is detected, the next step is to assess its potential impact on patient safety and device functionality. The FDA recommends using the Common Vulnerability Scoring System (CVSS) to assess the severity of the vulnerability. CVSS assigns a score to a vulnerability based on its potential impact, taking into consideration factors including the level of access required to exploit the vulnerability, the required user interaction, and the potential impact on confidentiality, integrity, and availability of the affected system. The score ranges from 0 to 10, with higher scores representing more severe vulnerabilities.

The FDA encourages manufacturers to establish a process for receiving and responding to vulnerability reports from security researchers, government agencies, and other stakeholders. The process should include clear instructions for submitting vulnerability reports, timelines for responding to reports, and procedures for communicating with stakeholders about the vulnerability.

Once vulnerabilities have been identified and assessed, manufacturers should prioritize their response based on the severity of the vulnerability and the potential impact on patient safety. Manufacturers should develop a plan for addressing each vulnerability, which may include developing and releasing a patch, providing guidance to users on how to mitigate the risk, or taking other appropriate actions.

Cybersecurity risks are constantly evolving, and it is essential to implement ongoing monitoring and risk management practices to detect and address new vulnerabilities as they arise. This may include ongoing vulnerability scanning, regular security updates, and other measures to minimize the risk of cyberattacks.

Manufacturers should implement a process that reports any cybersecurity vulnerabilities that could compromise the essential clinical performance of a medical device, or that could compromise patient safety, to the FDA as soon as possible. This reporting should include a description of the vulnerability, an assessment of its impact, and any actions taken to address it.

Manufacturers should provide documented training to their employees and stakeholders on the importance of cybersecurity and the steps they can take to mitigate cyber risks. This may include training on secure coding practices, regular cybersecurity awareness training, and other measures.

REQ 2: “Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems”

In order to show compliance to the second requirement, a device manufacturer can follow the following guidelines:

A team responsible for developing and implementing the risk management program is paramount. This team should include representatives from various departments, including engineering, quality assurance, regulatory affairs, and information technology.

A comprehensive cybersecurity risk management plan that outlines the steps to be taken to manage cybersecurity risks throughout the device's lifecycle. This plan should include specific procedures for risk assessment (including vendor risk management), mitigation, and ongoing monitoring and review. This process identifies potential cybersecurity threats and vulnerabilities associated with the device and related systems. This assessment should include an evaluation of the device's intended use, potential attack vectors, and the likelihood and impact of risks to patient safety.

A device manufacturer should implement the identified cybersecurity controls and mitigation strategies, including regular updates device's software and firmware, establishing access controls, implementing device physical security, using modern data encryption technologies, and providing ongoing training and support to end-users. 

Regularly monitoring and evaluating the effectiveness of the cybersecurity risk management program is important. This may include conducting regular vulnerability assessments and testing incident response protocols to ensure they are effective and up-to-date.

A post-market surveillance plan should include procedures for monitoring and analyzing cybersecurity risks and vulnerabilities associated with the device and related systems after its been released into the market. This plan should also include procedures for issuing postmarket updates and patches to address identified cybersecurity risks. The plan will include data collection, analysis, risk management, reporting, and review.

Postmarket updates and patches to the device and related systems to address identified cybersecurity risks and vulnerabilities. These updates and patches should be thoroughly tested and validated before release to ensure they do not introduce new cybersecurity risks or negatively impact device performance. This process can be implemented by an over-the-air (OTA) update capability.

REQ 3: Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components

This software bill of materials lists all of the software components used in the medical product, including commercial, open-source, and off-the-shelf components. The bill of materials includes the name and version number of each component to enable tracking and tracing of software components throughout the device's lifecycle. This information is important for ensuring compliance with the FDA Section 524B amendment, which requires medical device manufacturers to identify and address cybersecurity risks associated with software components used in their products. By maintaining an accurate and up-to-date software bill of materials, medical device manufacturers can ensure the safety and effectiveness of their products and minimize the risk of harm to patients.

Below is a simplified example of a medical device’s software bill of materials:

Device Name: A Great Monitoring System

Commercial Software Components:

• VxWorks 7 (RTOS)

• Linux kernel version 4.13.128
• OpenSSL cryptographic library version 1.1.1g
• Python programming language version 3.9.1

Off-The-Shelf Software Components:

• Docker containerization platform version 20.11.7

CONCLUSION

The 2023 Amendment to Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act) represents an important step forward in enhancing the safety and effectiveness of medical devices, particularly those related to cybersecurity. By requiring manufacturers to develop and implement robust postmarket surveillance plans, the amendment aims to improve the detection and management of potential safety risks associated with medical devices, including those related to cybersecurity. Additionally, the amendment provides greater clarity and guidance for manufacturers in developing and implementing such plans, helping to ensure that they are effective and consistent across the industry.