The Time is Now: FDA To Begin Enforcing Section 524B of the FD&C Act

On October 1, 2023, the grace period ends on the FDA’s enforcement of new cybersecurity rules for medical devices. Here’s what you need to know.

Published on September 28, 2023

Entering a New Era in Medical Cybersecurity

The business of medical care in the United States is one that is heavily regulated from multiple perspectives, including patient safety, privacy of medical data, and an increasing focus on security. Healthcare is critical, and poor security practices can disrupt care and cause harmful outcomes for patients. Everything from quality of treatment to integrity of sensitive data is on the line when it comes to maintaining best security practices. 

At the end of 2022, the Consolidated Appropriations Act of 2023 was passed into law, a massive omnibus spending bill that covered a very large range of priorities and actions for the coming year. Part of that legislation is section 3305, entitled “Ensuring Cybersecurity of Medical Devices.” And part of that, section 524B, mandates that medical device manufacturers, healthcare providers, and many others must develop and establish cybersecurity practices to prevent many risks to patients. 

The FD&C amendments took effect on March 29, 2023, and require premarket submissions to meet the cybersecurity needs of Section 524B. That date opened a grace period during which the FDA was unlikely to outright issue a Refuse-to-Accept (RTA) judgment on these new designs. That grace period comes to an end on October 1, 2023, and those seeking FDA approval will be likely to receive an RTA judgment if they are not in compliance with the demands of Section 524B.

In this post, we’ll briefly discuss what Section 524B entails, as well as what you need to know about meeting this critical new requirement and what Ezurio provides to help you navigate cybersecurity compliance. 

Section 524B In Summary

The four primary requirements of Section 524B apply to what the FD&C act refers to as a “cyber device,” which is defined as “a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.” Needless to say, this is a definition that applies to a vast array of connected medical devices, and there are multiple layers to the thought and security planning that keeps these devices safe and compliant. 

The FDA has published full guidance on this in the following document: “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act.”

The four requirements are as follows: 

• (1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;

• (2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—

        o (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

        o (B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;

• (3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and 

• (4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

In short, this guidance requires OEMs to formulate a comprehensive plan to address vulnerabilities after a device is released into the field. By including a software bill of materials in that plan, OEMs can clearly demonstrate a full awareness of the software components they use and can demonstrate a plan to identify common vulnerabilities, as well as penetration tests and proactive means of validating the security of their devices. 

What’s Next? 

The period of time from March 29 to October 1 was intended to allow OEMs the time and preparation to update their new submissions to account for cybersecurity compliance, with a preference to not reject noncompliant submissions but to rather allow time to update them to the new standard. However, as of October 1, new submissions that do not account for these cybersecurity concerns are likely to receive an RTA judgment.

What does this mean for OEMs? Most importantly, it means if you’ve already submitted for premarket approval, the time has already come to address the requirements of the new legislation. If you have not submitted, the window is soon to close, after which the FDA’s judgment on submissions of this nature will become much more stringent, putting OEMs at a greater risk of rejection on cybersecurity grounds.

Where We Help

Choosing manufacturers and design partners with forward-thinking cybersecurity practices and offerings is one way OEMs can put themselves in the best position for success. Ezurio does not directly work OEMs through the FDA approval process. What we do provide, however, is a comprehensive security strategy of our own that OEMs can leverage to simplify the process. Ezurio's (formerly Laird Connectivity) decades of experience in wireless product design have led us to numerous offerings and best practices that can contribute to a cybersecurity plan as required by the FDA. 

Our Summit Suite Security Solutions simplify the process of protecting devices in the field, combining our industry-leading hardware with multiple layers of security software and enterprise connectivity – all from a single partner. Just some of the ways we address the complexities of device security include: 

  • FIPS Cryptographic Modules: We offer FIPS 140-2 Level 1 Validated cryptographic modules, with a roadmap to validate to FIPS 140-3 Level 1. This ensures security of data in transit and at rest for government agencies and private enterprises that require FIPS-validated cryptography, a standards-enforced means of securing sensitive data. 
  • Chain of Trust Device Security: Layer for layer, security mechanisms ensure only validated software is executed on our Summit Suite-enabled devices. The Chain of Trust includes secure boot architecture, secure device secrets, secure data storage, secure image signing service, and secure programming at the time of manufacture. These features and services provide assurance step-by-step that only trusted code is executed, steeling your devices for deployment in the field. 
  • Cloud-based Software Vulnerability Monitoring and Remediation: In partnership with Timesys, Summit Suite-enabled devices’ software bill of materials can be monitored via Vigiles Prime. With full accounting for the software bill of materials on board the devices, OEMs can readily and regularly monitor Common Vulnerabilities and Exposures (CVEs) within software subcomponents and receive notification of new CVEs that apply to the subcomponents. From there our FAE and Product Security Incident Response Team will work with your security and engineering team to create an updated software release to address the CVEs present in your device.
  • Secure Connectivity: On the wireless connection specifically, supported devices enjoy the full Wi-Fi potential of Ezurio's decades of wireless experience. We offer an enterprise-grade connectivity software suite that implements the industry-best WPA3-Enterprise 192-bit encryption, TLS 1.3, and enhanced regulatory support. Our connectivity stack provides reliability, high performance, and (critically) development beyond standard offerings for enhanced security, authentication, roaming, and more.

The Time is Now For Best Cybersecurity Practices

With the grace period nearly expiring on Section 524B requirements, there’s no time like the present to identify the partners and practices that can best set you up for regulatory approval. Ezurio's system-on-module and wireless module offerings put security first and foremost, with the experience and support to help manufacturers cover these critical requirements. It’s not just about regulatory approval either; it’s about confidence in your devices in the field, confidence in quality of service and care, and confidence in reduced liability in an increasingly connected world. 

Visit https://www.lairdconnect.com/iot-software/summit-suite to learn more about our security solutions.