FDA medical IoT cyber device compliance. FD&C 524b

TL;DR

• FD&C 524b is new FDA legislation for medical cyber device compliance
• Introduced on March 30^th 2023 it is now a firm requirement as of October 1^st 2023
• It demands provision of complex evidence that manufacturers take security seriously

Medical cyber device market

There are over 10,000 medical device companies across the world, 6,500+ of which are headquartered in the United States. While these organizations range from the F500 to smaller start-ups, the combined value of these companies is staggering. The FDA predicts that within the next five years, the medical device market will balloon to over $300 billion dollars annually (source: Statistca). That’s larger than the annual GDP of more than half of the states in the US.

And it’s not just the number of organizations in this space, or the market growth within it that matters, at least from a cybersecurity perspective.

Risks and challenges

The critical development in the medical device space is the growing number of devices that are connected to the internet.

Smart insulin pumps, wearable health trackers, remote monitoring devices, even implantable devices like pacemakers are just some examples of connected devices. But what are the risks and challenges?

1. Security Risks: Medical devices connected to the internet are prime targets for cyberattacks. Hackers can gain unauthorized access to the device, steal sensitive patient data, or even manipulate device functions causing serious consequences.
2. Privacy Concerns: The transmission of sensitive patient data over the internet raises privacy concerns. Protecting patient information is crucial to comply with regulations like HIPAA.
3. Reliability: Internet connectivity issues can affect the reliability of connected medical devices. In critical situations, such as with life-supporting equipment, interruptions in connectivity can be life-threatening.
4. Data Management: Handling and managing the vast amount of data generated by connected devices is a challenge to say the least. Healthcare organizations need efficient data management analysis systems to derive meaningful insights from this data.
5. Regulatory Compliance: Healthcare providers and device manufacturers need to comply with various regulations and standards to ensure device safety and effectiveness.

To be fair, there is tremendous value in smart medical devices. Medical experts universally agree that they have a direct correlation to improved patient engagement, faster diagnoses, and reduced healthcare costs. Given these fantastic benefits, all leading to improved patient outcomes, it’s no wonder why the connected medical device market is surging exponentially.

Food & Drug Administration involvement

This growing trend, often referred to as the Internet of Medical Things (IoMT), has gotten the attention of not just security professionals but also nefarious actors across the world, and more recently, the United States Food & Drug Administration.

The FDA has recognized the cyber risks posed by this uptick in internet connected medical devices. Frankly, there’s too much at risk for them not to. Enter section 524b of the recent FD&C Act. It requires, among other aspects, that manufacturers of cyber devices design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.

What you need to know

Here are a few key facts you and your organization need to know about this new legislation:

1. Who must comply? Anyone who submits a premarket application or submission for a cyber device must submit information to ensure that the device meets the cybersecurity
2. When is this new legislation effective? The go-live date for 524b was March 30^th, 2023. However, the FDA did provide some wiggle room for submissions during the first six months the law was enacted. But as of October 1^st, 2023, the FDA is firm about their new cybersecurity requirements for all submissions.
3. What cybersecurity measures are required under 524b? In short, quite a bit! Submitting organizations will need to prove their cybersecurity efficacy around:
   • A plan to monitor, identify, and address in a reasonable time, post-market cybersecurity vulnerabilities and exploits.
   • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.
   • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
4. What happens if your submission is rejected? The FDA plans to deliver Refusal to Accept (RTA) decisions to every submission that doesn’t meet all the specific cybersecurity submission guidelines as outlined in section 524b. Organizations will be directed to start essentially from scratch and begin the submission process from the back of the queue. Early conservative estimates suggest that receiving an RTA will set a medical devices go-to-market back six months at a minimum.

Conclusion

As medical cyber devices continue to revolutionize healthcare, the need for robust security measures has never been greater. Not only are the stakes high, but the consequences of overlooking medical device security are mounting in equal measure. By understanding the threat landscape, staying up to date with new legislation, and fostering an overall culture rooted in cyber best practices, the healthcare industry can successfully evolve while protecting patient risk.

I’ve written more on 524b here: Navigate FDA 524b to get your medical cyber device to market.

In the meantime there is plenty you can do to get ahead of security issues resulting from flawed development practises, starting with our secure IoT development guide.