On Dec. 29, 2022, Congress passed into law the Consolidated Appropriations Act, 2023. Section 3305 of that act, “Ensuring Cybersecurity of Medical Devices,” includes Section 524B, “Ensuring Cybersecurity of Devices,” which amends the Food, Drug, and Cosmetic Act (FD&C Act). Effective March 29, 2023, medical device manufacturers must meet certain cybersecurity standards. Further, if organizations do not meet said requirements, the U.S. Food and Drug Administration (FDA) will begin refusing to accept premarket submissions beginning Oct. 1, 2023.
To avoid such consequences and to shore up their cybersecurity, organizations can take steps to improve the security of medical devices that they manufacture or use and align with the requirements of the guidance.
One FDA spokesperson highlighted the criticality of implementing these new cybersecurity standards: “Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally.” For life sciences organizations that either work with medical devices or manufacture them, the risk of not aligning with this guidance could lead to incidents ranging from the exfiltration of patient information to device availability disruptions, resulting in a gap in patient care.
Section 524B applies to medical device manufacturers, healthcare providers, health systems, third-party device servicers, patient advocates, and organizations that use third-party medical devices to provide services to patients.
Until Oct. 1, 2023, the FDA will work with organizations to enhance any cybersecurity documentation that does not outline plans to remediate identified vulnerabilities. Starting Oct. 1, 2023, the FDA likely will refuse to accept premarket submissions of devices that do not have cybersecurity plans outlined in their product applications.
Organizations can take proactive steps to align with Section 524B guidance, and they can rely on established cybersecurity practices to do so. For example, the National Institute of Standards and Technology (NIST) Special Publication 800-53 provides security and privacy controls for information systems and organizations. If organizations do not already include such controls as part of their information security programs, they should consider adopting NIST security practices.
FDA guidance, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” outlines four requirements of Section 524B. Following is a summary of those four requirements.
Section 524B requires organizations to submit a plan “to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”
Monitor. NIST controls SI-4, SI-5, SC-7, AU-2, and AU-9 require monitoring systems to detect attacks or unauthorized access. Organizations can follow this guidance to:
Identify. NIST controls CA-8, RA-5, and SA-11 require the use of technology solutions to identify vulnerabilities related to hardware or software. Organizations can follow this guidance to:
Address. NIST controls RA-7 and SI-2 require the remediation of critical or high-risk vulnerabilities previously identified within time frames identified by the organization based on risk tolerance. Organizations can follow this guidance to:
Section 524B requires organizations to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” Organizations also should regularly provide postmarket updates and patches to address known vulnerabilities and mitigate critical vulnerabilities as needed, even if out of cycle.
NIST controls CM-2, CM-3, and CM-9 support such risk mitigation, and organizations can follow this guidance to:
Section 524B requires organizations to provide “a software bill of materials, including commercial, open-source, and off-the-shelf software components.”
Section 524B requires organizations to “demonstrate reasonable assurance that the device and related systems are cybersecure.”
NIST controls SC-28, AC-1, and AC-2 can offer direction for organizations as they establish and maintain secure development practices.
Organizations can take these and other steps to strengthen their overall and medical device cybersecurity and to align with Section 524B.
Medical device manufacturers should incorporate security into their device and software development processes by establishing security standards to which all devices and software must adhere. Organizations that use medical devices also should take steps to align with new cybersecurity standards and strengthen their cyber resilience.
While new standards might seem overwhelming to some, the good news is that Crowe can help. With experienced risk consultants around the world, the Crowe team can help your organization plan, build, and run third-party risk management and cybersecurity programs that fit your business needs.