
What Healthcare Cybersecurity Leaders Should Know About the FDA's Section 524B Guidelines

New cybersecurity regulations from the FDA outline specific steps that medical device companies must take in order to get their devices approved for market.

Bill Reid, Office of the CISO

November 20, 2023


Recently, the Food and Drug Administration (FDA) issued updated regulations regarding medical devices, specifically related to the cybersecurity requirements of those devices. These new requirements are found in Section 524B, Ensuring Cybersecurity of Devices, of the Food, Drug, and Cosmetic Act (FD&C Act).

The new regulations officially went into effect on October 1, 2023, so chief information security officers (CISOs) and other security leaders at medical device companies need to prioritize compliance to avoid having their new devices rejected by the FDA under the agency's Refuse to Accept (RTA) policy.

Who Will Be Impacted?

The new regulations will apply to anyone who "submits a premarket application or submission [...] for a device that meets the definition of a cyber device" — with "cyber device" defined as follows: 

"A device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats."

The updated policy doesn't apply retroactively, so applications submitted to the FDA before March 29, 2023, and devices that have already been approved for use, are not affected. However, changes or updates to a device that require a new round of premarket review will bring that device under the new regulations.

What's the Purpose of the New Regulation? 

The primary purpose of the new regulation is to recognize the critical role that cybersecurity plays in ensuring the safe and effective use of medical devices. This is an acknowledgement of the convergence of security and quality, with the FDA pushing organizations to look at security design and operational support as an aspect of delivering a quality product. 

As an FDA spokesperson said in a recent statement:

"Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally. [...] [T]hese new authorities will allow FDA to work with manufacturers and other device stakeholders to ensure that cyber devices are designed securely and reduce the likelihood of harm to patients."

For security professionals, this represents a validation that security is not ancillary, but an essential part of building and operating medical devices. It is also an opportunity for medical device manufacturers to work in close alignment with the healthcare organizations that use and support these devices in patient care, so that the larger security context is understood and coordinated. Devices are used in a variety of settings, and those settings affect how securely the systems operate over time.

What Does the New Regulation Require? 

The new regulation requires medical device manufacturers to submit information demonstrating that the device meets certain cybersecurity standards. The new required information includes: 

  • A documented plan to "monitor, identify, and address" cybersecurity vulnerabilities and potential exploits. This plan should include considerations for disclosing those vulnerabilities.

  • "Design, develop, and maintain" processes to assure that the device and related systems are secure, and to provide appropriate updates and patches to the device and system.

  • "Provide a software bill of materials" that details the software components involved with the device, including commercial and open source elements.

Additional guidance for how to achieve the requirements of each of these steps is available on the FDA's FAQ page.
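The software bill of materials and the vulnerability-monitoring plan are tied together in practice: a monitoring process can only match advisories to a device if every component in the SBOM is identified precisely enough. The following Python is an added example, not code from the article, the FDA, or Google; it constructs a small CycloneDX-style SBOM document and an invented advisory list (the component names, versions and ADV-EXAMPLE identifiers are placeholders, not real packages or CVEs), then checks which components lack the fields a monitoring plan needs and which advisories apply at the recorded versions. The field layout follows the public CycloneDX JSON schema, but the data here is entirely constructed.

```python
"""Added example (not from the article, the FDA, or Google): check that a
CycloneDX-style SBOM carries the fields a vulnerability-monitoring process
needs, and look its components up against an advisory list.

The SBOM and the advisory list are constructed sample data. The field names
follow the public CycloneDX JSON schema (bomFormat, specVersion,
components[].name/version/purl/supplier); the component names, versions and
advisory IDs are invented for illustration."""

import json
import re

# Constructed sample SBOM in CycloneDX 1.5 JSON layout (not a real device's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8",
         "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11",
         "supplier": {"name": "zlib"}},
        # Deliberately incomplete entry: no purl and no supplier.
        {"type": "library", "name": "vendor-rtos-net", "version": "2.4.0"},
    ],
})

# Constructed advisory list; the IDs are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "openssl", "fixed_in": "3.0.9"},
    {"id": "ADV-EXAMPLE-0002", "name": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "name": "vendor-rtos-net", "fixed_in": "2.3.1"},
]

# Fields a monitoring process needs to match a component to an advisory.
REQUIRED_FIELDS = ("name", "version", "purl", "supplier")


def parse_version(v):
    """Turn '1.2.11' into (1, 2, 11) for ordering; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))


def validate_sbom(sbom_json):
    """Return (component name, missing field) pairs.

    Components without a purl or supplier cannot be matched to advisories
    reliably, so these gaps are what the monitoring plan has to close."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    gaps = []
    for comp in sbom.get("components", []):
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                gaps.append((comp.get("name", "<unnamed>"), field))
    return gaps


def match_advisories(sbom_json, advisories):
    """Return IDs of advisories whose component appears in the SBOM at a
    version below the advisory's fixed version."""
    sbom = json.loads(sbom_json)
    by_name = {c["name"]: c["version"]
               for c in sbom.get("components", [])
               if "name" in c and "version" in c}
    hits = []
    for adv in advisories:
        present = by_name.get(adv["name"])
        if present is not None and parse_version(present) < parse_version(adv["fixed_in"]):
            hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    for name, field in validate_sbom(SAMPLE_SBOM):
        print(f"SBOM gap: component {name!r} lacks {field!r}")
    for adv_id in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"advisory {adv_id} affects a component in this SBOM")
```

Run stand-alone, the script reports the two missing fields on the incomplete component and the two advisories whose fixed version is above the recorded one; the third advisory is not reported because the SBOM already records a later version. The version comparison is deliberately simple (numeric dotted versions only), which is enough to show the idea but would need a real version-scheme library for vendor-specific numbering.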

Beyond the straightforward submission requirements, the new regulation asks that security be considered from the very beginning of designing a medical device through to the device's decommissioning at its end of life.

What Should Impacted Companies Do? 

Security professionals at impacted organizations will need to closely partner with those in engineering to collaborate on design with security in mind. It will require that these security leaders deeply understand the context within which these devices will be used and bring that threat understanding back into the design process to ensure strong control selection and sound risk management.

For many device companies that have no experience in this sort of explicit security work, these new requirements will represent a substantial lift. Company leaders will need to make sure their organizations acquire the new skills and tools they will need to comply with the new guidelines. The answer for many device companies will be to seek a partnership with an experienced security provider such as Google. 

Cyber-risk is an element of overall business risk, which means that medical device companies should understand the impact that good security hygiene will have on their bottom lines. Under these new guidelines, medical device companies will need to build securely, or their devices will simply not reach the market. Section 524B represents a recognition of the vital role of security in building safe and effective medical products.


About the Author

Bill Reid

Office of the CISO, Google Cloud

Bill Reid is part of Google’s Office of the Chief Information Security Officer (CISO) where he serves as a Security Advisor to Google Cloud’s Health and Life Sciences customers, providing guidance on ways to achieve their business goals while adopting a high security bar.  

Prior to Google, he was CISO and VP for National Resilience, a bio-manufacturing company, where he established and ran the Security (Physical, IT, and OT), Privacy, and Compliance organizations. During his tenure, the company grew from several dozen to over 2000 employees with operations in the US and Canada.

Before Resilience, Bill was the Security Leader for Amazon Care, a telehealth and in-person care organization established by AWS. He built the security and privacy team as part of the launch of the service. Also at AWS, Bill led the AWS Security Solution Architecture team, working with the company's enterprise customers, and co-led the global security community of practice.

Earlier, Bill held various CISO roles at healthcare technology and medical device companies. He was also at Microsoft, where he ran a Microsoft Consulting Services practice, was part of the Trustworthy Computing initiative, and was Director of Product Management for Microsoft Health Solutions Group, working on products like HealthVault, a platform for personal health management. He began his career in healthcare administration at Group Health Cooperative (now Kaiser) where he served in a number of clinical and financial management roles.
