February 5, 2024

Is your connected device secure and FDA compliant?


As a medical device company, are you familiar with an FDA regulation called section 524b?

What is Section 524b?

On March 30th, 2023 an act was signed into law that contained a section on cybersecurity in medical devices. The section became more commonly known as 524b.

If you are (or even if you’re not), ask yourself these questions:

  1. What is your organization doing about SBOM attestation?
  2. Do you have a way to validate that your deployed device has an up-to-date SBOM?
  3. How do you perform patch management on your devices?
  4. How do you perform vulnerability management?

If you are not familiar with 524b, read on…

This section essentially requires that, when sending a premarket submission to the FDA for an IoT medical device, the manufacturer must demonstrate that the device meets certain cybersecurity requirements, among them:

  • Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
  • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

This means that any medical device company that is submitting for a premarket approval (including a 510(k)), or an update to cleared devices (for example, with letters to file), must comply with 524b if that device has the capability to connect to the Internet.

If you are a medical device manufacturer, are you ready?

Despite having been used by the medical industry for more than two decades now, it is still a challenge to deploy and connect medical IoT devices in the field. In fact, it’s harder to connect a device to the hospital network today than when the first IoT platforms were around in the early 2000s (they weren’t called IoT back then).

I was at a medical IoT conference recently and asked the room of about 100 field service techs what percentage of their deployed devices were connected. Nobody cited more than 40%.

Hospitals are more mindful of security, and hospital IT continues to play a major role in decision-making regarding connectivity. There are also commercially available alternatives to IoT connectivity for remote service that don’t necessarily depend on network access, such as Apple FaceTime and similar “over the shoulder” tools. But these require a human in front of the machine.

IoT connectivity is still the main way that service organizations remotely support their devices in the hospital. It has proven to shorten device downtime, reduce field service costs and minimize disruptions to the hospital.

So if your device has the capability to connect to the Internet, then the FDA considers it a “Cyber Device” and you need to be thinking about 524b.

There are tools and solutions available today that can help make this automatic, scalable, and trouble free.

For more information about Device Authority’s KeyScaler-as-a-Service (KSaaS) platform, click HERE


David Bennett