Section 524B of the Federal Food, Drug, and Cosmetic Act took effect on March 29, 2023, and since October 1, 2023 FDA has been issuing refuse-to-accept (RTA) decisions for premarket submissions for cyber devices that do not contain the information the section requires. If your 510(k), De Novo, or PMA submission includes any device with software or network connectivity (which now describes the vast majority of devices in development), you cannot afford to treat cybersecurity as an afterthought.
What Section 524B Actually Requires
Section 524B, enacted as part of the Consolidated Appropriations Act, 2023, establishes statutory cybersecurity requirements for "cyber devices": devices that include software validated, installed, or authorized by the sponsor as or in the device, that have the ability to connect to the internet, and that contain technological characteristics that could be vulnerable to cybersecurity threats. All three conditions must hold, but in practice they capture nearly every connected medical device. Note that the test is the ability to connect, not whether the manufacturer intends the device to be connected.
The law requires manufacturers to submit to FDA:
- A plan to monitor, identify, and address, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures
- Processes and procedures that provide a reasonable assurance that the device and related systems are cybersecure, together with post-market updates and patches: on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks
- A Software Bill of Materials (SBOM) — a formal inventory of all software components, including commercial, open-source, and off-the-shelf software
- Any other information FDA determines necessary to ensure cybersecurity
The Software Bill of Materials Requirement
The SBOM requirement is the one that most commonly catches companies off guard. An SBOM is a machine-readable, structured inventory of every software component in your device, including third-party libraries, open-source components, the operating system, and firmware. FDA's guidance asks for the NTIA minimum elements for each component (supplier, component name, version, unique identifier such as a package URL, dependency relationships, SBOM author, and timestamp), plus the level of support and end-of-support date for each component. Alongside the SBOM, the submission must assess the known vulnerabilities associated with each component (typically cross-referenced against the National Vulnerability Database) and state how each one has been addressed.
Why does FDA care? Because many real-world attacks on medical devices exploit already-known vulnerabilities in third-party components that the manufacturer never tracked. If you do not know what is in your software, you cannot patch it. And if you cannot patch it, patient safety is at risk.
FDA recommends machine-readable formats such as CycloneDX and SPDX. The SBOM must describe the software actually shipped, so it has to be regenerated whenever a component is added, removed, or updated; it is a living document, not a one-time deliverable.
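The check below is an added example, not code from FDA or from the page's author. It reads a CycloneDX JSON SBOM, flags components missing the NTIA minimum elements, cross-references each component against a vulnerability list, and reports the component-level delta between two SBOM revisions (the "living document" point). The SBOM, the component names, and the advisory identifiers are all constructed placeholders, not real products or CVEs; in practice the advisory list would be populated from the NVD or a software composition analysis tool.

```python
"""SBOM completeness, vulnerability cross-check, and revision delta.

Added illustration; all inputs below are constructed. Component names
and advisory IDs are placeholders, not real packages or CVE numbers.
"""
import json
from dataclasses import dataclass, field

# Constructed CycloneDX 1.5 document. The third component deliberately
# lacks version, supplier and purl, the gap reviewers most often flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "firmware",
                               "name": "example-pump-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.0.2",
         "supplier": {"name": "Example TLS Project"},
         "purl": "pkg:generic/example-tls@1.0.2"},
        {"type": "library", "name": "example-json", "version": "3.1.0",
         "supplier": {"name": "Example JSON Authors"},
         "purl": "pkg:generic/example-json@3.1.0"},
        {"type": "operating-system", "name": "example-rtos"},
    ],
})

# Constructed advisory feed: (name, affected version) -> advisory IDs.
# Placeholder identifiers; a real feed would carry CVE IDs from the NVD.
KNOWN_VULNS = {
    ("example-tls", "1.0.2"): ["EXAMPLE-ADV-0001"],
}

# Subset of the NTIA minimum elements that live on each component entry.
REQUIRED_FIELDS = ("name", "version", "supplier", "purl")


@dataclass
class SbomFinding:
    component: str
    missing_fields: list = field(default_factory=list)
    advisories: list = field(default_factory=list)


def audit_sbom(sbom_json, vulns):
    """One finding per component; empty lists mean the entry is complete and clean."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        advisories = vulns.get((name, comp.get("version")), [])
        findings.append(SbomFinding(name, missing, advisories))
    return findings


def summarize(findings):
    """Split findings into entries missing minimum elements (a hard gap) and
    components that need a documented vulnerability assessment in the submission."""
    incomplete = [f.component for f in findings if f.missing_fields]
    needs_assessment = [f.component for f in findings if f.advisories]
    return incomplete, needs_assessment


def changed_components(old_json, new_json):
    """Component-level delta between two SBOM revisions, keyed by component name."""
    def index(doc):
        return {c.get("name"): c.get("version")
                for c in json.loads(doc).get("components", [])}
    old, new = index(old_json), index(new_json)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {n: (old[n], new[n]) for n in sorted(set(old) & set(new))
               if old[n] != new[n]}
    return added, removed, changed


def bump_component(sbom_json, name, new_version):
    """Construct a revised SBOM with one component updated (demo helper)."""
    doc = json.loads(sbom_json)
    for c in doc["components"]:
        if c.get("name") == name:
            c["version"] = new_version
            c["purl"] = f"pkg:generic/{name}@{new_version}"
    return json.dumps(doc)


if __name__ == "__main__":
    incomplete, needs_assessment = summarize(audit_sbom(SAMPLE_SBOM, KNOWN_VULNS))
    print("missing minimum elements:", incomplete)
    print("needs vulnerability assessment:", needs_assessment)
    revised = bump_component(SAMPLE_SBOM, "example-tls", "1.0.3")
    print("delta since last revision:", changed_components(SAMPLE_SBOM, revised))
```

Run against the constructed input, the audit reports `example-rtos` as incomplete (no version, supplier, or purl) and `example-tls` as needing a documented vulnerability disposition; after the constructed version bump the delta shows `example-tls` moving from 1.0.2 to 1.0.3 and the advisory no longer matches. The same two functions wired into your build pipeline are what keep the SBOM in step with the shipped software.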
What FDA's Cybersecurity Guidance Documents Require
FDA's September 2023 cybersecurity guidance ("Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions") describes the documentation FDA expects in order to satisfy Section 524B, and it asks for considerably more than the statute's text alone. Key elements include:
- Threat Modeling: A structured analysis of attack surfaces, threat actors, and attack scenarios. FDA expects STRIDE or a similar framework applied systematically to the actual device architecture and its deployment environment.
- Cybersecurity Risk Assessment: Combining threat model outputs with exploitability and impact analysis, integrated with your ISO 14971 risk management process rather than siloed from it. Note that the guidance expects exploitability, not probability, as the likelihood measure for security risks.
- Security Architecture Documentation: Data flow diagrams, trust boundaries, authentication mechanisms, cryptographic protocols, and audit logging capabilities. The guidance asks for specific architecture views, including a global system view, a multi-patient harm view, an updatability/patchability view, and security use case views.
- Security Testing Evidence: Security requirements testing, threat mitigation testing, vulnerability testing (software composition analysis, static and dynamic code analysis, fuzz and malformed-input testing), and penetration testing, with every finding documented together with its disposition.
Common Deficiency Patterns in 510(k) Cybersecurity Reviews
In reviews since the Section 524B requirements took effect, the cybersecurity deficiencies cited most often in premarket submissions are:
- SBOM missing entirely or covering only first-party software (omitting open-source and third-party components)
- Threat model that is generic and not device-specific — using a template without mapping it to actual device architecture
- Cybersecurity risk assessment that is disconnected from the primary safety risk management file
- No post-market monitoring plan or a plan so vague it provides no meaningful commitment
- Security testing performed only on the device in isolation, not in its intended network environment
Pre-Submission Strategy for Cybersecurity
If your device is a cyber device and you have not yet discussed cybersecurity with FDA, a Pre-Submission (Q-Sub) meeting is strongly recommended before you invest in full cybersecurity documentation. CDRH's Digital Health Center of Excellence and its cybersecurity review staff have been active in Q-Sub responses on cybersecurity, and they will give you direct feedback on whether your security architecture and documentation plan are aligned with current review expectations.
The cost of redesigning security architecture after a deficiency letter — when you may be six to twelve months into your market timeline — vastly exceeds the cost of getting it right before submission.
Struggling with Section 524B Cybersecurity Requirements?
ADB Consulting helps connected device manufacturers build defensible cybersecurity packages for FDA submissions. Book a free discovery call to map your compliance path.
Schedule Free Discovery Call