Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act) emerged from a growing recognition of the need for robust cybersecurity in medical devices.
In short: Section 524B of the FD&C Act turned more than a decade of voluntary cybersecurity guidance into a mandatory requirement. A string of high-profile incidents—WannaCry, URGENT/11, and SweynTooth—exposed how vulnerable connected medical devices had become, and the PATCH Act of 2022 ultimately gave the FDA the authority to enforce premarket cybersecurity expectations. This article traces that history and explains what manufacturers must now do to comply.
Background and Predecessors to 524B
The vulnerability of medical devices was documented as early as 2008, when an investigative paper analyzed the security and privacy properties of an implantable cardioverter defibrillator (ICD). The researchers reverse engineered the ICD’s communications protocol and implemented software radio attacks that compromised patient safety and privacy.
In 2012, the U.S. Government Accountability Office (GAO) released a medical devices report recommending that the U.S. Food and Drug Administration (FDA) develop a more comprehensive plan for the review and surveillance of medical devices and incorporate multiple aspects of information security.
In 2014, the FDA issued guidance titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (which was updated to the current Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions). The original guidance provided recommendations but was not mandatory; it relied on manufacturers to voluntarily incorporate cybersecurity measures.
In 2016, the FDA released the guidance Postmarket Management of Cybersecurity in Medical Devices, which focuses on cybersecurity maintenance after devices are on the market. It emphasizes the need for ongoing monitoring and risk management, but following this approach was not mandatory.
As could be expected, the adoption of robust cybersecurity practices varied widely among manufacturers. Some implemented them proactively while others lagged. Continued vulnerabilities and incidents reinforced the need for stringent regulatory oversight.
Why voluntary guidance wasn’t enough: For nearly a decade, the FDA’s cybersecurity expectations were recommendations rather than requirements. Adoption was uneven, leaving connected and legacy devices exposed. Treating device security as an ongoing program—not a one-time submission—is the throughline that connects every incident below. A disciplined approach to third-party risk management across embedded software and component suppliers is now central to that program.
Cybersecurity Incidents That Led to Writing Section 524B
WannaCry Ransomware Attack
In May 2017, the WannaCry ransomware attack spread rapidly across the globe and affected many industries, including healthcare. WannaCry exploited a vulnerability in the Windows operating system, known as EternalBlue, which was leaked from the U.S. National Security Agency (NSA). The ransomware encrypted files on infected systems, rendered them inaccessible, and demanded ransom payments in Bitcoin to decrypt the files.
It's estimated that 40% of healthcare organizations suffered a WannaCry attack in a six-month period. The attack affected old and unmanaged medical devices, led to the cancellation of medical procedures, delayed patient care, and caused significant operational disruptions.
WannaCry highlighted the vulnerabilities in medical devices that rely on outdated or unpatched software. It made healthcare providers recognize the need for robust cybersecurity measures, including timely software updates and patches to protect against known vulnerabilities.
URGENT/11 Vulnerabilities
In 2019, security researchers discovered a set of 11 zero-day vulnerabilities, collectively known as URGENT/11, in IPnet, the TCP/IP software library developed by Interpeak. IPnet is widely used in real-time operating systems (RTOS) and embedded systems, including medical devices.
URGENT/11 vulnerabilities could be exploited to take control of affected medical devices (e.g., infusion pumps, patient monitors, and imaging systems), disrupt device functionality, gain unauthorized access to sensitive patient data, and potentially cause harm to patients.
The widespread impact of URGENT/11 underscores the importance of third-party software component security and understanding the cybersecurity risks associated with embedded systems in medical devices. There is an undeniable need for comprehensive risk assessments and security measures in the design and development of medical devices.
SweynTooth Vulnerabilities
In early 2020, a series of vulnerabilities known as SweynTooth were discovered in Bluetooth Low Energy (BLE) software development kits (SDKs) from various vendors that affected medical devices like pacemakers, glucose monitors, and insulin pumps.
SweynTooth vulnerabilities could be exploited to crash devices, bypass security mechanisms, and take control of affected devices. Devices that relied on BLE for communication were at risk of disrupted functions and, as a result, compromised patient safety.
Thoroughly tested security measures for the communication protocols used in medical devices are imperative. There must be mechanisms to update and patch vulnerabilities in deployed medical devices and to ensure ongoing cybersecurity.
Each incident pointed to the same lesson: device security is not a feature shipped once at clearance—it is a lifecycle obligation that has to be designed in, monitored, and patched for as long as the device is in use.
How Section 524B of the FD&C Act was Developed
Stakeholders in healthcare, cybersecurity, and patient advocacy voiced their concerns about voluntary cybersecurity measures. They called out the potential risks to patient safety and the integrity of healthcare systems because of vulnerable medical devices. Recommendations for more structured and enforceable cybersecurity requirements came from industry consortiums like the Healthcare and Public Health Sector Coordinating Council (HPHSCC).
The FDA was responsive to these concerns and maintained ongoing dialogue with stakeholders to understand the challenges and gaps in the voluntary framework. The FDA’s engagement included hosting workshops and public meetings and establishing working groups focused on medical device cybersecurity.
Legislative Sponsorship and Drafting
Recognizing the need for legislative action, several lawmakers took the initiative to draft more stringent cybersecurity requirements. The Protecting and Transforming Cybersecurity Health Care Act (PATCH Act) of 2022 (H.R. 7084) advocated for strengthening cybersecurity requirements for medical devices by mandating specific premarket submission information to ensure their safety and effectiveness throughout their lifecycle.
The Cybersecurity in Medical Devices Frequently Asked Questions (FAQ) page on the FDA website provides clear and enforceable guidelines for medical device manufacturers to enhance the security posture of medical devices and ensure patient safety.
From voluntary guidance to mandatory law: the 524B timeline
- 2008 — Proof of concept: Researchers demonstrate radio attacks against an implantable cardioverter defibrillator, exposing patient-safety risk.
- 2012 — GAO report: Calls on the FDA to build a comprehensive plan for device review, surveillance, and information security.
- 2014 / 2016 — FDA guidance: Premarket and postmarket cybersecurity guidance published—recommendations only, not mandatory.
- 2017–2020 — Real-world incidents: WannaCry, URGENT/11, and SweynTooth show how widely connected and embedded devices can be compromised.
- 2022 — PATCH Act (H.R. 7084): Legislative push to mandate premarket cybersecurity submission requirements.
- Section 524B — Enforceable mandate: Cybersecurity becomes a condition of premarket submission, with lifecycle expectations for patching and monitoring.
Take Action to Secure Your Medical Devices
The passage of Section 524B of the FD&C Act mandates stringent cybersecurity requirements, but adhering to these regulations can be challenging. Meeting them well means connecting secure device design, validated software, and ongoing risk monitoring into a single program rather than a checklist completed at submission. Approaches like Computer Software Assurance (CSA) and disciplined data integrity practices help manufacturers demonstrate that secure, controlled software underpins device safety and effectiveness.
USDM Life Sciences specializes in helping medical device manufacturers meet these regulatory standards. Our cybersecurity experts ensure that your devices are compliant and secure from emerging threats, protect patient safety, and maintain operational integrity. Pairing that expertise with medical device cybersecurity and life sciences cybersecurity services gives manufacturers a path to sustained compliance instead of one-time remediation.
Explore nine steps to meet 524B requirements—download the white paper Understanding FD&C 524B.
FAQ: Section 524B and Medical Device Cybersecurity
What is Section 524B of the FD&C Act?
Section 524B of the Federal Food, Drug, and Cosmetic Act establishes mandatory cybersecurity requirements for medical devices. It requires manufacturers to provide specific information in premarket submissions to demonstrate that a device is reasonably secure throughout its lifecycle, replacing the earlier framework of voluntary FDA guidance.
What incidents drove the creation of 524B?
Several high-profile events exposed the vulnerability of connected and embedded medical devices: the 2017 WannaCry ransomware attack that disrupted healthcare operations worldwide, the 2019 URGENT/11 zero-day vulnerabilities affecting embedded TCP/IP software, and the 2020 SweynTooth vulnerabilities in Bluetooth Low Energy SDKs used in devices like pacemakers and insulin pumps.
How does 524B differ from earlier FDA cybersecurity guidance?
The FDA’s 2014 and 2016 cybersecurity guidance documents offered recommendations that manufacturers were free to adopt voluntarily. Adoption varied widely. Section 524B, propelled by the PATCH Act of 2022, makes cybersecurity a mandatory, enforceable condition of premarket submission rather than an optional best practice.
What is the PATCH Act?
The Protecting and Transforming Cybersecurity Health Care Act (PATCH Act) of 2022 (H.R. 7084) advocated for strengthening cybersecurity requirements for medical devices by mandating specific premarket submission information to help ensure device safety and effectiveness across the product lifecycle.
How can manufacturers prepare to comply with 524B?
Compliance is most durable when secure device design, validated and controlled software, ongoing risk monitoring, and third-party component security are managed as one continuous program. USDM Life Sciences helps medical device manufacturers assess gaps, document premarket cybersecurity expectations, and maintain security posture after devices reach the market.
Don’t wait for the next cybersecurity threat. Contact USDM Life Sciences to tailor a cybersecurity and compliance approach that secures the future of your medical technology.
