Why Medical Device Cybersecurity Is Now a Regulatory Priority
Medical devices are increasingly connected to the internet, hospital networks, and other medical devices to provide features that improve health care and help providers treat patients. However, this connectivity also increases cybersecurity risks. The increase in cybersecurity threats and vulnerabilities has made the Federal government sharpen its focus on medical device cybersecurity.
What FD&C Act Section 524B Requires
On Dec. 29, 2022, the U.S. Congress passed into law the Consolidated Appropriations Act, 2023, which added Section 524B, on cybersecurity for medical device submissions, to the Federal Food, Drug, and Cosmetic Act (FD&C Act). Effective Mar. 29, 2023, medical device manufacturers must meet certain cybersecurity standards; otherwise, beginning Oct. 1, 2023, the U.S. Food and Drug Administration (FDA) may refuse to accept 510(k) premarket submissions that do not meet the standards.
The new cybersecurity provisions are an important step toward ensuring patient safety and cybersecurity in medical devices. Sponsors (manufacturers, developers, or distributors) making premarket submissions for cybersecurity devices must be aware of these requirements and take the necessary steps to comply with them, so that their devices are cybersecure and their submissions to the FDA are not refused. The recent changes also make failure to comply with these requirements a prohibited act under FD&C Act Section 524B, which could lead to future enforcement actions.
What's Inside the White Paper
- Why cybersecurity matters for medical devices — how connectivity to the internet, hospital networks, and other devices expands the attack surface.
- Cybersecurity risks for medical devices — the threats and vulnerabilities driving heightened Federal and FDA scrutiny.
- FD&C Act Section 524B in context — what the Consolidated Appropriations Act, 2023 added and the Mar. 29 and Oct. 1, 2023 effective dates that govern 510(k) submissions.
- 9 steps to meet FD&C 524B requirements — a practical path for sponsors to make compliant premarket submissions.
The USDM point of view: For life sciences manufacturers, medical device cybersecurity is no longer optional engineering hygiene — it is a gate on market access. Under FD&C 524B, an FDA submission can be refused outright, and non-compliance becomes a prohibited act exposing sponsors to enforcement. Treating cybersecurity as a built-in part of the quality and submission process — rather than a late-stage add-on — protects both patient safety and your path to market. USDM helps sponsors operationalize that discipline through a broader medical device cybersecurity, life sciences cybersecurity, and continuous compliance program.
Who Contributed to This White Paper
This white paper was developed by USDM Life Sciences experts:
- Brian Rankin, Information Security Consultant, USDM Life Sciences
- Roger Davy, VP of Consulting, USDM Life Sciences
Connected devices rarely exist in isolation. The same disciplines that govern device cybersecurity — risk assessment, vendor oversight, and validated controls — also underpin third-party risk management and data integrity across regulated systems.
Frequently Asked Questions About FD&C 524B
What is FD&C Act Section 524B?
Section 524B is a cybersecurity provision added to the Federal Food, Drug, and Cosmetic Act by the Consolidated Appropriations Act, 2023, which Congress passed on Dec. 29, 2022. It establishes cybersecurity requirements that medical device manufacturers must meet in connection with FDA premarket submissions.
When did the requirements take effect?
The requirements became effective Mar. 29, 2023. Beginning Oct. 1, 2023, the FDA may refuse to accept 510(k) premarket submissions that do not meet the standards.
Who must comply with Section 524B?
Sponsors — manufacturers, developers, or distributors — making premarket submissions for cybersecurity devices must be aware of these requirements and take the necessary steps to comply, so that their devices are cybersecure and their FDA submissions are not refused.
What happens if a manufacturer does not comply?
The FDA may refuse to accept a non-compliant 510(k) premarket submission. The changes also make failure to comply a prohibited act under FD&C Act Section 524B, which could lead to future enforcement actions.
Why has cybersecurity become a focus for medical devices?
Medical devices are increasingly connected to the internet, hospital networks, and other devices. That connectivity improves care but also increases cybersecurity risks, prompting the Federal government and FDA to sharpen their focus on medical device cybersecurity to protect patient safety.
Build Cybersecurity Into Your Submission Strategy
Meeting FD&C 524B is part of a larger compliance picture that spans validated systems, software assurance, and governed AI. Explore how USDM connects these disciplines through Computer Software Assurance (CSA) and AI governance and compliance.
Download the white paper to learn more about FD&C 524B requirements, the cybersecurity risks facing medical devices, and the 9 steps to compliant premarket submissions. Have questions about your device portfolio? Contact USDM Life Sciences to talk with our cybersecurity and regulatory experts.
