What FDA's Section 524B Means for Mobile Medical App Developers

mHealth apps, also known as mobile medical apps, have become significantly more popular in recent years, with market value expected to reach US$ 38.47B by 2029, up from US$ 5.37B in 2021. However, the increased opportunity to bring healthcare closer to the customer side requires a bigger focus by developers on their cybersecurity posture. Early last year, a report from the US Department of Health and Human Services (HSS) highlighted a 69% increase in cyber-attacks targeting healthcare in the first half of 2022 compared to 2021.

Recognizing the growing need for more robust medical device cybersecurity, the Food and Drug Administration (FDA) continues to take a range of steps to provide clarity for developers about their cybersecurity expectations. For instance, in March 2023, the FDA amended Section 3305 of the Consolidated Appropriations Act 2023 (CAA 2023) by adding Section 524B, “Ensuring Cybersecurity of Devices.” This new section gives the FDA the authority to establish cybersecurity standards for premarket submissions for medical devices connected to a network or transmit or receive data electronically.

In this blog, we will discuss what this means for mobile medical app developers, specifically on:

1. How it affects the approval of mobile medical apps by the FDA for public use;
2. The resources that are available for developers in meeting this new requirement; and
3. The importance of thorough mobile app security practices in achieving and maintaining compliance.

How did the FDA regulate mobile medical apps before?

Prior to the passing of the Omnibus Appropriations Act at the end of 2022, the FDA did not have the statutory authority to require information on cybersecurity measures implemented by mHealth applications as part of the 510(k) premarket submissions of cyber devices - which includes mHealth/mobile medical applications. Instead, the FDA relied on its general authority under the Food, Drugs, and Cosmetics (FD&C) Act to regulate their safety and effectiveness. These guidelines were non-binding and served as mere recommendations for developers on cybersecurity best practices suggested by the FDA.

What changes?

The introduction of Section 524B is a significant change in the regulatory landscape for cybersecurity in medical devices, including mobile apps that are used to monitor, diagnose, or treat medical conditions. It gives the FDA the authority to mandate mobile medical app developers “submit information to ensure that cyber devices meet the cybersecurity requirements” in their 510(k) premarket submissions.

The FDA will now require developers to design, develop and maintain the cybersecurity aspects of their mobile medical apps both during premarket submissions and postmarket surveillance. In other words, developers will now be required to explicitly plan, apply and maintain an adequate level of cybersecurity on their apps, as long as they are available for public use.

The FDA may refuse to accept (RTA) any submissions that do not comply with this new requirement. This RTA policy will take effect on October 1, 2023, giving developers time to prepare their premarket submissions accordingly. Additionally, this section also authorizes the FDA to further establish cybersecurity standards for medical devices and to enforce them through inspections, recalls, injunctions, civil penalties, and criminal prosecution.

What resources are available for developers on the new requirement?

The cybersecurity recommendations provided by the FDA remain the same and have been extensively described in several guidance documents, including:

1. 2014 guidance on “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”;
2. 2016 guidance on “Postmarket Management of Cybersecurity in Medical Devices”; and
3. 2022 guidance on “Policy for Device Software Functions and Mobile Medical Applications.”

You can visit the FDA’s Frequently Asked Questions (FAQ) page for more information.

The increasing importance of mobile app security

This change reflects the FDA’s growing recognition of the importance and complexity of ensuring robust security in mHealth/mobile medical apps. The best cybersecurity capabilities at the device and OS level can be neutralized if an attacker can easily analyze the application code, understand its operation, and possibly reverse engineer it. Insufficiently protected mobile apps are vulnerable to various types of attacks, tampering, and code injection that could alter the app’s behavior. This could result in risks to patient’s health and safety and threatens the company brand and revenue.

Guardsquare offers a suite of products that enable mobile medical app developers to protect applications against such attacks and meet the FDA’s requirements, from pre-market submission all the way to post-market surveillance.

Our Android and iOS protection solutions, DexGuard and iXGuard, respectively, protect your mHealth/mobile medical apps against tampering through multiple layers of code hardening and Runtime Application Self-Protection (RASP) checks. Guardsquare’s polymorphic security approach resets the clock for threat actors by automatically ensuring no two releases are protected the same way. This, in turn, renders the knowledge they gain from prior attacks useless.

AppSweep, Guardsquare’s Mobile Application Security Testing Tool, helps you identify and fix security issues and dependencies during the development process by providing actionable recommendations and insights, in alignment with OWASP MASVS categories. This free mobile app scanning tool can be easily integrated into your CI/CD pipeline, allowing you to continuously ensure the security posture of your applications in a timely manner.

Our real-time monitoring solution, ThreatCast, helps developers to fulfill the FDA’s postmarket surveillance requirements. ThreatCast provides you with real-time insights into different types of threats your mobile medical apps are facing, including debugging and hooking tools, repackaging attempts, escalation of privilege, emulators, virtual environments, and many more. This allows you to proactively analyze attack attempts and adjust your security strategy promptly and accordingly. ThreatCast is available for free for the first application for all DexGuard and iXGuard customers.

By implementing Guardsquare solutions into your mobile medical app development cycle, you can shift your focus to improving your app's functionality without sacrificing its usability, while remaining compliant with the increasingly more stringent regulatory requirements.

Get started on your path to achieving FDA compliance by scanning your mobile medical app for free using AppSweep.