May 31, 2019
New York Law Journal
The Internet occupies a central role in the field of medical technology, and an increasing number of medical devices rely on the use of connected networks. While connected medical devices offer a range of benefits to both patients and providers, they also present a host of cybersecurity risks. New threats are identified with regularity. For example, in March, the U.S. Food and Drug Administration (FDA) identified security vulnerabilities in a major device manufacturer’s implantable cardiac devices which potentially exposed the devices to remote control by unauthorized users; in April, cybersecurity researchers presented what is thought to be the first clear evidence that malicious attackers have the capability to remotely alter medical imaging, with potentially life-threatening consequences; the examples go on.
In recent years, it appears that several government agencies have made concerted efforts to coordinate their approach to connected medical device cybersecurity. These coordinated efforts offer valuable insight for manufacturers of connected devices by highlighting issues of particular concern for both regulatory authorities and the connected medical device industry more generally. This article will discuss several critical lessons that manufacturers of connected medical devices can learn from recent unprecedented coordination among the FDA, the Department of Health and Human Services Office of Inspector General (HHS-OIG) and the Department of Homeland Security (DHS), respectively, as well as the increasingly important role the Federal Trade Commission (FTC) has come to occupy with respect to the cybersecurity of connected medical devices.
Coordination between the FDA and HHS-OIG Highlights the Importance of Considering Connected Medical Device Cybersecurity during both Pre-Market and Post-Market Review
In the Fall of 2018, HHS-OIG performed a comprehensive assessment of FDA’s cybersecurity review process for connected medical devices, citing concerns over research indicating connected devices cleared or approved by the FDA remained susceptible to cybersecurity threats if left unmanaged. The HHS-OIG’s review culminated in two separate audit reports, collectively recommending that the FDA take steps to improve its overall approach to the cybersecurity of connected medical devices. In OIG Report OEI-09-16-0020, FDA Should Further Integrate Its Review of Cybersecurity into the Premarket Review Process for Medical Devices, the OIG ultimately concluded that the agency should more fully integrate cybersecurity analysis into its 510(k) and pre-market approval submission process. In OIG Report A-18-16-30530, The Food and Drug Administration’s Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices, the HHS-OIG found that the FDA’s processes for addressing ongoing, post-market cybersecurity threats were deficient because their policies and procedures did not adequately address handling post-market medical device cybersecurity events, and because the agency had neither adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices, nor established standard written procedures to address the recall of medical devices vulnerable to cyber threats in several district offices.
While HHS-OIG’s audit was specifically directed at the FDA’s own internal practices and policies regarding cybersecurity of connected medical devices, there are a number of important lessons that manufacturers of connected medical devices can learn with respect to their own approach. HHS-OIG’s focus on the FDA’s pre-market review process highlights the importance for manufacturers to carefully consider cybersecurity measures during the design and development phase of a connected medical device. Since the release of the HHS-OIG’s report, it appears that the FDA has increased its focus on the assessment of the cybersecurity of medical devices during the pre-submission review process, and has emphasized that device manufacturers have a responsibility to identify and document potential security vulnerabilities, likelihood of risk, and suitable mitigation strategies for connected medical devices in their pre-market submissions to the FDA.
Additionally, because the HHS-OIG audit specifically identified deficiencies with respect to the FDA’s post-market approach to connected medical device cybersecurity, it is likely that manufacturers with connected devices already on the market will encounter increased scrutiny from the FDA with respect to how diligently they monitor nascent cybersecurity risks, how frequently they update their cybersecurity measures, and how in line they remain with industry best practices for the detection, prevention, and management of cybersecurity threats.
The FDA has also recently emphasized that it will take a “total product lifecycle” approach to the regulation of medical devices, which involves evaluating the safety and efficacy of a medical device from pre-market design through post-market approval, as well as assessing a manufacturer’s overall commitment to creating a culture of cybersecurity. In response, manufacturers of connected devices should take a holistic approach to cybersecurity by focusing not only on the security mechanisms associated with a particular device, but also on bigger picture organizational issues such as operational transparency, risk management, and responsiveness to user feedback and real-world performance indicators.
Partnership between the FDA and DHS May Raise the Standard for Industry Best Practice
While the FDA and the DHS have worked together informally on medical device cybersecurity for many years, in the Fall of 2018, they formalized an agreement to collectively strengthen their respective responses to cybersecurity threats involving connected medical devices. A key goal of the partnership is to facilitate the exchange of information between the agencies regarding known security risks and preventive measures, in part to increase the speed and efficiency with which the FDA can distribute information to device manufacturers on how to respond to cybersecurity threats.
This collaboration between FDA and DHS may have an impact on the standards to which connected device manufacturers are held regarding industry best practices. The more quickly and efficiently information regarding cybersecurity is distributed, the more quickly both regulatory authorities and end-users will expect device manufacturers to update their products and policies in response. Manufacturers that fail to timely respond to known security threats risk both regulatory and reputational exposure and, as will be discussed in the following section, may be in violation of the FTC’s prohibition on unfair and deceptive practices. Accordingly, and particularly in light of this collaboration between the FDA and the DHS, it is critically important for connected device manufacturers to ensure they have mechanisms in place to actively monitor cybersecurity communications, especially from the FDA, as well as robust policies and procedures to quickly respond to newly identified cybersecurity threats.
FTC Involvement Emphasizes the Importance of Transparency and Accuracy Regarding the Cybersecurity of Connected Medical Devices
Although the FTC, unlike HHS-OIG and DHS, has not coordinated directly with the FDA, in recent years it has nevertheless become a key player in the field of connected medical devices due to its authority under the Federal Trade Commission Act (FTC Act), which prohibits unfair and deceptive practices. As applied to the cybersecurity context, the FTC Act prohibits companies from making false or misleading representations regarding their privacy practices. Failure to take reasonable security measures, particularly in response to known security threats, can also constitute an unfair and deceptive practice in violation of the FTC Act.
The FTC has made it clear that device manufacturers have a responsibility under the FTC Act to actively monitor connected medical devices for potential cybersecurity threats and vulnerabilities. The FTC expects device manufacturers to maintain an adequate process for reviewing and addressing security vulnerability reports from security researchers and academics and to update their products as necessary to mitigate potential threats. In practice, this means that manufacturers of connected devices have an affirmative obligation to ensure consumers are aware of the company’s privacy practices. This includes drafting and maintaining privacy policies that accurately reflect the cybersecurity risks customers may encounter when using a given connected medical device and that fairly represent how the company protects against and responds to cybersecurity incidents.
The FTC has stated on numerous occasions that the agency does not expect perfect security; it recognizes that the use of all connected equipment, including medical devices, will always pose certain cybersecurity risks. However, the FTC has stressed that it does expect businesses, including medical device manufacturers, to take reasonable measures to protect against well-known, foreseeable risks and to at least employ industry-standard best practices for managing cybersecurity threats and incidents.
We expect to see an increase in scrutiny over the cybersecurity of connected medical devices in the near future, particularly if the FDA continues with its recent efforts to coordinate with other government agencies. Additionally, due to the iterative nature and rapid pace of development of the connected medical device industry, we also expect to see continued updates to the FDA’s regulatory approach to the review and oversight of connected medical devices. It is critical for manufacturers of connected medical devices to remain up to date on government initiatives regarding these issues and to ensure they maintain their compliance with evolving standards in the industry.
Linda A. Malek is a partner at Moses & Singer LLP and Chair of the firm’s Healthcare and Privacy & Cybersecurity practice groups. Nora L. Schmitt is an associate in the firm’s Healthcare and Privacy & Cybersecurity practice groups.
Reprinted with permission from the May 31, 2019 edition of the New York Law Journal © 2019 ALM Media Properties, LLC. All rights reserved.