Navigating FDA's Updated Cybersecurity Guidance for Medical Devices

Pre-market submissions are a key opportunity for the FDA to evaluate cybersecurity measures, expert says

The FDA recently released updated guidance on cybersecurity in medical devices, introducing new regulatory references that are more closely aligned with global cybersecurity frameworks than with traditional U.S. standards.

While these recommendations serve as guidance, companies and manufacturers in the medical device sector are curious about potential future enforcement directions.

Former Director of Privacy and Technology Enforcement for the Texas Attorney General’s Office and Acting Legal Advisor for Commissioner Simington at the Federal Communications Commission (FCC), Tyler Bridegan, Privacy and Cybersecurity Partner at Womble Bond Dickinson, has conducted and defended hundreds of government investigations. Recently, he discussed the updated guidance further with Healthcare Innovation.

The new guidance appears centered on medical devices. How does this affect the overall healthcare space?

The FDA issued this under level two guidance. I think there's been a push, over almost the past decade, from the FDA to keep refining and putting more cyber-related guardrails in place.

They first kicked off this process in 2016. Cyber-attacks have continually been on the rise, but I think it became more of a government focus, on a somewhat bipartisan basis, that there needed to be more done to protect and harden the cybersecurity measures in place for potentially sensitive areas or sensitive use cases, such as medical devices.

It’s my understanding that cybersecurity is now a key component of these medical devices.

I think it's just assumed everything is connected in some form or fashion. There was a lot of discussion about the Internet of Things and connecting different devices, including medical devices. With that, the FDA wanted to make sure that there are at least some standards in place and expectations. They issued this new guidance, which builds off their prior rules. It refines their prior rules further.

From a federal government standpoint, across agencies, it's expected, if not required, that there's some sort of cyber protection in place. They are like controls that companies have in place.

Do you foresee a future enforcement, and what would it look like?

I think it's definitely possible. The FDA is focused on pre-market submission. That is their opportunity to give a thumbs-up or thumbs-down on whether cyber protections are sufficient.

I'd be curious how there could hypothetically be enforcement. Under the False Claims Act, that has been sort of how the Department of Defense, Department of War, has proceeded. If you're a defense contractor, you enter into an agreement with the Defense Department, you are submitting certain representations as part of that. I could see a legal theory that, if a representation is made as part of the FDA pre-market submission process and is ultimately not true on the cyber front, that that would be a potential route for the FDA to refer it to the DOJ.

Did anything stand out for you in this guidance?

Cybersecurity is a constant moving target. The guidance is still relatively high-level. Their expectations are pretty consistent with what people would say are best practices across industries: doing risk assessments, actual testing such as penetration testing, and broader cybersecurity testing.

The FDA focuses on incorporating secure design practices on the front end. They put a greater emphasis on making sure companies front-load, that is, thinking of incorporating cybersecurity protections into controls, into product design. They're principles-based.

Given cyber threats to the healthcare industry, this guidance must be highly anticipated.

Healthcare has long been the target of threat actors because that data is valuable. The pre-market submission process deserves extra attention from the FDA. If you have a pacemaker that's connected to the Internet, there are serious, very quick implications.

The healthcare sector, more broadly, has always had very valuable data that threat actors have targeted.

If you track the FTC's Health Breach Notification Rule, I don't think we've seen any enforcement under it yet. But that will be coming.

From the federal government, there have been big areas where I think enforcement has been active: healthcare and healthcare fraud, as well as cybersecurity. It's been active on both the rulemaking and the enforcement front. I expect the FDA's cybersecurity focus will probably dovetail into some sort of enforcement with other agencies, whether it be the DOJ or FTC, under the Health Breach Notification Rule.

How does this guidance fit into the federal government's sectoral approach to heightened cybersecurity requirements?

In March, the White House released its cybersecurity plan, which is a very quick read. My interpretation is that it was a green light for agencies to blaze ahead on any cybersecurity rulemaking or enforcement. I think, to the extent any federal agency hasn't started cybersecurity rulemaking, I would not be surprised to see several start them. I think enforcement will continue to increase. The FDA’s release was shortly after the White House’s. I expect more and more agencies to continue to push ahead on either cyber-related rulemakings and guidance or enforcement, or both.

What do you foresee for the future?

Anytime there's a war breaking out with a nation-state that has strong cyberattack capabilities… there's always a wave of cyberattacks. We have seen a huge increase in scams, which also coincides with big global events. I think Iran has strong capabilities. China, I think, is the biggest threat in the world and is known for having a wait-and-see approach. They don't indicate that they've gotten into systems. The long-standing belief is that they already have access to a lot of systems, but don't make any noise. Companies aren't necessarily aware that Chinese-backed groups have access at this point. I think Iran is most likely targeting measures to disrupt critical infrastructure.

City and county systems have become an increasingly frequent target for threat actors. We'll see what the administration's encouragement of companies to take a more offensive approach to cyberattacks or cybersecurity looks like. There are a lot of liability concerns from companies that do that. There are a variety of laws that could potentially be violated. We'll see how companies ultimately navigate that risk, but it would be a pretty big shift from the responsive posture they've taken to a more offensive approach. The FBI has repositioned itself over the years as an ally of companies. Companies and clients are creating relationships with the FBI in their cyber teams, because that information sharing can be particularly valuable for understanding what risks companies should be on the lookout for in the types of attacks.

Do you have any advice for healthcare leaders?

Immediate steps for companies are to make sure that they're sending reminders to employees to be on the lookout for suspicious activity. At the end of the day, a lot of breaches are human error. A lot of breaches don't require a ton of sophistication.

If systems are moving slowly, that might indicate that there's a threat actor in the system trying to zip a lot of files. There are these signs that a lot of people might just dismiss as an inconvenient tech issue, that could actually be signs of a cyberattack happening or getting ready to happen.

Provide employees with clear reporting mechanisms to raise those concerns, reminding people to contact IT or a legal department if they see something suspicious, making that process as easy as possible, because just keeping it on people's radar is really the most immediate thing that you can do at the end of the day.

On the IT front, make sure you have backups of information. If you have backups of that data or information, that can at least lessen the blow. Having good current backups of systems that are safe from the attack is an important thing to have in your pocket, to get back up and running in a timely manner.

About the Author

Pietje Kobus-McAllister

Pietje Kobus-McAllister has an international background and experience in content management and editing. She studied journalism in the Netherlands and Communications and Creative Nonfiction in the U.S. Pietje joined Healthcare Innovation in January 2024.
