CyberVitals: Moving from Idiosyncratic to Systemic Enforcement

Contributor: Vidya Murthy, WEMBA’42 

The last quarter of 2023 saw the confluence of many policy initiatives reaching implementation. Where enforcement of cybersecurity quality previously depended somewhat on the clinical device type and on the reviewer assigned to a submission, the Food and Drug Administration (FDA) has now implemented multiple frameworks to systemically enforce cybersecurity baselines across all submissions.

In particular, the mandatory use of the Electronic Submission Template and Resource (eSTAR) for 510(k) and De Novo submissions means cybersecurity diligence is verified automatically for every submission. Combined with the final premarket cybersecurity guidance, this means medical device manufacturers must embed security considerations across their entire product development lifecycle.

Why is this different?

The FDA’s emphasis on security is not surprising, but because the agency carries statutory authority, device makers do not have the option of disagreeing with, or attempting to contextualize, the decisions made. This takes the burden off FDA reviewers and instead puts the requirement back on manufacturers. Much as health systems have used procurement decisions to push security to the forefront, the regulator is delaying market entry for devices that do not sufficiently account for security principles.

Applying the False Claims Act (FCA) to the growing volume of cybersecurity-related disclosures means added scrutiny for device manufacturers. There have been multiple FCA claims against electronic health record vendors in the past, and the government has stated that cybersecurity continues to be a major area of focus for FCA-related investigations.

Scale of Impact

Just as enforcement of cybersecurity is shifting from individualist to ingrained, attackers have also shifted strategies. Increasingly, widespread and deeply embedded vulnerabilities have emerged from the hacker community (e.g. Ripple20, BlueKeep, WannaCry). If we think of hacking as a business, the return on investment for a systemic issue that spans devices and industries versus an idiosyncratic hack of a single device in a single instance is obvious math.

This translates into attacks on health systems, which have grown in scale. As noted, 385 million patient records were impacted from 2010 to 2022. Recent data shows that the frequency of attacks is lower, but the number of records compromised has increased. Additionally, we cannot forget that if a health system falls victim to a ransomware campaign, it can lose the ability to update electronic health records and to use devices that rely on connectivity for making calculations (such as devices used in radiation oncology and sophisticated surgical robots).

What should we do going forward?

With the current administration and its commitment to prioritizing cybersecurity in government procurement, ‘hoping’ you get through the FDA is not a strategy. Any new technology brings its own set of pros and cons, and connected medical devices are no different. They are an exciting innovation in the healthcare industry that allows patients to customize their care, offers constant and easy monitoring for doctors, and opens the industry to new medical discoveries. Like any other industry or technology, they can be harmful in the wrong hands. Building devices that are secure by design helps to alleviate potential problems down the line.


Contact Vidya at: [email protected]