CyberVitals: Regulators, Legislators and Device Security - oh my!

Contributor: Vidya Murthy, WEMBA’42

There has been a flurry of policy and legislative activity in the last 6 months focusing on healthcare cybersecurity, the implications of which could fundamentally change the landscape.

President Biden issued an executive order in May of 2021 that mandates the recalibration of critical infrastructure cyber defenses to the growing maturity of adversaries. The ongoing conflict in Ukraine prompted the President to issue an additional statement in March 2022 focusing on the imperative nature of cybersecurity for our nation’s critical infrastructure to continue operating.

The Senate rapidly followed this announcement with the introduction of the Healthcare Cybersecurity Act of 2022 in March. If passed, it would establish formal collaboration and reporting, including education efforts and strategies for addressing the risks facing the healthcare sector.

And mere days later, Senators introduced the Protecting and Transforming Cyber Health Care (PATCH) Act, which expands regulations for medical device manufacturers to ensure mitigations are sufficiently in place through the existing Food and Drug Administration (FDA) approval process.

The FDA believes "cyberattacks against hospital systems and networks can directly result in harm to patients." Perhaps not obviously, the FDA is the governing agency over the security of medical devices as it pertains to patient safety and the market approval process.

With all this activity, it should not be surprising that within days of the Senate activity, the FDA issued an update to the cybersecurity guidance that informs how medical device manufacturers should design security into the operation of their devices. Although it is labelled guidance, guidance by definition reflects the agency's current interpretation of existing regulatory requirements. And device manufacturers have already reported that otherwise clinically effective devices are facing regulatory challenges as a result of a lack of cybersecurity considerations.

This guidance update recalibrates cybersecurity from a process independent of clinical development into a set of technical security requirements embedded in the quality management system. Shifting the focus from ‘nice to have’ to ‘demonstrated consideration’ is no small feat and will impact every stage of device development.

In addition to the FDA's expectations of device manufacturers, the FDA has requested a budget increase as well. The latest appropriation request shows the FDA seeking an increase of $5M, for a budget of $5.5M dedicated to cybersecurity.

It is clear that the connectivity many device manufacturers have prized for enabling innovation can no longer be taken for granted by any stakeholder without risk management considerations.

Looking down the road five years, both the regulators and the consumers of medical devices will continue to mature in their assessment of risk and their willingness to tolerate deviation from a baseline. If device manufacturers do not earnestly begin adopting better cybersecurity practices for their devices, they will face delayed release to market.


Contact Vidya at: [email protected]