Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit clearwatersecurity.com.
SPEAKER_01 (00:17):
Welcome to this episode of Speaking of Health Law. I'm Hal Porter, Director of Consulting Services at Clearwater Security, where we help organizations across the healthcare ecosystem move to a more secure, compliant, and resilient state so they can achieve their mission. Today, I'm joined by McGuireWoods attorney Allison Maurer, and we're going to dive into the implications of the FDA's growing focus on cybersecurity as a core
(00:40):
component of medical device safety and financial risk. With FDA urging manufacturers to treat cybersecurity risk management as a material business concern, this discussion explores what that shift means for legal, compliance, and risk professionals. Allison and I will examine how manufacturers and providers should navigate these expectations, how legal teams
(01:03):
can prepare for regulatory scrutiny, and how cyber risk in the device ecosystem is quickly becoming a board-level issue. Allison, it's great to speak with you. Before we dive in, can you share a little bit about yourself and the work you're doing at McGuireWoods?
SPEAKER_02 (01:17):
Absolutely. Thanks for having me. So I sit in McGuireWoods, I sit in the New York office, and I sit in the healthcare practice, the life sciences practice, and the data privacy practice. A lot of the data privacy work that I do is in the field of advising medical device manufacturers, pharmaceutical manufacturers, life sciences companies, as well as
(01:39):
traditional healthcare providers, but often in the context of things like clinical trials and life sciences related matters. So I have a deep background in HIPAA as well as the emerging sector in AI and med device development. So happy to be here. Thanks for having me.
SPEAKER_01 (01:57):
Awesome. Well, thank you very much. Let's go ahead and jump into the conversation. So to start us off, can you give us a high level overview of FDA's recent guidance related to cybersecurity and medical devices and maybe why this is such a significant development from a legal perspective?
SPEAKER_02 (02:13):
Sure. Happy to. So June 26th, which is pretty recent, close to recording this podcast, FDA dropped their, and this is a mouthful, so bear with me, guidance on cybersecurity and medical devices, quality system considerations, and the content of pre-market submissions. That just rolls right off the tongue. This one follows up on the prior 2023 guidance about pre-market
(02:37):
cybersecurity and specifically software bills of materials, or what we call SBOMs. So the 2020 guidance is really expanding pretty significantly on the definition of what FDA considers to be a cyber device. And we'll talk a little bit more about that in detail, which includes software, software functions, anything that
(02:59):
contains software that has programmable logic. So the AI guidance that we'll talk about, too, sort of comes into play here. And it really covers the spectrum of devices that are, you know, the guidance is really specific to devices that require submission, things like 510(k)s, De Novos, pre-market authorizations, investigational devices, human device
(03:21):
exceptions, as well as biologics and INDs, investigational new drugs that might have a software component. It also applies to 510(k) exempt class one devices, devices that FDA typically considers to be pretty low risk. But if it has a software component or if it is software and it's a device where it has the ability to get to the
(03:42):
internet, that's also going to be included under this guidance. So in the 2023 guidance, FDA really shared their expectations around building cybersecurity into lifecycle management and indicated at the time that they would use enforcement discretion when evaluating whether or not a product met those sufficient cybersecurity controls.
(04:04):
So this guidance kind of steps that up a notch and really talks about how these expectations now are no longer nice to haves. This is mandatory. This is truly a human security element. It's no longer just a cyber, this nebulous cyber safety incident. So it includes a requirement to continually update your software
(04:25):
bill of materials, which is really interesting. So if you're using software that has open source, you really have to track this and you have to maintain a live living list of what's in your system and update it and make sure that you're accounting for all of the components in your device. Understanding where those maybe open source components or software
(04:47):
may be in their lifecycle phase, making sure you're doing your patches, you're doing your updates, you're really making sure that you're keeping track and you know what's happening with each one of your elements in your device. So the guidance also talks about anything in a device or
(05:08):
component that is capable of connecting to the internet. So we're talking Wi-Fi-enabled, Bluetooth-enabled devices, near field communications, radio frequency. So anything that touches or has the potential to touch the internet, if you're capable of being connected some way, even
(05:28):
if that's currently disabled, if you're capable, then you're within this guidance.
Excellent.
SPEAKER_01 (05:35):
So why do you think FDA is now framing cybersecurity as a material financial and business risk rather than just a technical or compliance issue?
SPEAKER_02 (05:43):
Yeah, I think that we've seen a lot of movement in this area. There have been a number of cyber incidents over the years, and more and more they're really coming after the healthcare sector. And this really feels like almost a touchpoint where FDA has said, okay, look, this is human safety now,
(06:04):
where this is not about data. This isn't about privacy. This is a true human safety concern. And I think some of this really goes back decades at this point to, if you all remember, Dick Cheney had his defib replaced,
(06:24):
and there was some concern at the time that, oh, wow, this has its Bluetooth enabled, its Wi-Fi enabled. We maybe need to shut this off. This is not only a national security risk, it's a human risk, but a little bit of it goes back that far. So as we're seeing the threat actors get more sophisticated, there is more concern about really the physical threat that
(06:50):
there is to people who maybe have an implantable device or even devices that maybe they're not implanted, but there is significant risk here. And we've seen attacks, we've got the WannaCry attack a few years ago, we have some incidents in other countries and other systems or hospital-specific systems where
(07:10):
hospitals have been taken offline, and there has been legitimate safety risk to patients. So I think FDA is sort of at this point now where they've acknowledged that this is more than just a minimal risk. This is something that we really have to address. And it feels like it's almost the equivalent of
(07:32):
biocompatibility and safety testing for a drug, that you really need to prove your device is safe and cybersecurity is a function of that safety.
SPEAKER_01 (07:44):
Excellent. You know, and you kind of touched on it a few moments ago, but a cyber device is now clearly defined under Section 7 of the new guidance, along with specific recommendations under FD&C Act Section 542B, where it specifies manufacturers' obligations and cybersecurity requirements for medical devices, which was kind of lacking in the original draft of 2023 and the
(08:07):
subsequent 2023, or excuse me, 2022, and the subsequent 2023 guidance update. How could or does this level of specificity affect device makers from a legal perspective?
SPEAKER_02 (08:20):
Yeah, great question. So I think it really establishes that the risk starts a little bit at the beginning, and you really need to take this cradle to grave approach when you're developing a new product or when you're iterating on a product that is already in the marketplace. And this is sort of, it's almost a super guidance. Now, we all know FDA guidance is technically non-binding, but
(08:43):
this is really the point where FDA has clarified, you know, we expect this now. This is mandatory. This isn't, you know, we're not back in 1996 where nobody knows what the internet's really going to do. And they're really emphasizing that this is no longer a bolt-on situation. You can't build a system and then just bolt on patches and,
(09:06):
you know, cyber as an afterthought. This really has to be from the ground up, cradle to grave, beginning to end process. It really needs to be part of your design DNA at this point. Companies have to incorporate risk analysis. They have to incorporate threat modeling as part of their design
(09:27):
plans. So we're at this point where FDA is saying, look, if you're submitting an application, you really need to think through the potential negative outcomes here and really look at this holistically. So these are no longer nice to haves. These are mandatories. And from an enforcement perspective, it's really interesting to see that FDA has basically put their stake in the
(09:48):
ground and said, we're done here. No more Mr. Nice Guy, a little bit. We've had this industry for so long. You have to acknowledge that this is part of the process. We're still seeing hacks and events literally this week. There was another one with the ShareFile incident, and that
(10:13):
has potential to impact government systems, has potential to impact some healthcare systems. So it's really this function of you have to consider at the outset, really even your very early conversations, even before you have conversations with FDA, that this now has to be part of your company's DNA.
(10:33):
This is a material business risk. FDA has indicated it's a material business risk. And from a legal and liability standpoint, you have to consider, is failure to secure your device adequately now a tort? Is there negligence here? Is there gross negligence? Is this now willful misconduct if you have knowledge that
(10:56):
there's potentially a threat somewhere out there, or perhaps you didn't threat model adequately, you didn't think through the process? And is there sort of this new, not that gross negligence and willful misconduct are new standards of legal liability, but does that now apply to the device design? And from a healthcare provider perspective or a health system
(11:20):
perspective, if you're using a device, have you done your due diligence to determine whether or not this is something that may expose your system or may expose your patients? And then are we looking at malpractice here, that, you know, well, doc recommended a device or implanted a device that maybe didn't have the patches and the updates, didn't do the check? So there's sort of this breadth of risk now that having
(11:45):
FDA essentially say, look, this is a material business risk, we expect you to address this. It almost shifts the paradigm a little bit in terms of legal liability and the steps that everyone within the universe of developer to end user really needs to take into
(12:05):
consideration: the potential negative effects if there is a cyber incident.
SPEAKER_01 (12:11):
Absolutely. And Allison, you know, in our previous conversations, I really liked the way that you framed it in one comment where medical device manufacturers really should be taking the approach of built-in, not bolt-on. And I've got over 30 years of experience in IT and started off as a software engineer doing enterprise development.
(12:31):
And through that and through development, I've watched that mature and evolve, that whole progress of where it used to be the focus on security being bolt-on to where now it's a part of the discovery phase and every other element of the software development lifecycle phase. And it sounds like device manufacturers are starting to come around to that and really should be taking that approach
(12:53):
in their development and device manufacturing.
SPEAKER_02 (12:58):
And it's funny you say discovery phase. As an attorney, though I'm not a litigator, you know, that makes me think, you know, litigation discovery also. Was there something that was discovered somewhere along the line that you either ignored or downplayed or maybe forgot to look at that industry standard now says you should look at? And does that play into, you know, hopefully never, but a
(13:19):
wrongful death suit or some type of malpractice or some other type of liability in the event of a failure? So, yeah, making sure that you're documenting this appropriately. And if you find something, that you're really drilling down and figuring out, have we addressed all the possible threats here?
SPEAKER_01 (13:37):
Absolutely. You know, we focused a lot on FDA so far, but from a legal standpoint, how does this guidance fit into a broader regulatory environment surrounding medical device manufacturers? Should device makers be preparing for more enforcement activities in this space, not just from FDA, but from other regulatory bodies?
SPEAKER_02 (13:57):
Oh, I absolutely think so. So we've seen a lot of movement in this area over the past few years. So from the FDA perspective, we've got the AI guidance in terms of incorporating AI into your medical devices and tracking the life cycle and making sure that if you're doing material updates to your AI, that you're reporting that to
(14:19):
FDA. And that's something for consideration too, as you're developing your devices or you're enhancing your devices. Everybody's talking about AI right now, but is it really appropriate for everything? Is it appropriate for your device? And we can talk about that a little bit later, but we've got the AI guidance from FDA. So their eye is on that. We've also got recent updates to the quality systems regulations
(14:41):
in January 2024. So FDA's, again, though they don't address cybersecurity specifically in the QSR, it is really focused on good manufacturing practice and bringing the quality system regulations up to date with the ISO standards. I think it's ISO 13485, which is more of a global
(15:04):
standard. So FDA's eye is on the ball on devices. They're acknowledging that there's advancement here that maybe is outpacing what the regulations are. So then we have DOJ's cyber rule, which is going to be really interesting to see how this kind of affects medical device and the pharma industry and healthcare generally, which really prohibits sharing large
(15:28):
amounts of sensitive data with companies that are owned either in whole or in part by a company that is located in a country of concern. So we've got a lot of med device developers and a lot of drug developers who as part of the development process, or for devices, if they have components that are developed or
(15:50):
maybe maintained or data is being sent overseas to a company that's in one of these countries or is maybe owned by a company that's located in one of these countries, sort of what is that going to do to the development process and to the sharing process? And are those the types of transactions that are contemplated under the rule, or is the rule so vague that it
(16:12):
maybe didn't think through the healthcare consequences of prohibiting sharing personal health data? In the med device context, you know, personal health data is including, and I'm reading from the rule, physical measurements and health attributes, such as bodily functions, height and weight, vital signs, symptoms, and allergies. So my Apple Watch, you know, not supposed to be sending that type
(16:35):
of data, your Oura Ring. And if you're, you know, your physician has prescribed you even a medical device app, like a behavioral health app, we're not really sure maybe where that data is going. So we can do a whole separate session on the DOJ rule, but so we know that DOJ is watching those types of, you know, the transfers of data, their sensitivity about sharing
(16:56):
sensitive data, not to mention genetic data. So then, the White House just this week dropped their AI guidance with about 90 recommendations for reducing what they're calling bureaucratic red tape, fast-tracking AI development and AI infrastructure. We want to be the leaders in AI infrastructure, but it feels like there may be a little bit of a disconnect with what the
(17:19):
regulatory agencies are seeing, with both DOJ and FDA trying to lock it down a little bit and say, hey, we need to take risk here seriously. So it's going to be interesting to see how that plays out, and we need to be aware of it. So then we've always got, HIPAA nerd over here, OCR, Office for Civil Rights, who are increasing their enforcement in
(17:40):
the cyberspace. Again, all of these ransomware attacks, all of these bad actors, all of these shutdowns, OCR has basically drawn their line in the sand too, and said, look, it's been a really long time. We wrote HIPAA in '96. We've been seeing this increase. You can no longer bury your head in the sand here.
(18:00):
So from a healthcare system perspective, who's implementing medical devices in their system, and again, things like connected MRIs and sonograms, you've really got to consider that OCR has, they haven't said we've had enough, but they've said we've had enough. The fines are getting bigger. They're starting to do audits and those audits are showing
(18:22):
where the weaknesses are. And it's been a really long time. It's time for everybody to get up to speed. So it's going to be interesting to see if OCR and FDA sort of work hand in hand here, because I do think there is going to be a little overlap. But I think really we're at the point where if you haven't had an attack, you will. And, you know, we say that all the time and I'm sure you
(18:43):
say too, it's not a matter of if, it's when these days. And, you know, so the cross-agency guidance is really showing that as a whole, there's sort of now this trend with the agencies of, okay, oops, we didn't know doesn't play anymore. There's no more, you know, ignorance is not an excuse,
(19:04):
that we really have to be prepared that there's probably going to be enforcement from multiple places. And I wouldn't be surprised to see FTC get involved as well, as far as false and misleading: you've advertised your product to be compliant. You've advertised your medical systems and your EHR to be compliant. While EHR is likely technically outside the definition of
(19:25):
medical device, but clinical decision support software too, there's going to be a lot of overlap here. And if you've got a med device that has represented that it's compliant and it gets hacked and somebody dies, you've got a spiral of, you know, of OCR enforcement, DOJ enforcement, potentially FTC enforcement and FDA. So I think it's here to stay, and not that necessarily agencies
(19:48):
look for somebody to make an example of, but I don't want to be the guy who makes the first mistake here and gets a multi-agency pile-on.
SPEAKER_01 (19:57):
And no one wants to be the guy. So with regard, you know, we focused a lot on the medical device manufacturers, but with regard to healthcare providers who rely heavily on these devices, what legal considerations should they be considering and thinking about when evaluating or contracting for connected medical
(20:17):
technologies?
SPEAKER_02 (20:19):
Yeah. In a risk context, management, vendor risk management, and system fragmentation are really some of the big factors here. So we're already seeing it. And it's, again, this bolt-on versus built-up from the ground system where we're seeing a lot of clients in the space have these conversations too. Do we buy another thing or do we build our own?
(20:41):
But we've got significant fragmentation. Your MRI is on a different system than your ultrasound, than is on your x-rays. You've got medical devices in the surgical room, you've got EHR systems, how do those talk to each other? Are they built on different systems? Are they able to communicate securely with one another?
(21:01):
So looking at fragmentation, really looking at your Wi-Fi and your Bluetooth enabled. So you go into the hospital and you go to visit and you sign into the visitor Wi-Fi. Well, what else is on the visitor Wi-Fi? Do you have controls in place to make sure that nobody's tapping into your non-visitor Wi-Fi? Do you have VPNs?
(21:21):
Are these open networks? Where is the data going? Is it encrypted? And really kind of making sure that the systems and the communication systems are also secured. And you've also got the potential where you have an implantable medical device or even a wearable. Your doctor has prescribed, do the Oura Ring, we wanna check your sleep patterns, whatever.
(21:42):
So you go into your doctor, or if you have an app that is on an iPad for behavioral health, or there's a few medical device apps that are out there. So you go into your doctor's office and he says, okay, let's download your data. What network is that being downloaded on? Where is it going? What's happening to that data? My iPad's logged into the guest Wi-Fi.
(22:02):
Again, so you really have to kind of take that holistic approach of looking at all the entry points and the potential bad actor entry points and making sure that the system as a whole is completely secure. And then as you're evaluating new systems, are you building, are you bolting on things like AI?
(22:24):
Again, everybody's talking AI, AI, AI, it's the catch word of the day, but is it really necessary for what you want to accomplish? And is it really going to make something better, or is it compatible with your goals? Whose goals? Is it the healthcare system's goals? Is it the doctor's goals? Is it the radiologist's goals?
(22:45):
And making sure those goals are aligned and making sure that whatever devices you're implementing are necessary and you're not just buying the greatest, you know, shiny object that really doesn't get you where you want to go. And we are seeing that a lot in the industry right now, that there is a lot of this debate of, you know, you've got
(23:05):
somebody who says, I really want to use this new cool tool, but somebody higher up in the system says, yeah, but what's the end impact? And, you know, you've got a practice group who's saying, yeah, but we really want to use it. And somebody higher up is saying, but no, it's not consistent with everything else. So you've got to make sure all of your players are on the same page. And then, you know, just making sure you're evaluating your
(23:27):
vendors, the folks who are doing your EMR systems, the folks who are doing your Wi-Fi and your VPN and all of the medical device vendors, and sort of vetting their vendors. You have to ask the question now, are you using open source software? Show me your SOC 2 audit. It's no longer taking everybody's word for it that, oh, yes, we comply with HIPAA.
(23:48):
We are HIPAA compliant. Those are like my favorite words. Nobody's 100% HIPAA compliant. So, you know, really doing your diligence and thinking it through and not just trying to be first to market or first in the neighborhood with the new cool shiny toy. You have to do your diligence and figure out, are your vendors compliant? Because if they're not, that's going to flow up to you and
(24:10):
you're going to have a bigger problem on your hands down the road.
SPEAKER_01 (24:14):
Yeah, definitely. Like we saw with the Change Healthcare incident last year. So absolutely. We're starting to... More and more across the healthcare ecosystem, we're seeing cyber risk discussed at the board level. So how does FDA's framing of cybersecurity as a business risk affect how boards and legal teams should be approaching
(24:36):
oversight and governance, specifically in medtech companies?
SPEAKER_02 (24:40):
Sure. Again, you're on notice. This is now, cyber's a material risk. And I think for publicly held companies in particular, SEC said a few years back, cyber's a material risk. And we're at that point now where it really needs to be part of the company's true culture and DNA.
(25:00):
And it needs to come from the top down and it needs to come from the bottom up. Everybody in the organization has to understand, particularly in a med device development situation, that this is now human safety. Again, this isn't data, not that data breaches are fun by any means, not that data breaches don't cause harm, but this is
(25:23):
genuine risk. And as we talked about earlier, a little bit of legal liability here that FDA has said, look, this is a physical safety concern. So somebody dies because you didn't update your product, that's a fantastic lawsuit. And that's gonna be something that would be devastating to a
(25:45):
company. So you have to really, and again, it's this malpractice type of thing, gross negligence, willful misconduct. So everybody really needs to take it a little bit more seriously. And we are starting to see boards are inviting their CISOs, your chief information security officers, to meetings and asking for presentations.
(26:05):
Where are we on cyber? And really trying to take this more seriously. And from a design perspective, from a functional day-to-day, you really need to have those people in your meetings when you're doing concept review. Hey, we think we wanna do this, what do you think? Or we're thinking about making this upgrade, what do you think? And have them engaged throughout the process.
(26:26):
And as far as SEC for public companies too, the reporting. One thing that I think we're going to see a real shift in, and it's starting to happen a little bit now, is reporting in your S-1s and your F-1s and all of your quarterly and your annual filings, that this is no longer the squishy, vague, oh, we might be subject to something having to do with data privacy and
(26:49):
cyber. There could be a hack and oops, we might lose some data and there might be some fines. I think we're going to see those disclosures start to get beefed up a little bit more and really address the real risk that this cyber event is not just about data anymore. It's about true safety. So I think we're going to see that and it'll be
(27:10):
interesting to see, particularly in the next round of reporting, if those risk factors are starting to get beefed up. But I think, you know, again, it has to be really a top down investment, and in the medical device space, we're starting to see the boards are having, or they're starting to get it.
(27:31):
And it's not just one lone IT guy sitting in a closet somewhere who's trying to get somebody to understand how important this is. It's really a big shift and CISOs are playing a bigger role.
SPEAKER_01 (27:44):
Yeah. And, you know, of all the things that we've covered, quite a bit of material, I guess, you know, the next question I would have is what kind of practical steps would you recommend for legal and compliance teams that are looking to get ahead of all of these new expectations, especially in terms of collaboration with, like you mentioned, cybersecurity
(28:04):
leadership and clinical leadership?
SPEAKER_02 (28:07):
Yeah. Step one, evaluate what you have and where your gaps are. Data map, system map, ID map, device map, figure out what you have and where you are. And then within those devices, figure out all your components. Are all of your open source licenses okay? What software are you using? If you're looking to improve a market that's currently on the
(28:30):
marketplace, you really need to go back to your design specs and your design master files and take a look at what we've got. What's in there? And are we relying on outdated programs or outdated software? And do we need to patch from the ground up? Get IT involved early and often. Like we said, not just the CISOs, but the guys who are boots on the ground.
(28:50):
What are we seeing? What are the pings and the attacks that we might be seeing in the background? Things like that. Really trying to get a sense for where the vulnerabilities are. And then a deep dive into who's building your components. You have to understand your vendors. You have to understand. And I think particularly with open source software, that may be a potential vulnerability there that companies may look
(29:13):
again and say, maybe we don't use open source because, you know, one of the risks is you're putting out your list of all of your components and, you know, look, we know who's using what open source for which devices. Does that disclose a potential vulnerability there? So understand your software bill of materials, really track that,
(29:34):
keep that up to date. That almost needs to be a daily task for somebody, making sure that all of your patches are in. And then, you know, you really have to, the threat modeling is a really interesting requirement under the new guidance. So FDA is almost saying you have to tabletop test your device. You have to think of all of the crazy things you can think of
(29:54):
and then go one step farther. Because if you missed it and there's a problem, we may pull your product, we may reject your application in the first place. So you really have to think through this mental exercise of, okay, where do we have vulnerabilities? Maybe not to the extent of hiring a white hat hacker to
(30:16):
figure out how to hack into your device, but there needs to be more sensitivity to the fact that there are multiple entry points for failure. And we're in a world currently where Silicon Valley culture is really driving a lot of this. And it's the move fast and break things model. And with medical devices, I think FDA is really saying you
(30:38):
can't take that approach anymore. You can't move fast and break things. You still have to break things to figure out how to fix the things, but you got to do that before it's on the market. And there's no more, build the concept and then fix the mess later. It really has to be ground up, you know, it has to be part of
(30:59):
the true design of the product. And then engage all your stakeholders. Engage your users. Talk to the folks who are going to use your product. Talk to folks who, you know, say, look, go to the FDA early and often, request a meeting and say, we're thinking of doing XYZ for this device, you know, what do you think we need to cover that we haven't
(31:20):
covered already? Try to have a two-way conversation and engage experts. Look, there are folks who do this for a living. Clearwater is one of them. You know, you absolutely, you see things that are out in the marketplace that other folks don't see. As attorneys who handle cyber incidents, we see some really interesting things, things that you wouldn't think of.
(31:40):
And I can only imagine the types of things that Clearwater and other consultants are seeing on a daily basis. You know what's out there. You know before a lot of others what threats are being repeated, sort of who those actors are, where those vulnerabilities are that maybe you didn't think through. So engage, just like when you're designing a pharmaceutical
(32:02):
product or a med device now that isn't connected, you have regulatory experts, you kind of need to bring in a cybersecurity regulatory expert at this point to help with that design process. And really just kind of keep your finger on the pulse of what's going on in the marketplace, where others are getting caught, where there's opportunity to do better and there's opportunity
(32:25):
to do more and just really try to stay ahead of the threat actors, which is becoming harder and harder to do on a daily basis.
SPEAKER_01 (32:36):
Absolutely. And yeah, it goes back to that built-in, not bolt-on approach. Definitely. So in looking at all of this and kind of looking to the future, maybe what's on the horizon, with the increased focus and visibility on cyber risk, are there any additional regulatory
(32:58):
or legal developments that you think may impact how cybersecurity and medical devices are treated, either by FDA or other agencies?
SPEAKER_02 (33:07):
Absolutely.
OCR.
OCR is going to continue to be out there.
They're going to try to keep up.
I think that we're going to see OCR try to maybe flex their muscles a little bit more in this space.
It'll be interesting to see sort of how they reconcile the interoperability rule with some of these guidance recommendations.
(33:28):
And, you know, we're still waiting for some formal, real formal enforcement on the interoperability rule.
We know there are a lot of complaints.
There's a little bit of litigation that's out there right now.
So really trying to keep an eye on what OCR is going to do with that, and DOJ.
Centers for Medicare and Medicaid Services, CMS.
So reimbursement.
You're reimbursing for a medical device, particularly now one that's out there that's approved.
(33:51):
You're claiming it's safe.
If you have a breach and it causes a physical harm, do we have a False Claims Act violation now because you've claimed it to do one thing?
It did not do that one thing.
It had a safety failure.
(34:12):
So do we start to see CMS say, hey, a device failure when, you know, it's an enabled device, it's a cyber device, you know, someone was harmed.
Are we looking at callbacks?
Are we looking at, you know, enforcement action for false claims?
So I think that's going to be really interesting to watch too.
And same thing with DOJ.
You know, do we have false representations?
And then are we looking at, you know, you're causing false claims?
Is there sort of a downward spiral there, misrepresentation?
(34:35):
And FCC.
So we're dealing with near field communications as it is now.
If you have a medical device that's, you know, NFC or radio, you have to test for interference.
That is going to continue to be expected.
And it might be interesting to see if FCC steps in and issues guidance that sort of bolsters FDA's guidance,
(34:57):
and sort of how that works alongside with the AI framework too.
The president's proposal for AI, we're gonna have to wait and see sort of what comes from that, but I think there's gonna be a little bit more development there and maybe a little bit more pushback.
Appreciate that sometimes FDA and the agencies are seen as red tape, but when we're dealing with physical safety,
(35:20):
I think there's maybe a little bit of friction there.
And the AI legislation on the state level.
A lot of the states are pushing now to control how AI is used, particularly in medical device, health field.
You know, there's a lot of activity on the state level that I think is going to continue.
And then, you know, look, global economy, we've got GDPR to deal with.
(35:43):
We've got the EU AI Act to deal with.
There are other countries who are trying to be on the forefront of this and trying to install some controls here and really set the boundaries, and health data in particular is highly sensitive data.
It's a high risk application for AI.
(36:03):
So how do we reconcile that if you're developing a medical device that is either, you know, for the U.S. and you want to expand globally, or you're trying to develop it globally off the bat?
(36:24):
So you really have to take those types of situations into consideration, that there may be others who are more advanced than we are in terms of monitoring cyber devices and development.
So it's going to be interesting to watch what happens, but I do think there's going to be a lot more activity in the next few years.
SPEAKER_01 (36:33):
Excellent.
Well, Allison, that wraps up today's conversation about FDA's recently published guidance on medical device security.
Thank you so much for your excellent insights.
Thank you to our audience as well for listening.
We hope that you found this episode helpful in advancing your understanding of the evolving regulatory environment,
(36:53):
and have a great rest of your day.
SPEAKER_02 (36:55):
Thank you, Hal.
SPEAKER_00 (37:01):
If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts.
For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
And stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast,
(37:21):
exclusively for AHLA Premium members.
To subscribe and add this private podcast feed to your podcast app, go to AmericanHealthLaw.org slash Daily Podcast.