Cybersecurity and medical devices: What physicians need to know

The Food and Drug Administration (FDA) has drafted new guidance related to medical device cybersecurity and the relationship with HIPAA.

Building on previous writings from 2014, the FDA issued an updated draft guidance Oct. 18, 2018, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff.

The guidance defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” Translated into “HIPAA language,” this requires the availability and integrity of the device-and its data-remain intact.

The broad scope of the guidance encompasses FDA medical device premarket submissions for effective cybersecurity risk management, continued cybersecurity management to reduce the risk of physical harm to patients, and satisfying HIPAA requirements.

While not binding at the moment, the guidance is important because it references laws that are in effect. The guidance incorporates HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule as well as the Federal Food, Drug, and Cosmetic Act (and related laws, e.g., the Medical Device Amendments of 1976) for branding and labeling provisions.

The guidance identifies two types of devices, Tier 1 and Tier 2. Tier 1 devices are said to carry a higher cybersecurity risk and have two associated criteria:

• capable of connecting (e.g., wired or wirelessly) to another medical or non-medical product, a network, or the Internet and

• a cybersecurity incident affecting the device that could result in patient harm to multiple patients.

Tier 1 devices include pacemakers, brain stimulators, and nerve stimulators. The guidance makes sense given the parts of the body that are affected by the devices.

By way of contrast, a Tier 2 device is “[a] medical device for which the criteria for a Tier 1 device are not met.” This includes an electronic device that creates, receives, maintains, or transmits protected health information (PHI) or is used in medical treatment but does not impact a body part vital to life.

The guidance recommends complying with the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS). This should not come as a surprise for two reasons. First, the government is required to use these standards internally. Second, both NIST and FIPS are expressly stated in a variety of laws and regulations, including the HIPAA Final Omnibus Rule.

There is a specific section in the guidance entitled Maintain Confidentiality of the Data. The FDA intertwines HIPAA and the obligations between a covered entity and a business associate as well as maintaining data confidentiality. In this context, confidentiality falls under the HIPAA umbrella.

For the purposes of this guidance, other harms such as loss of confidential PHI are not considered patient harms. Although protecting the confidentiality of PHI is beyond the scope of this document, it should be noted that manufacturers and/or other entities, depending on the facts and circumstances, may be obligated to protect the confidentiality, integrity, and availability of PHI throughout the product lifecycle in accordance with applicable federal and state laws, including HIPAA.

Therefore, while physicians may not be involved with the cybersecurity of the device, they are still obligated to comply with HIPAA and the HITECH Act. Standards such as HIPAA Authorizations that give patients both notice and the right to opt out of having their PHI sold to a pharmaceutical company or medical device manufacturer, a comprehensive annual Risk Assessment, and a Business Associate Agreement are all required. Physicians should do their due diligence on companies in relation to those entities’ compliance with the FDA, HIPAA, and the HITECH Act.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.