Medical devices are a new front in the cybersecurity war against health care.
Manufacturers, patients, and providers alike play a critical role in mitigating the risks of cybersecurity incidents related to medical devices. It is critical to implement appropriate technical safeguards, patient education, and provider training to mitigate potential adverse events, which could lead to adverse patient outcomes – even death. According to the U.S. Food and Drug Administration (FDA), “[b]y carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage emerging cybersecurity risks, manufacturers can reduce cybersecurity risks posed to devices and patients.” Importantly, the FDA collaborates proactively with other government agencies (e.g., the Department of Homeland Security (DHS)) and, if there is a cybersecurity-related medical device incident, with other agencies on the enforcement side. Manufacturers could be subject to enforcement actions by federal agencies such as the U.S. Department of Health and Human Services – Office for Civil Rights (HHS-OCR), the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), and the U.S. Department of Justice (DOJ). Appreciating both the “offense” and “defense” sides of the coin is critical for manufacturers and their boards in assessing fiduciary duties, liabilities, and enterprise risk management.
In a recent FAQ, the FDA highlighted some common misconceptions about its role compared with that of the device manufacturer. Below is a chart that highlights a few key items.
In March 2023, the FDA released a notice in the Federal Register that section 524B was being added to the Federal Food, Drug, and Cosmetic Act (FD&C Act) pursuant to the Consolidated Appropriations Act, 2023 (“Omnibus”) Section 3305 – “Ensuring Cybersecurity of Medical Devices”. October 1, 2023 is a date to mark on the calendar, because, as the FDA stated,
FDA generally intends not to issue "refuse to accept" (RTA) decisions for premarket submissions submitted for cyber devices based solely on information required by section 524B of the FD&C Act before October 1, 2023, but instead, work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. Beginning October 1, 2023, FDA expects that sponsors of such cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.
One of the key takeaways for manufacturers is the requirement to comply with federal regulations. Failure to comply with federal regulations, such as by selling defective medical devices, including those that use a software algorithm known to have a material defect, can lead to liability under the False Claims Act. This exact scenario happened to Alere, Inc. in 2021, when it paid $38.75 million to resolve allegations that it “violated the False Claims Act by billing, and causing others to bill, the Medicare program for defective rapid point-of-care testing devices.” Hence, manufacturers and providers alike are put on notice that this type of conduct is material and that they have an obligation to comply with the applicable laws, regulations, and guidance.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.