As the Calendar Turns, Cybersecurity Remains Key Focus of Digital Health Enforcement

January 6, 2023 | By John W.M. Claud

As we turn into the New Year, we offer a few items of interest in digital and telehealth regulation, enforcement, and compliance that may provide some helpful guideposts for stakeholders.

In 2022, the chief regulating entities—FDA, FTC, and DOJ—all continued to forge policies to help bridge the rapidly moving waters between traditional regulatory concerns about safety and effectiveness on one side and cybersecurity, data privacy, and identity integrity on the other. To date, regulatory enforcement litigation focused on actual or imminent patient harm has taken a backseat to cybersecurity as FDA continues to update and implement its oversight framework. But a compromised device is a threat to patient safety, so that timeline could change in the event of an adverse event that imperils consumer health. Until that happens, interested parties in this space continue to face many of the same cybersecurity threats as other data-tech entities.

In mid-November, FDA collaborated with the MITRE Corporation to publish an update to the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The Playbook is a guide for healthcare delivery organizations to respond to cybersecurity incidents that threaten device function and, potentially, patient safety. It emphasizes building partnerships with local health and law enforcement authorities, so organizations can mitigate any breaches, especially those that can potentially cripple smaller, less resourced providers.

Among other things, the Playbook encourages preparedness, provides some considerations for impacts and downtime, and adds a resource appendix to give users more tools and resources. It is another effort from CDRH’s Digital Health Center of Excellence to provide structure and guidance to participants across the connected device playing field, including both delivery organizations as well as manufacturers. CDRH is building an extensive library of similar reports and white papers as it prepares its final guidance for medical device cybersecurity, scheduled to come out next Fall.

Combination products are sharing the digital moment with those classified solely as medical devices. Combination products might be part drug, part device, or part software or hardware. Those different pieces create a complex regulatory puzzle, and cybersecurity failings in them can just as quickly cripple functionality and threaten patient safety.

Remarks at the November AFDO/RAPS Combination Products Summit highlight the complexities of connected combination products. The current Team Lead for Injection Devices in CDRH’s Division of Drug Delivery and General Hospital Devices and Human Factors noted that, depending on the product, the pre-market path for a connected combination product might require an IND, an IDE, or a determination that it is a medical device data system, which is not regulated as a device. Post-market, combination products potentially face the same enforcement scrutiny as single-entity medical devices. FDA counsels that, as with any other electronic device, seemingly small, routine steps like software maintenance and updates are ways companies can address possible vulnerabilities that could lead to adverse events.

FDA has shown a willingness to intervene in this space. One example is the Warning Letter FDA sent to Medtronic in late 2021 concerning a vulnerability in insulin infusion pumps. Another is the June 2022 Letter to Health Care Providers about a cybersecurity vulnerability affecting Illumina medical devices for clinical diagnostic use in sequencing a person’s DNA or testing for various genetic conditions.

Digital providers and manufacturers not only have the concerns of the FDA to consider, but those of the FTC as well. Where evidence supports, the FTC views data security breaches as violations of the FTC Act as unfair and deceptive advertising practices. The theory here is that if digital device makers tell customers their data is safe, but in fact it is not, and if a breach occurs, those makers may face liability.

This was a topic at the December Food and Drug Law Institute conference on Current Developments in Digital Health Technology and Regulation. Speakers from both the FTC’s Division of Privacy and Identity Protection and DOJ’s Consumer Protection Branch expressed a continued willingness to bring suits against firms that fall short in their data integrity efforts, citing cases against SkyMed and Flo Health as examples of their work that also touch upon FDCA concerns. Another takeaway from this conference was that CDRH received high marks from commentators across many panels about both the quality and quantity of the Agency’s efforts to develop and align regulatory expectations in this area.

Healthcare delivery organizations are facing increasing pressure from cyberattacks due to the sector’s profitability and the growing number of accessible endpoints that advancing technology provides. Thus, cybersecurity is tightly intertwined with safety and effectiveness, and government regulators seem willing to invest the resources to detect cybersecurity problems that affect the regulatory landscape. Moving forward, it seems likely that those issues will become even more prominent during both the pre-market process and post-market monitoring and use, to guard against data breaches and adverse events. More updates will follow here as trends develop in 2023.