Heart rate and blood glucose monitors, automated drug delivery equipment, implanted devices and handheld fitness trackers are all members of the massive IoT - Internet of Things. They are not often considered computers subject to federal data privacy and cybersecurity laws. But they have IP (internet protocol) addresses, access to the internet, usually via WiFi, and they transmit highly sensitive individually identifiable medical data. Now, they also have federal regulatory oversight, and HIPAA compliance is just the tip of a much larger and more rigorous set of federal cybersecurity standards.
The new Consolidated Appropriations Act of 2023, Section 3305, grants authority to regulate the cybersecurity of medical devices to the FDA - U.S. Food and Drug Administration, working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), established in 2018 and part of the U.S. Department of Homeland Security.
The new regulatory cybersecurity standards over medical devices will begin at their premarket submission. Entrepreneurs currently designing, building, and/or submitting devices of any type, even premarket, to be used by patients of any diagnosis, must stop now and turn their attention to complying with robust cybersecurity protection standards over patient health data that is either created by or passing through their device.
Key questions include who owns the healthcare data, and who is storing it. Regulators want to know how the data is secured, who has legitimate interests in the data, and whether any companies are using or selling the data for any purposes that are in their own best pecuniary interests. The lifecycle of the data must be defined, and destruction of data timed and verified.
Cybersecurity standards will also apply to the electronic health record systems of health providers, and to the networks of medical facilities that are linked to devices through medical data transfers, uploads, downloads, and transmissions.
Regulators are updating the FDA's 2014 medical device guidance, as well as the requirements of past laws including the 1990 Safe Medical Devices Act and Section 3060 of the 21st Century Cures Act of 2016.
This new FDA authority... will help to bring the healthcare industry one step closer to better cybersecurity and patient safety.