Part 2: HHS Wall of Shame Analysis 2009–2023 — Changing Regulatory Environment

‍By Vidya Murthy, Medcrypt COO and Axel Wirth, Medcrypt CSS

As we demonstrated in Part 1 of this blog as well as reported in public media through the coverage of individual security events (domestic and international), healthcare delivery systems are increasingly under attack, resulting in compromise of sensitive data, ability to deliver care, and ensure the safety of their patients. Consequently, in the last 18 months there has been added emphasis to specifically raise the bar for cybersecurity in healthcare in general and for medical device cybersecurity in specific.

This includes:

• In December of 2022, the “Protecting and Transforming Cyber Health Care Act of 2022” (PATCH Act) was signed into law and went into effect in Oct. 2023. This law compels medical device manufacturers to demonstrate that their products meet security requirements before being approved for use, supply a Software Bill of Materials (SBOM), and have a plan in place to monitor and disclose vulnerabilities and provide timely updates.
• The FDA cybersecurity spending bill was approved (Section 524B) in 2022’s Omnibus Reform Act, giving the FDA authority to enforce cybersecurity and expressly requiring a comprehensive cybersecurity risk management program.
• On September 27, 2023, FDA released its final guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”, defining FDA security requirements for devices and its expectations on how to manage security during the device’s lifecycle.
• On October 1, 2023 the FDA began to refuse to accept applications of new medical devices, if they fail to address the requirements of section 524B, through the use of their novel electronic submission template (eSTAR).
• On top of this, The US Government Accountability Office (GAO) released a report on medical device cybersecurity to identify limitations in federal agencies’ authority, explore challenges in accessing federal support, and provide recommendations to the government on improving coordination in this space.
• The Department of Health and Human Services (HHS) published a set of 10 essential and 10 enhanced healthcare-specific Cybersecurity Performance Goals (CPGs). Although voluntary for now, they intend to help healthcare organizations prioritize implementation of high-impact cybersecurity practices, prepare for and respond to cyber threats, adapt to the evolving threat landscape, and build a more resilient sector.

Collectively, the developing legal and regulatory strategy is taking a two-pronged approach by improving the security maturity of devices and systems hospitals are buying while also raising the bar on improving the security posture of the environment they operate in, i.e., the hospital networks. The overall trend is to move away from having healthcare delivery organizations (HDOs) solely carry the burden to ensure and manage the security of devices within their network. The growing momentum between regulators, the government, and consumers is to increase the de facto security that comes with devices.

Enforcement is Really Happening

October 1, 2023 saw the implementation of the eSTAR program by the FDA. While this may seem tangential, it does act as an entry gate and enforcement step for manufacturers to demonstrate that they are meeting FDA cybersecurity requirements. If those requirements cannot be demonstrated, the submission does not “Pass Go” and the review process will not begin. This transition moves enforcement from idiosyncratically relying on the reviewer, to now being systemically enforced across submissions. Anecdotally, we have observed a 700% increase in rejection due to security alone when compared to the prior quarter.

Additionally, other agencies have started to establish mature security expectations and have demonstrated their willingness to enforce. Early in January, the Federal Trade Commission (FTC) sought action against a CEO and CFO for poor data protection practices. Equally interesting is the notion that the FTC is enforcing action against the CEO for the next ten years, regardless of place of employment. This quite obviously cements security practices as ‘set at the top.’

Lastly, the Securities Exchange Commission (SEC) rule requiring disclosure of material cybersecurity incidents went into effect mid-December of 2023. Interestingly, ransomware gangs have taken advantage of this rule by directly filing to the SEC when a company refused to negotiate after a ransomware attack, i.e., a material breach.

Cybersecurity as Business Opportunity, not Business Problem

At its simplest — cybersecurity can be seen as a partner in growing revenue opportunities, rather than the historic view of it being a cost center without value. When the leadership team does not strategically utilize security and risk management to make informed decisions, security will almost assuredly result in the perception of a cost center and will not be able to meet today’s market needs and legal and regulatory expectations.

While there have been several publicly cited instances of stock value loss after a breach, in addition to reputation and legal impact, at the end of the day, patient safety is the ultimate goal of any security program. The ability for connected healthcare to fundamentally change care delivery is widely discussed, and with novel data opportunities emerging requires a responsible sharing of responsibilities and mature security table stakes.

Regulation will keep maturing, including expected updates of the HIPAA Security Rule — but if healthcare waits until the regulators show up, the challenge in meeting mature expectations will be insurmountable. By starting the process of understanding and aligning security initiatives with business opportunities, the mindset around security can start to shift and the business can take advantage of this new legal and regulatory environment.

Looking for support meeting FDA cybersecurity requirements to secure medical devices by design and improve patient safety? Connect with Medcrypt for the ways we can help your organization. Email us at info@medcrypt.com and visit our website.

‍