By Sara Farnsworth, Medcrypt Information Security Manager
The U.S. Supreme Court’s decision last week to strike down the Chevron doctrine is forecast to create upheaval in the cybersecurity regulatory landscape, but medical device cybersecurity enjoys a unique legal status that means it should remain unscathed.
The doctrine of “Chevron deference” comes from a 40-year-old SCOTUS decision that defined the relationship between the three branches of government. When Congress enacts a statute that is unclear, which they do with regularity, executive agency regulations interpret those statutes where they are ambiguous or silent. Congress has for many decades operated under the assumption that it can pass vague statutes and rely on the executive branch to figure those out. Under Chevron, courts were told to defer to those regulatory agencies’ interpretations of statutes as long as they were reasonable, under the rationale that those agencies, staffed with subject matter experts, were best positioned to make those decisions — or at least better positioned than judges would be.
Now that Chevron is no longer the law of the land, we are likely to see a massive wave of legal battles challenging all manner of federal regulations, including those governing cybersecurity. The courts are now empowered to determine the meaning of unclear statutes themselves, without deference to regulators.
How might this affect medical device cybersecurity? In December 2022, a cybersecurity political miracle happened when Congress passed an actual statute establishing in astonishing detail (for a statute!) what medical device manufacturers must do to secure medical devices and FDA’s authority to regulate that. This seemed to be the first time Congress had acted to impose any cybersecurity requirements on non-governmental systems or entities since 2005. It was a rare and promising development for the security of our medical devices. At the time, I had just signed the employment contract for my new dream job working to help Medcrypt secure medical devices, and I fist-pumped in celebration at the late-December “Christmas gift” we had received: the solid, clear authority of a statute in a regulatory environment that I understood was likely to become very messy.
At the time of the bill’s passage, legal experts already understood that the Chevron doctrine was critically endangered and that if it were struck down, our regulatory system would be upended. While regulations of all stripes are now much more vulnerable to being overruled by courts, the 2022 congressional action adding section 524(b) to the FD&C Act means that FDA’s authority to regulate medical device cybersecurity now rests on the far more secure footing of Congress’s constitutional lawmaking power.
Meanwhile, we still have the framework of statutes and regulations in place that were formulated during the many decades when Congress operated under the assumption that they could pass broad and vague statutes and rely on regulators to work out the details. So we’re anticipating a morass of lawsuits assailing all manner of regulatory authority, including cybersecurity regulations in general. But medical device security regulation will be uniquely insulated from these challenges, because it now relies on remarkably explicit and clear (for Congress anyway!) statutory authority.
Sara Farnsworth is a 2019 graduate of the UNC School of Law and Con Law nerd who manages Information Security at Medcrypt.