One Small Legislative Step for Cybersecurity – Lawfare

The massive appropriations bill signed by President Biden on Dec. 29, 2022, included, among other riders, language requiring the makers of internet-connected medical devices to reasonably ensure that such devices and their related systems are cybersecure. The legislation grants the secretary of health and human services authority to issue regulations, setting requirements for covered devices to be enforced by the Food and Drug Administration (FDA). 

The measure is, by my reckoning, the first time since the Energy Policy Act of 2005 that Congress has expressly authorized any agency to regulate the cybersecurity of privately owned and operated systems of any kind. It comes not a moment too soon. As one recent survey bordering on the tautological found, the more connected devices a medical facility has, the higher its risk of experiencing a cyberattack. 

Situating Cybersecurity in Existing Regulatory Structures

As I argued when I first wrote about the legislation for Lawfare in June, it offers a promising approach for incremental and sector-specific progress in addressing the widely recognized insecurity of critical infrastructure and products. Among the key features of the bill that recommend it as a model is that it situates cybersecurity within an existing regulatory framework, amending the Food, Drug, and Cosmetic Act to add a new section entitled “Ensuring Cybersecurity of Devices.” This implicitly acknowledges the reality that cybersecurity, despite its significance, is just one risk among many that a regulatory agency must consider and balance in pursuing any mission focused on safety, effectiveness, or reliability in the delivery of a product or service, whether it is health care or drinking water or transportation. 

Also, the legislation implicitly endorses a concept that has been deeply embedded in U.S. cybersecurity policy across administrations: that sector-specific agencies (now called sector risk management agencies or SRMAs) must have the lead in addressing the cybersecurity of entities under their jurisdiction. The FDA already oversees the safety and effectiveness of medical devices, and, as I described in June, it has already issued extensive guidance on the cybersecurity of connected medical devices. This legislation, as it is implemented, will transform that nonbinding guidance from recommendations into actual rules.

In deferring to the sectoral expertise of existing agencies such as the FDA, however, this approach leaves open the possibility that the rules for different industries will diverge in unjustified ways, given commonalities of both technology and threat. That is where the Cybersecurity and Infrastructure Security Agency, as a non-regulatory body, the national cyber director, and the much-needed Bureau of Cyber Statistics can add value, by developing evidence-based standards that can nudge the SRMAs toward more harmonized (but not perfectly harmonized) requirements based on insights into what does and what doesn’t work.

A Bit Adulterated, but Still Promising

I’m not privy to the sausage-making that produced some differences between …….

Source: https://news.google.com/__i/rss/rd/articles/CBMiRGh0dHBzOi8vd3d3Lmxhd2ZhcmVibG9nLmNvbS9vbmUtc21hbGwtbGVnaXNsYXRpdmUtc3RlcC1jeWJlcnNlY3VyaXR50gEA?oc=5
