
Medical Device Cybersecurity Regulation

September 25, 2023

Prof. Christopher S. Yoo and Bethany Lee L’22 advocate FDA regulatory action to better address cybersecurity risks of medical devices such as pacemakers.

At The Regulatory Review, Evelyn Tsisin L’24, G’24 explores research and scholarship by Christopher S. Yoo, John H. Chestnut Professor of Law, Communication, and Computer & Information Science and Founding Director of the Center for Technology, Innovation & Competition (CTIC), and Bethany Lee L’22 that urges the U.S. Food and Drug Administration (FDA) to develop a new regulatory framework governing cybersecurity risks associated with medical devices.

In the paper, “Optimizing Cybersecurity Risks in Medical Cyber-Physical Devices,” Yoo and Lee maintain that the “FDA can and should conduct cost-benefit analyses to ensure safety and effectiveness, especially in the context of cybersecurity.” The authors describe three approaches FDA could take, ultimately recommending “an approach modeled after the Federal Trade Commission’s cost-benefit test.”

From The Regulatory Review:

Yoo and Lee argue that cyber-physical medical devices pose novel challenges to FDA’s traditional approach to evaluating device safety and effectiveness. Unlike other software, cyber-physical devices are embedded in an environment that is unpredictable and unbounded. And unlike traditional hardware devices, risks to patients may stem not just from a malfunction but also from intentional, malicious actors.

Given these factors, it is not possible to eradicate all possible cybersecurity risks for a given device. Instead, Yoo and Lee argue that device developers must establish an optimal level of cybersecurity that is not overly burdensome, costly, or a hindrance to device functionality. But exactly which risks must be mitigated, and which may be considered reasonably acceptable, may remain uncertain to medical device developers in the absence of clear agency guidance on the issue.

FDA has published a series of guidance documents over the last decade focusing on cybersecurity, most recently in 2018. These guidance documents acknowledge that residual risks are unavoidable and that certain acceptance criteria for risks must be established for medical devices to be deemed “trustworthy.”

FDA vaguely defines “trustworthy” medical devices, Yoo and Lee argue, as ones that “(1) are reasonably secure from cybersecurity intrusion and misuse; (2) provide a reasonable level of availability, reliability, and correct operation; (3) are reasonably suited to performing their intended functions; and (4) adhere to generally accepted security procedures.”

What is reasonable is largely up to the manufacturers to decipher when attempting to design safe but innovative products to bring forth for FDA review.

The Regulatory Review is a daily online publication that provides accessible coverage of regulatory policymaking and enforcement issues across a full range of regulatory topics and from a variety of perspectives… . 

Launched in 2009 and operating under the guidance of Cary Coglianese, Edward B. Shils Professor of Law and Professor of Political Science, The Review is edited by students at Penn Carey Law. It is part of the overarching teaching, research, and outreach mission of the Penn Program on Regulation (PPR), which draws together more than 60 faculty from across the University of Pennsylvania.

Read the full piece at The Regulatory Review.