The massive appropriations bill signed by President Biden on Dec. 29, 2022, included, among other riders, language requiring the makers of internet-connected medical devices to reasonably ensure that such devices and their related systems are cybersecure. The legislation grants the secretary of health and human services authority to issue regulations, setting requirements for covered devices to be enforced by the Food and Drug Administration (FDA).
The measure is, by my reckoning, the first time since the Energy Policy Act of 2005 that Congress has expressly authorized any agency to regulate the cybersecurity of privately owned and operated systems of any kind. It comes not a moment too soon. As one recent survey bordering on the tautological found, the more connected devices a medical facility has, the higher its risk of experiencing a cyberattack.
Situating Cybersecurity in Existing Regulatory Structures
As I argued when I first wrote about the legislation for Lawfare in June, it offers a promising approach for incremental and sector-specific progress in addressing the widely recognized insecurity of critical infrastructure and products. Among the key features of the bill that recommend it as a model is that it situates cybersecurity within an existing regulatory framework, amending the Food, Drug, and Cosmetic Act to add a new section entitled “Ensuring Cybersecurity of Devices.” This implicitly acknowledges the reality that cybersecurity, despite its significance, is just one risk among many that a regulatory agency must consider and balance in pursuing any mission focused on safety, effectiveness, or reliability in the delivery of a product or service, whether it is health care or drinking water or transportation.
Also, the legislation implicitly endorses a concept that has been deeply embedded in U.S. cybersecurity policy across administrations: that sector-specific agencies (now called sector risk management agencies or SRMAs) must have the lead in addressing the cybersecurity of entities under their jurisdiction. The FDA already oversees the safety and effectiveness of medical devices, and, as I described in June, it has already issued extensive guidance on the cybersecurity of connected medical devices. This legislation, as it is implemented, will transform that nonbinding guidance from recommendations to actual rules.
In deferring to the sectoral expertise of existing agencies such as the FDA, however, this approach leaves open the possibility that the rules for different industries will diverge in unjustified ways, given the commonalities of both technology and threat across sectors. That is where the Cybersecurity and Infrastructure Security Agency (a non-regulatory body), the national cyber director, and the much-needed but not-yet-established Bureau of Cyber Statistics can add value: by developing evidence-based standards that nudge the SRMAs toward more harmonized (but not perfectly harmonized) requirements, grounded in insights into what does and what doesn’t work.
A Bit Adulterated, but Still Promising
I’m not privy to the sausage-making that produced some differences between the device security bill that passed the House in June on an overwhelming, bipartisan vote and what the Senate included in the omnibus. Surely, industry had a role. The definition of a cyber device subject to regulation was narrowed. The House-passed bill defined a cyber device as one that included software, had the ability to connect to the internet, or could be vulnerable to cybersecurity threats; the bill as enacted applies only to devices that include software, can be connected to the internet, and could be vulnerable to cybersecurity threats. I’d be interested to know how much of a difference that makes; it seems that nearly anything with software will be connected to the internet and vulnerable, so the conjunctive wording would bite chiefly on devices that run software but have no network interface at all, a category that is shrinking but not yet empty. And, in any case, under both versions, the secretary of health and human services will have the authority to exempt otherwise covered devices.

Also, the House-passed bill would have required device makers to include a software bill of materials (SBOM) in the labeling of the device itself, which would have exposed device makers to liability for misbranding if the SBOM were inaccurate. In contrast, the enacted version drops that misbranding enforcement tool and requires only that the SBOM be provided to the FDA. There are other tweaks, but the measure does not seem to have been substantially weakened, though I’d be interested to hear thoughts on this assessment from those more directly involved in negotiating the final language.
Public-Private Partnership and Information Sharing Are Not Enough
I have long argued that many federal agencies have, in their organic statutes, the authority to regulate cybersecurity as an element of their legislated mandates to ensure the safety and reliability of the industries, products, and services they oversee. For decades, however, agencies were reluctant to exercise that authority. Instead, they endlessly repeated the mantras of public-private partnership and information sharing—both essential elements of any cybersecurity strategy but demonstrably inadequate by themselves.
The Colonial Pipeline incident in 2021 changed that to some extent, with the Transportation Security Administration issuing binding rules for pipelines and railroads. But other agencies continue to deny that their safety and reliability authority encompasses the disruptions associated with cyberattacks. They were bolstered in that position by the Supreme Court’s June 2022 decision in West Virginia v. Environmental Protection Agency, in which the Court stated that, “in certain extraordinary cases,” regulatory agencies could not issue rules on “major questions” affecting “a significant portion of the American economy” without “clear congressional authorization.”
Beyond Medical Devices: Think Comprehensively, Act Incrementally
The medical device provision points the way forward: make cybersecurity an express mission of the SRMAs. Departments and agencies, at the urging or direction of the White House, should look for opportunities to add cybersecurity to their organic statutes. In many cases, a cut-and-bite amendment of a few words would be enough. Critically, the FDA provision began to move only after the agency expressly requested it in its fiscal year 2023 budget request. And the provision was advanced by first being included in a bill specific to the FDA, one reauthorizing the agency to collect user fees from drug and device manufacturers seeking product approvals. In 2023 and 2024, the list of must-pass vehicles might be limited to two items: the National Defense Authorization Act and the now-normal, down-to-the-wire omnibus appropriations bill. But, as with the medical device provision, the process would best start in the congressional committees of jurisdiction, whose chairs could then argue for the measures’ inclusion in the must-pass bills.
The Biden administration is expected to finalize its national cybersecurity strategy soon. The details remain to be seen, but the strategy is expected, according to Politico, “to endorse a more aggressive approach to regulation for critical infrastructure companies.” With such an endorsement, the alphabet soup of federal departments and independent agencies, including the Federal Communications Commission for telecoms, the Centers for Medicare and Medicaid Services for hospitals receiving Medicare and Medicaid payments, the Environmental Protection Agency for drinking water systems, and on and on, should acknowledge the cyber risk their sectors face and propose legislation to expressly add cybersecurity to their safety and reliability authorities.
– Jim Dempsey, Lawfare