Device Lawyers: Report On Cybersecurity Best Practices Coming Soon

September 11, 2018

Device industry and cybersecurity lawyers plan to soon unveil an in-depth report describing a pathway for medical device manufacturers and the wider health care sector to protect against cybersecurity threats. The lawyers -- Paul Rubin and Luke Dembosky, both partners at Debevoise & Plimpton; and John deCraen, senior director of global cyber risk services at Alvarez & Marsal -- said Wednesday (Sept. 5) that coordinated vulnerability disclosures will help device makers assess cybersecurity vulnerabilities and devise remediation strategies.

The lawyers said action is crucial because not having a proper cybersecurity plan in place could expose a manufacturer to enforcement action by FDA, the U.S. Securities and Exchange Commission (for publicly traded companies), the Federal Trade Commission or state attorneys general.

“As companies adopt these programs and as publicly reporting these vulnerabilities becomes more commonplace, there’ll be less of any negative stigma or reaction to those reports,” Rubin told stakeholders at the annual public forum of the Medical Device Innovation Consortium, which retained him and his colleagues to prepare their report. “Hopefully at some point they’ll become analogous to routine software updates,” he said.

If those coordinated vulnerability disclosures are distributed through a network of online portals, the lawyers said, medical device makers could receive feedback on new vulnerabilities from researchers and the public, thereby creating a transparent system that can be readily updated to protect against new threats.

A coordinated vulnerability disclosure, deCraen explained, is a formalized process of obtaining vulnerability information, assessing vulnerabilities, developing remediation strategies and disclosing vulnerabilities. The legal benefits of implementing a policy on the disclosures are extensive, Rubin said, and such a policy is better started late than never.

“Where you don’t want to be is having to make very complex ad hoc decisions under duress,” he said. “And that’s why we think it’s critically important for companies to develop CVD programs in advance, establish [standard operating procedures] governing those programs, and then implement them. … If you don’t have a process in advance to address these issues, it could become a morass very quickly.”

The lawyers explained that having cybersecurity procedures in place is an increasingly common requirement in contracts between device companies and hospitals. In light of a rise in successful ransomware attacks, Dembosky said, more plaintiffs have targeted a defendant company’s undisclosed cybersecurity vulnerabilities and procedures.

“What that means for you all is there’s a spotlight cast on ‘Did you know about this vulnerability? What did you do about it? Did you have policies and procedures, and equally important, did you follow them?’” Dembosky said.

These days, the lawyers explained, not having a proper cybersecurity plan can prompt federal enforcement. It could also trigger product liability lawsuits, HIPAA enforcement, class action lawsuits and, in rare cases, even criminal prosecution, they said.

“All of these things are being played out in courtrooms, in regulatory enforcement proceedings across sectors, and the medical device community is certainly a key critical sector where these issues come up,” Dembosky said. “To cast a broad net, spot the issues and be proactive, there’s discomfort in disclosing things early, interacting with security researchers. But if it’s done right, the rewards and benefits in terms of risk reduction far outweigh the risks.”

The lawyers recommended medical device makers bring all levels of their staff on board with the company’s coordinated vulnerability disclosure plan, collaborate with FDA and cybersecurity researchers to develop the plan, and make their vulnerability portal system easy to use for individuals who use smartphones to interact with their medical devices.

Rubin said the upcoming report will contain extensive best practices learned from interviews conducted with FDA, device makers, cybersecurity researchers and trade associations, and will describe the legal and non-legal issues raised by cybersecurity vulnerability information. The lawyers said they hope to organize a webinar with MDIC to go over the report in detail with stakeholders after the report is released.

The goals of the report, Rubin said, are to advance the adoption of coordinated vulnerability disclosures by the medical device industry and promote and inform cybersecurity discussions across the health sector.

“[I]n general we hope it’s a resource for the medical device industry and all stakeholders in the medical device ecosystem,” Rubin said. -- David Roza