
AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
Cybersecurity in the Crosshairs: Legal and Financial Risk in FDA-Regulated Medical Devices
The FDA has begun urging manufacturers to treat cybersecurity risk management as a material business concern. Hal Porter, Director of Consulting Services, Clearwater, speaks with Allyson Maur, Associate, McGuireWoods, about the implications of the FDA’s growing focus on cybersecurity as a core component of medical device safety and financial risk and what that shift means for legal, compliance, and risk professionals. They discuss how manufacturers and providers should navigate these expectations, how legal teams can prepare for regulatory scrutiny, and how cyber risk in the device ecosystem is quickly becoming a board-level issue. Sponsored by Clearwater.
Watch this episode: https://www.youtube.com/watch?v=3Y9R5kwRqeU
Learn more about Clearwater: https://clearwatersecurity.com/
Essential Legal Updates, Now in Audio
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Stay At the Forefront of Health Legal Education
Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.
This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit clearwatersecurity.com.
SPEAKER_01:Welcome to this episode of Speaking of Health Law. I'm Hal Porter, Director of Consulting Services at Clearwater Security, where we help organizations across the healthcare ecosystem move to a more secure, compliant, and resilient state so they can achieve their mission. Today, I'm joined by McGuireWoods attorney Allyson Maur, and we're going to dive into the implications of the FDA's growing focus on cybersecurity as a core component of medical device safety and financial risk. With FDA urging manufacturers to treat cybersecurity risk management as a material business concern, this discussion explores what that shift means for legal, compliance, and risk professionals. Allyson and I will examine how manufacturers and providers should navigate these expectations, how legal teams can prepare for regulatory scrutiny, and how cyber risk in the device ecosystem is quickly becoming a board-level issue. Allyson, it's great to speak with you. Before we dive in, can you share a little bit about yourself and the work you're doing at McGuireWoods?
SPEAKER_02:Absolutely. Thanks for having me. So at McGuireWoods, I sit in the New York office, and I sit in the healthcare practice, the life sciences practice, and the data privacy practice. A lot of the data privacy work that I do is in the field of advising medical device manufacturers, pharmaceutical manufacturers, life sciences companies, as well as traditional healthcare providers, but often in the context of things like clinical trials and life sciences related matters. So I have a deep background in HIPAA as well as the emerging sector in AI and med device development. So happy to be here. Thanks for having me.
SPEAKER_01:Awesome. Well, thank you very much. Let's go ahead and jump into the conversation. So to start us off, can you give us a high level overview of FDA's recent guidance related to cybersecurity and medical devices and maybe why this is such a significant development from a legal perspective?
SPEAKER_02:Sure. Happy to. So on June 26th, which is pretty recent, close to the recording of this podcast, FDA dropped their, and this is a mouthful, so bear with me, guidance on cybersecurity in medical devices, quality system considerations, and the content of pre-market submissions. That just rolls right off the tongue. This one follows up on the prior 2023 guidance about pre-market cybersecurity and specifically software bills of materials, or what we call SBOMs. So the 2020 guidance is really expanding pretty significantly on the definition of what FDA considers to be a cyber device. And we'll talk a little bit more about that in detail, which includes software, software functions, anything that contains software that has programmable logic. So the AI guidance that we'll talk about, too, sort of comes into play here. And it really covers the spectrum of devices that are, you know, the guidance is really specific to devices that require submission, things like 510(k)s, De Novos, pre-market authorizations, investigational devices, humanitarian device exemptions, as well as biologics and INDs, investigational new drugs that might have a software component. It also applies to 510(k)-exempt Class I devices, devices that FDA typically considers to be pretty low risk. But if it has a software component, or if it is software and it's a device that has the ability to get to the internet, that's also going to be included under this guidance. So in the 2023 guidance, FDA really shared their expectations around building cybersecurity into lifecycle management and indicated at the time that they would use enforcement discretion when evaluating whether or not a product met sufficient cybersecurity controls. So this guidance kind of steps that up a notch and really says these expectations are no longer nice to haves. This is mandatory. This is truly a human safety element. It's no longer just a cyber, this nebulous cyber safety incident.
So it includes a requirement to continually update your software bill of materials, which is really interesting. So if you're using software that has open source, you really have to track this, and you have to maintain a live, living list of what's in your system and update it and make sure that you're accounting for all of the components in your device. Understanding where those open source components or software may be in their lifecycle phase, making sure you're doing your patches, you're doing your updates, you're really making sure that you're keeping track and you know what's happening with each one of the elements in your device. So the guidance also talks about anything in a device or component that is capable of connecting to the internet. So we're talking Wi-Fi-enabled, Bluetooth-enabled devices, near field communications, radio frequency. So anything that touches or has the potential to touch the internet, if you're capable of being connected some way, even if that's currently disabled, if you're capable, then you're within this guidance.
SPEAKER_01:Excellent. So why do you think FDA is now framing cybersecurity as a material financial and business risk rather than just a technical or compliance issue?
SPEAKER_02:Yeah, I think that we've seen a lot of movement in this area. There have been a number of cyber incidents over the years, and more and more they're really coming after the healthcare sector. And this really feels like almost a touchpoint where FDA has said, okay, look, this is human safety now, where this is not about data. This isn't about privacy. This is a true human safety concern. And I think some of this really goes back decades at this point to, if you all remember, Dick Cheney had his defib replaced, and there was some concern at the time that, oh, wow, this has its Bluetooth enabled, its Wi-Fi enabled. We maybe need to shut this off. This is not only a national security risk, it's a human risk. But a little bit of it goes back that far. So as we're seeing the threat actors get more sophisticated, there is more concern about really the physical threat that there is to people who maybe have an implantable device, or even devices that maybe aren't implanted, but there is significant risk here. And we've seen attacks. We've got the WannaCry attack a few years ago. We have some incidents in other countries and other systems or hospital-specific systems where hospitals have been taken offline, and there has been legitimate safety risk to patients. So I think FDA is sort of at this point now where they've acknowledged that this is more than just a minimal risk. This is something that we really have to address. And it feels like it's almost the equivalent of biocompatibility and safety testing for a drug, that you really need to prove your device is safe, and cybersecurity is a function of that safety.
SPEAKER_01:Excellent. You know, and you kind of touched on it a few moments ago, but a cyber device is now clearly defined under Section 7 of the new guidance, along with specific recommendations under FD&C Act Section 542B, which specifies manufacturers' obligations and cybersecurity requirements for medical devices, which was kind of lacking in the original draft of 2023 and the subsequent 2023, or excuse me, 2022, and the subsequent 2023 guidance update. How could or does this level of specificity affect device makers from a legal perspective?
SPEAKER_02:Yeah, great question. So I think it really establishes that the risk starts a little bit at the beginning, and you really need to take this cradle to grave approach when you're developing a new product or when you're iterating on a product that is already in the marketplace. And this is sort of, it's almost a super guidance. Now, we all know FDA guidance is technically non-binding, but this is really the point where FDA has clarified, you know, we expect this now. This is mandatory. This isn't, you know, we're not back in 1996 where nobody knows what the internet's really going to do. And they're really emphasizing that this is no longer a bolt-on situation. You can't build a system and then just bolt on patches and, you know, cyber as an afterthought. This really has to be from the ground up, cradle to grave, beginning to end process. It really needs to be part of your design DNA at this point. Companies have to incorporate risk analysis. They have to incorporate threat modeling as part of their design plans. So we're at this point where FDA is saying, look, if you're submitting an application, you really need to think through the potential negative outcomes here and really look at this holistically. So these are no longer nice to haves. These are mandatories. And from an enforcement perspective, it's really interesting to see that FDA has basically put their stake in the ground and said, we're done here. No more Mr. Nice Guy, a little bit. We've had this industry for so long. You have to acknowledge that this is part of the process. We're still seeing hacks and events literally this week. There was another one with the ShareFile incident, and that has potential to impact government systems, has potential to impact some healthcare systems. So it's really this function of, you have to consider at the outset, really even in your very early conversations, even before you have conversations with FDA, that this now has to be part of your company's DNA.
This is a material business risk. FDA has indicated it's a material business risk. And from a legal and liability standpoint, you have to consider, is failure to secure your device adequately now a tort? Is there negligence here? Is there gross negligence? Is this now willful misconduct if you have knowledge that there's potentially a threat somewhere out there, or perhaps you didn't threat model adequately, you didn't think through the process? And is there sort of this new, not that gross negligence and willful misconduct are new standards of legal liability, but does that now apply to the device design? And from a healthcare provider perspective or a health system perspective, if you're using a device, have you done your due diligence to determine whether or not this is something that may expose your system or may expose your patients? And then are we looking at malpractice here, that, you know, the doc recommended a device or implanted a device that maybe didn't have the patches and the updates, didn't do the check? So there's sort of this breadth of risk now that, having FDA essentially say, look, this is a material business risk, we expect you to address this, it almost shifts the paradigm a little bit in terms of legal liability and the steps that everyone within the universe of developer to end user really needs to take, considering the potential negative effects if there is a cyber incident.
SPEAKER_01:Absolutely. And Allyson, you know, in our previous conversations, I really liked the way that you framed it in one comment, where medical device manufacturers really should be taking the approach of built-in, not bolt-on. And I've got over 30 years of experience in IT and started off as a software engineer doing enterprise development. And through that and through development, I've watched that mature and evolve, that whole progress from where it used to be the focus on security being bolt-on to where now it's a part of the discovery phase and every other element of the software development lifecycle. And it sounds like device manufacturers are starting to come around to that and really should be taking that approach in their development and device manufacturing.
SPEAKER_02:And it's funny you say discovery phase, as an attorney, though I'm not a litigator, you know, that makes me think, you know, litigation discovery also. Was there something that was discovered somewhere along the line that you either ignored or downplayed or maybe forgot to look at that industry standard now says you should look at? And does that play into, you know, hopefully never, but a wrongful death suit or some type of malpractice or some other type of liability in the event of a failure? So, yeah, making sure that you're documenting this appropriately, and if you find something, that you're really drilling down and figuring out, have we addressed all the possible threats here?
SPEAKER_01:Absolutely. You know, we've focused a lot on FDA so far, but from a legal standpoint, how does this guidance fit into the broader regulatory environment surrounding medical device manufacturers? Should device makers be preparing for more enforcement activity in this space, not just from FDA, but from other regulatory bodies?
SPEAKER_02:Oh, I absolutely think so. So we've seen a lot of movement in this area over the past few years. So from the FDA perspective, we've got the AI guidance in terms of incorporating AI into your medical devices and tracking the life cycle and making sure that if you're doing material updates to your AI, you're reporting that to FDA. And that's something for consideration too, as you're developing your devices or you're enhancing your devices. Everybody's talking about AI right now, but is it really appropriate for everything? Is it appropriate for your device? And we can talk about that a little bit later, but we've got the AI guidance from FDA. So their eye is on that. We've also got recent updates to the quality system regulations in January 2024. So FDA, again, though they don't address cybersecurity specifically in the QSR, it is really focused on good manufacturing practice and bringing the quality system regulations up to date with the ISO standards. I think it's ISO 13485, which is more of a global standard. So FDA's eye is on the ball on devices. They're acknowledging that there's advancement here that maybe is outpacing what the regulations are. So then we have DOJ's cyber rule, which is going to be really interesting to see how this kind of affects medical device and the pharma industry and healthcare generally, which really prohibits sharing large amounts of sensitive data with companies that are owned either in whole or in part by a company that is located in a country of concern. So we've got a lot of med device developers and a lot of drug developers who, as part of the development process, or for devices, if they have components that are developed or maybe maintained or data is being sent overseas to a company that's in one of these countries or is maybe owned by a company that's located in one of these countries, sort of what is that going to do to the development process and to the sharing process?
And are those the types of transactions that are contemplated under the rule, or is the rule so vague that it maybe didn't think through the healthcare consequences of prohibiting sharing personal health data? In the med device context, you know, personal health data is including, and I'm reading from the rule, physical measurements and health attributes, such as bodily functions, height and weight, vital signs, symptoms, and allergies. So my Apple Watch, you know, is not supposed to be sending that type of data, your Oura Ring. And if your physician has prescribed you even a medical device app, like a behavioral health app, we're not really sure maybe where that data is going. So we can do a whole separate session on the DOJ rule, but we know that DOJ is watching those types of, you know, the transfers of data, their sensitivity about sharing sensitive data, not to mention genetic data. So then, the White House just this week dropped their AI guidance with about 90 recommendations for reducing what they're calling bureaucratic red tape, fast-tracking AI development and AI infrastructure. We want to be the leaders in AI infrastructure, but it feels like there may be a little bit of a disconnect with what the regulatory agencies are seeing, with both DOJ and FDA trying to lock it down a little bit and say, hey, we need to take risk here seriously. So it's going to be interesting to see how that plays out, and we need to be aware of it. So then we've always got, HIPAA nerd over here, OCR, Office for Civil Rights, who are increasing their enforcement in the cyberspace. Again, all of these ransomware attacks, all of these bad actors, all of these shutdowns, OCR has basically drawn their line in the sand too, and said, look, it's been a really long time. We wrote HIPAA in '96. We've been seeing this increase. You can no longer bury your head in the sand here.
So from a healthcare system perspective, who's implementing medical devices in their system, and again, things like connected MRIs and sonograms, you've really got to consider that OCR has, well, they haven't said we've had enough, but they've said we've had enough. The fines are getting bigger. They're starting to do audits, and those audits are showing where the weaknesses are. And it's been a really long time. It's time for everybody to get up to speed. So it's going to be interesting to see if OCR and FDA sort of work hand in hand here, because I do think there is going to be a little overlap. But I think really we're at the point where, if you haven't had an attack, you will. And, you know, we say that all the time, and Hal, I'm sure you say it too, it's not a matter of if, it's when these days. And, you know, so the cross-agency guidance is really showing that, as a whole, there's sort of now this trend with the agencies of, okay, oops, we didn't know doesn't play anymore. There's no more, you know, ignorance is not an excuse, that we really have to be prepared that there's probably going to be enforcement from multiple places. And I wouldn't be surprised to see FTC get involved as well, as far as false and misleading: you've advertised your product to be compliant, you've advertised your medical systems and your EHR to be compliant. While EHR is likely technically outside the definition of medical device, but clinical decision support software too, there's going to be a lot of overlap here. And if you've got a med device that has represented that it's compliant and it gets hacked and somebody dies, you've got a spiral of, you know, OCR enforcement, DOJ enforcement, potentially FTC enforcement, and FDA. So I think it's here to stay, and not that necessarily agencies look for somebody to make an example of, but I don't want to be the guy who makes the first mistake here and gets a multi-agency pile-on.
SPEAKER_01:And no one wants to be the guy. So with regard, you know, we've focused a lot on the medical device manufacturers, but with regard to healthcare providers who rely heavily on these devices, what legal considerations should they be thinking about when evaluating or contracting for connected medical technologies?
SPEAKER_02:Yeah. In a risk context, risk management, vendor risk management, and system fragmentation are really some of the big factors here. So we're already seeing it. And it's, again, this bolt-on versus built-up-from-the-ground system, where we're seeing a lot of clients in the space have these conversations too. Do we buy another thing or do we build our own? But we've got significant fragmentation. Your MRI is on a different system than your ultrasound, than your x-rays. You've got medical devices in the surgical room, you've got EHR systems. How do those talk to each other? Are they built on different systems? Are they able to communicate securely with one another? So looking at fragmentation, really looking at your Wi-Fi and your Bluetooth enabled. So you go into the hospital and you go to visit and you sign into the visitor Wi-Fi. Well, what else is on the visitor Wi-Fi? Do you have controls in place to make sure that nobody's tapping into your non-visitor Wi-Fi? Do you have VPNs? Are these open networks? Where is the data going? Is it encrypted? And really kind of making sure that the systems and the communication systems are also secured. And you've also got the potential where you have an implantable medical device or even a wearable. Your doctor has prescribed, do the Oura Ring, we wanna check your sleep patterns, whatever. So you go into your doctor, or if you have an app that is on an iPad for behavioral health, or there are a few medical device apps that are out there. So you go into your doctor's office and he says, okay, let's download your data. What network is that being downloaded on? Where is it going? What's happening to that data? My iPad's logged into the guest Wi-Fi. Again, so you really have to kind of take that holistic approach of looking at all the entry points and the potential bad actor entry points and making sure that the system as a whole is completely secure.
And then as you're evaluating new systems, and are you building, are you bolting on things like AI? Again, everybody's talking AI, AI, AI, it's the catchword of the day, but is it really necessary for what you want to accomplish? And is it really going to make something better, or is it compatible with your goals? Whose goals? Is it the healthcare system's goals? Is it the doctor's goals? Is it the radiologist's goals? And making sure those goals are aligned and making sure that whatever devices you're implementing are necessary and you're not just buying the greatest, you know, shiny object that really doesn't get you where you want to go. And we are seeing that a lot in the industry right now, that there is a lot of this debate of, you know, you've got somebody who says, I really want to use this new cool tool, but somebody higher up in the system says, yeah, but what's the end impact? And, you know, you've got a practice group who's saying, yeah, but we really want to use it. And somebody higher up is saying, but no, it's not consistent with everything else. So you've got to make sure all of your players are on the same page. And then, you know, just making sure you're evaluating your vendors, the folks who are doing your EMR systems, the folks who are doing your Wi-Fi and your VPN and all of the medical device vendors, and sort of vetting their vendors. You have to ask the question now, are you using open source software? Show me your SOC 2 audit. It's no longer taking everybody's word for it that, oh, yes, we comply with HIPAA. We are HIPAA compliant. Those are like my favorite words. Nobody's 100% HIPAA compliant. So, you know, really doing your diligence and thinking it through and not just trying to be first to market or first in the neighborhood with the new cool shiny toy. You have to do your diligence and figure out, are your vendors compliant?
Because if they're not, that's going to flow up to you and you're going to have a bigger problem on your hands down the road.
SPEAKER_01:Yeah, definitely. Like we saw with the Change Healthcare incident last year. So absolutely. We're starting to... More and more across the healthcare ecosystem, we're seeing cyber risk discussed at the board level. So how does FDA's framing of cybersecurity as a business risk affect how boards and legal teams should be approaching oversight and governance, specifically in medtech companies?
SPEAKER_02:Sure. Again, you're on notice. Cyber is now a material risk. And I think for publicly held companies in particular, SEC said a few years back, cyber is a material risk. And we're at that point now where it really needs to be part of the company's true culture and DNA. And it needs to come from the top down, and it needs to come from the bottom up. Everybody in the organization has to understand, particularly in a med device development situation, that this is now human safety. Again, this isn't data, not that data breaches are fun by any means, not that data breaches don't cause harm, but this is genuine risk. And as we talked about earlier, a little bit of legal liability here, that FDA has said, look, this is a physical safety concern. So somebody dies because you didn't update your product, that's a fantastic lawsuit. And that's gonna be something that would be devastating to a company. So you have to really, and again, it's this malpractice type of thing, gross negligence, willful misconduct. So everybody really needs to take it a little bit more seriously. And we are starting to see boards inviting their CISOs, your chief information security officers, to meetings and asking for presentations. Where are we on cyber? And really trying to take this more seriously. And from a design perspective, from a functional day-to-day, you really need to have those people in your meetings when you're doing concept review. Hey, we think we wanna do this, what do you think? Or we're thinking about making this upgrade, what do you think? And have them engaged throughout the process. And as far as SEC for public companies too, the reporting. One thing that I think we're going to see a real shift in, and it's starting to happen a little bit now, is reporting in your S-1s and your F-1s and all of your quarterly and your annual filings, that this is no longer the squishy, vague, oh, we might be subject to something having to do with data privacy and cyber.
There could be a hack and oops, we might lose some data and there might be some fines. I think we're going to see those disclosures start to get beefed up a little bit more and really address the real risk, that this cyber event is not just about data anymore. It's about true safety. So I think we're going to see that, and it'll be interesting to see, particularly in the next round of reporting, if those risk factors are starting to get beefed up. But I think, you know, again, it has to be really a top-down investment, and in the medical device space, we're starting to see the boards are starting to get it. And it's not just one lone IT guy sitting in a closet somewhere who's trying to get somebody to understand how important this is. It's really a big shift, and CISOs are playing a bigger role.
SPEAKER_01:Yeah. And, you know, of all the things that we've covered, quite a bit of material, I guess, you know, the next question I would have is, what kind of practical steps would you recommend for legal and compliance teams that are looking to get ahead of all of these new expectations, especially in terms of collaboration with, like you mentioned, cybersecurity leadership and clinical leadership?
SPEAKER_02:Yeah. Step one, evaluate what you have and where your gaps are. data map, system map, ID map, device map, figure out what you have and where you are. And then within those devices, figure out all your components. Are all of your open source licenses okay? What software are you using? If you're looking to improve a market that's currently on the marketplace, you really need to go back to your design specs and your design master files And take a look at what we've got. What's in there? And are we relying on outdated programs or outdated software? And do we need to patch from the ground up? Get IT involved early and often. Like we said, not just the CISOs, but the guys who are boots on the ground. What are we seeing? What are the... What are the pings and the attacks that we might be seeing in the background? Things like that. Really trying to get a sense for where the vulnerabilities are. And then a deep dive into who's building your components. You have to understand your vendors. You have to understand. And I think particularly with open source software, that may be a potential vulnerability there that companies may look again and say, maybe we don't use open source because you know, one of the risks is you're putting out your list of all of your components and, you know, look, we know who's using what open source for which devices. Does that disclose a potential vulnerability there? So understand your software bill of materials, really track that, keep that up to date. That almost needs to be a daily task for somebody, making sure that all of your patches are in. And then, you know, you really have to the threat modeling is a really interesting requirement under the new guidance. So FDA is almost saying you have to tabletop test your device. You have to think of all of the crazy things you can think of and then go one step farther. 
Because if you missed it and there's a problem, we may pull your product, we may reject your application in the first place. So you really have to think through this mental exercise of, okay, where do we have vulnerabilities? Maybe not to the extent of hiring a white hat hacker to figure out how to hack into your device, but there needs to be more sensitivity to the fact that there are multiple entry points for failure. And We're in a world currently where Silicon Valley culture is really driving a lot of this. And it's the move fast and break things model. And with medical devices, I think FDA is really saying you can't take that approach anymore. You can't move fast and break things. You still have to break things to figure out how to fix the things, but you got to do that before it's on the market. And there's no more, build the concept and then fix the mess later. It really has to be ground up, you know, it has to be part of the true design of the product. And then engage all your stakeholders. Engage your users. Talk to the folks who are going to use your product. Talk to folks who, you know, say, look, go to the FDA early and often request a meeting and say, we're thinking of doing XYZ for this device. you know, what do you think we need to cover that we haven't covered already? Try to have a two-way conversation and engage experts. Look, there are folks who do this for a living. Clearwater is one of them. You know, you absolutely, you see things that are out in the marketplace that other folks don't see. As attorneys who handle cyber incidents, we see some really interesting things, things that you wouldn't think of. And I can only imagine the types of things that Clearwater and other consultants are seeing on a daily basis. You know what's out there. You know before a lot of others what threats are, are being repeated, sort of who those actors are, where those vulnerabilities are that maybe you didn't think through. 
So engage, just like when you're designing a pharmaceutical product or a med device that isn't connected, you have regulatory experts; you kind of need to bring in a cybersecurity regulatory expert at this point to help with that design process. And really just kind of keep your finger on the pulse of what's going on in the marketplace, where others are getting caught, where there's opportunity to do better and there's opportunity to do more, and just really try to stay ahead of the threat actors, which is becoming harder and harder to do on a daily basis.
SPEAKER_01:Absolutely. And yeah, it goes back to that built-in, not bolt-on approach. Definitely. So in looking at all of this, and kind of looking to the future, maybe what's on the horizon: with the increased focus and visibility on cyber risk, are there any additional regulatory or legal developments that you think may impact how cybersecurity and medical devices are treated, either by FDA or other agencies?
SPEAKER_02:Absolutely. OCR. OCR is going to continue to be out there. They're going to try to keep up. I think that we're going to see OCR try to maybe flex their muscles a little bit more in this space. It will be interesting to see sort of how they reconcile the interoperability rule with some of these guidance recommendations. And, you know, we're still waiting for some real formal enforcement on the interoperability rule. We know there are a lot of complaints. There's a little bit of litigation that's out there right now. So really trying to keep an eye on what OCR is going to do with that, and DOJ. Centers for Medicare and Medicaid Services, CMS. So reimbursement. You're reimbursing for a medical device, particularly now one that's out there that's approved. You're claiming it's safe. If you have a breach and it causes a physical harm, do we have a False Claims Act violation now, because you've claimed it to do one thing, it did not do that one thing, it had a safety failure? So do we start to see CMS say, hey, a device failure when, you know, it's an enabled device, it's a cyber device, you know, someone was harmed. Are we looking at clawbacks? Are we looking at, you know, enforcement action for false claims? So I think that's going to be really interesting to watch too. And same thing with DOJ. You know, do we have false representations? And then are we looking at, you know, you're causing false claims? Is there sort of a downward spiral there, misrepresentation? And FCC. So we're dealing with near field communications as it is now. If you have a medical device that's, you know, NFC or radio, you have to test for interference. That is going to continue to be expected. And it might be interesting to see if FCC steps in and issues guidance that sort of bolsters FDA's guidance, and sort of how that works alongside the AI framework too.
The president's proposal for AI, we're going to have to wait and see sort of what comes from that, but I think there's going to be a little bit more development there and maybe a little bit more pushback. I appreciate that sometimes FDA and the agencies are seen as red tape, but when we're dealing with physical safety, I think there's maybe a little bit of friction there. And the AI legislation on the state level. A lot of the states are pushing now to control how AI is used, particularly in the medical device and health field. You know, there's a lot of activity on the state level that I think is going to continue. And then, you know, look, global economy, we've got GDPR to deal with. We've got the EU AI Act to deal with. There are other countries who are trying to be on the forefront of this and trying to install some controls here and really set the boundaries, and health data in particular is highly sensitive data. It's a high risk application for AI. So how do we reconcile that if you're developing a medical device that is either, you know, for the U.S. and you want to expand globally, or you're trying to develop it globally off the bat? So you really have to take those types of situations into consideration, that there may be others who are more advanced than we are in terms of monitoring cyber devices and development. So it's going to be interesting to watch what happens, but I do think there's going to be a lot more activity in the next few years.
SPEAKER_01:Excellent. Well, Allison, that wraps up today's conversation about FDA's recently published guidance on medical device security. Thank you so much for your excellent insights. Thank you to our audience as well for listening. We hope that you found this episode helpful in advancing your understanding of the evolving regulatory environment, and have a great rest of your day.
SPEAKER_02:Thank you, Hal.
SPEAKER_00:If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org. And stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Premium members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.