Scholars are considering the optimal cost-benefit ratio for cybersecurity risks in medical devices.
A shock like electricity hits my heart, but there is no love or nature behind it. Rather, a hacker accessed a pacemaker with wireless capabilities and released a deadly surge. This alarming scenario is just one of the many risks that can arise with cyber-physical devices susceptible to cyber attacks.
In a recent research paper, Christopher S. Yoo and Bethany Lee of the University of Pennsylvania Carey School of Law urge the U.S. Food and Drug Administration (FDA) to develop a new regulatory framework to manage cybersecurity risks associated with medical devices.
According to Yoo and Lee, cyber-physical medical devices pose new challenges to the FDA’s traditional approach to evaluating device safety and effectiveness. Unlike other software, cyber-physical devices are embedded in an unpredictable and open-ended environment. And unlike traditional hardware devices, the potential risks they pose to patients can stem not only from malfunctions but also from intentional and malicious attackers.
Considering these factors, it is not possible to eradicate all possible cybersecurity risks for a specific device. Instead, Yoo and Lee argue that device developers need to establish optimal levels of cybersecurity without undue burden, cost, or disruption to device functionality. But exactly how far risks should be reduced, and what may be considered reasonably acceptable, may remain uncertain for medical device developers in the absence of clear guidance from government agencies on this issue.
The FDA has published a series of guidance documents focused on cybersecurity over the past decade, including in 2018. These guidance documents admit that residual risks are unavoidable and that certain tolerance criteria for risk need to be established for medical devices to be considered “reliable.”
Yoo and Lee claim that the FDA’s definition of a “reliable” medical device is vague. Such a device must “(1) be reasonably secure from cybersecurity intrusion or misuse; (2) provide reasonable levels of availability, reliability, and correct operation; (3) perform its intended functions; and (4) comply with generally accepted security procedures.”
What is reasonable is largely left to manufacturers to decipher as they try to design safe but innovative products for FDA review.
Yoo and Lee explore various methods of cost-benefit analysis that agencies can employ to fill this regulatory gap. The first hurdle, however, is convincing the FDA that it has the authority to consider factors other than treatment, such as price increases and development costs.
The statute that gives the agency its authority, the Federal Food, Drug, and Cosmetic Act (FDCA), tasks it with ensuring the safety and effectiveness of devices by “weighing the possible health benefits of using the device against the possible risks of injury or illness from its use.” Although the law does not explicitly prohibit economic considerations, as a matter of policy the FDA bases its evaluation of benefits and risks solely on scientific determinants.
The FDA denies the possibility that a device or treatment will be disapproved based on cost. Yoo and Lee claim, however, that case law, statutory interpretation, and the agency’s own policies do not preclude economic considerations, even if the agency is not already acting on them.
Case law in which the U.S. Supreme Court invalidated cost considerations, such as Whitman v. American Trucking Associations, produced carve-outs to avoid compliance with rules and standards altogether. For medical device cybersecurity, cost-benefit analysis would supplement the FDA’s “reasonable assurance of safety and effectiveness” standard.
Legal silence and ambiguity in the FDCA also lean toward permissiveness, Yoo and Lee claim. They argue that because the FDCA does not explicitly exclude cost considerations, an FDA decision to read “reasonable assurance of safety and effectiveness” as including cost considerations should withstand judicial review.
In fact, another agency, the Federal Trade Commission (FTC), has successfully interpreted statutory silence as authorizing the use of cost-benefit tests. The Federal Trade Commission Act expressly tasks the FTC with preventing and punishing “unfair and deceptive practices.” In deciding whether conduct is unfair or is permissible because it is balanced against “the interests of consumers or competition,” the FTC considers economic costs.
When translated to medical device cybersecurity, a test similar to the one employed by the FTC would evaluate the costs and benefits of decisions to add or omit certain cybersecurity safety features for particular devices. The benefits of cost reduction and improved functionality must together outweigh the costs of increased security risks, Yoo and Lee said. Offering “reasonable assurance of safety,” they say, does not require minimal improvements in safety at undue cost.
Yoo and Lee consider other methodologies for cost-benefit analysis, including the risk-utility calculation used in medical device product liability tort litigation and the graduated cost-effectiveness ratio common in health economics. Yoo and Lee recommend, however, that the FDA establish a cost-effectiveness framework similar to the FTC’s fraud assessment, as it is the easiest to administer and provides the most robust legal justification for the FDA’s authority to consider economic costs when evaluating medical devices.
Whatever path an agency takes, unless 100% cybersecurity is achievable, the acceptable level of safety should be determined by some cost-benefit test, Yoo and Lee conclude.