On May 12, President Biden signed an executive order on improving the nation’s cybersecurity (the “Executive Order”). The Executive Order identified six broad initiatives for the improvement of security within federal government information technology systems and called on various federal departments and agencies to assist in building out actionable steps to achieve the Executive Order goals.
In response to the Executive Order, the FDA issued the Response to NIST Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security on May 26, 2021 (the “FDA Position Paper”), which acknowledges that “cybersecurity is crucial for medical device safety and effectiveness.” However, it is important to recognize that currently, the FDA’s ability to regulate cybersecurity extends only to medical devices. Although there has been some past ambiguity around what software meets the definition of a medical device, back-office administrative software and electronic health records (EHRs) were excluded from FDA’s oversight with the passing of the 21st Century Cures Act of 2016.
In the FDA Position Paper, the FDA acknowledges that the healthcare ecosystem will not be cyber secure until “software that does not meet the definition of device, but which supports or is relied on by devices, such as third-party software necessary to achieve the intended use of devices, hospital network software, programs, applications, mobile devices, cloud services, and certain Electronic Health Records (EHRs)/Electronic Medical Records (EMRs) where medical devices pull/push data directly as part of their intended use, are also critical to assuring devices are safe and effective.”1 However, legislative intervention would be required to amend the Federal Food, Drug, and Cosmetic Act before the FDA would have the legislative support necessary to regulate EHRs and enforce cybersecurity across the healthcare ecosystem.
It appears the Biden administration is laying the groundwork to sidestep required legislative action by leveraging the federal government’s substantial purchasing power. The Executive Order states that “The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards….set forth in and issued pursuant to this order.” Federal Information Systems includes systems used or operated by an agency, an agency contractor, or “by another organization on behalf of an agency.” This would by definition include Centers for Medicare and Medicaid Services, an agency that had a total program spend of $1.4 trillion in 2020.2
A trillion-dollar carrot is a large incentive for private companies to develop policies, procedures, responses, and designs that comply with cybersecurity best practices, even absent government regulation.
Companies that wish to contract with the federal government to provide critical software in the healthcare space should be proactively drafting policies and redesigning business as usual to meet the high-level expectations that the Biden administration has outlined around encryption, software development practices, ongoing monitoring requirements, multi-factor authentication, disclosure of open source, and forced disclosure of vulnerabilities and breaches.
[1] Available at https://www.fda.gov/media/149954/download
[2] https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/CMS-Fast-Facts
