California's new cybersecurity law sidesteps most medical devices, lawyers say

A new law being implemented by the most populous U.S. state could attract the eyes of FDA as regulators continue to work through guidance on addressing rising cybersecurity threats to medical devices.

California’s connected devices security law, which took effect Jan. 1, requires manufacturers to equip connected devices with “reasonable security” that protects consumers from attackers gaining access to those devices.

While certain medical device makers — including those covered by some federal laws — may be exempt, the California law does explicitly cover a broad range of so-called Internet of Things (IoT) or connected devices, including wearables and connected home health devices, in addition to computers, security cameras, and smart meters.

And experts say the FDA may be watching the law’s implementation as the agency further develops recommendation on medical device cybersecurity.

“The state lawmakers knew, when they were drafting the law, that the FDA had cybersecurity guidance [it is working on] … States are trying to fill the spaces where you don’t have federal cybersecurity regulation,” Richard Borden, a partner at the law firm of White and Williams, told MedTech Dive.

The FDA did not respond to a query as to how the California law could inform its own federal guidance.

Market research firm IDC estimates close to 42 billion connected devices will generate 79.4 zettabytes of data by 2025. And the connected devices market in North America is forecast by Statista to reach $540 billion by 2022, so the economic impact of the new law could be significant as most major connected device manufacturers sell products in California, a state with an economy bigger than many Western nations.

Report after report in recent years has found healthcare organizations vulnerable to cyber criminals, blamed on over-reliance on legacy systems, employees bending rules about security, among other factors.

The law defines a connected device as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

A connected device manufacturer is required to equip the device with a “reasonable security feature” that is “appropriate to the nature and function of the device; appropriate to the information it may collect, contain, or transmit; [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

One key area of uncertainty surrounds the meaning of “reasonable security feature,” according to Daniel Pepper, partner at the law firm of BakerHostetler.

In addition, “there is still some question as to what the rest of the requirements will need to be to ‘protect the device and any information within from unauthorized access, destruction, use, modification, or disclosure’,” he told MedTech Dive.

The law provides additional detail on the security requirements for a connected device, Pepper said. The device should be equipped with a unique preprogrammed password, and/or it should require a user to generate a new means of authentication before access is granted for the first time.

In addition to ensuring these security measures are implemented, he also advised manufacturers to conduct a comprehensive data security assessment to see whether the device meets National Institute of Standards and Technology security standards.

Potential exemptions

Pepper stressed that medical device manufacturers covered by the Health Insurance Portability and Accountability Act would not be generally subject to the security law’s requirements. The law explicitly says that any entity covered by HIPAA or the state’s Confidentiality of Medical Information Act would not be covered by its provisions.

In many cases, however, a medical device manufacturer might not be considered a covered entity or business associate under HIPAA and would not qualify for this exemption to the connected device law.

According to the Department of Health and Human Services, a medical device company is considered a covered entity under HIPAA “if it furnishes, bills, or is paid for ‘health care’ in the normal course of business. ‘Health care’ under the [HIPAA Privacy] Rule means care, services or supplies related to the health of an individual.”

HHS adds that a medical device company “is not providing ‘health care’ if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.”

In addition to the HIPAA exception, the California connected device security law exempts from its requirements “any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.”

There is also an exemption for “any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” This would mean that medical devices covered by FDA’s cybersecurity guidance would not be covered by the law, according to Borden and Joshua Mooney, partners at White and Williams.

The Advanced Medical Technology Association agreed that medical devices regulated by the FDA would not be subject to the California law, Mark Brager, vice president of communications at Advamed told MedTech Dive.

FDA actions

The FDA has issued several guidance documents related to medical device cybersecurity, the most recent being a draft guidance published in October 2018 on cybersecurity considerations in premarket submissions.

Boston Scientific, GE Healthcare and BD are among manufacturers that protested elements of the guidance, including a proposed structure that would categorize a device into one of two risk-based tiers based on whether it has "standard" or "higher" cybersecurity risk. A proposal for a so-called software bill of materials, which could require manufacturers disclose software components to promote better transparency in the event a security patch is needed, also drew fire from trade group Advamed.

As such, the agency decided to issue another draft guidance incorporating the comments received, FDA spokesperson Kristen Pluchino told MedTech Dive. She could not provide a timetable for when the revised draft guidance would be ready.

Mooney predicted that how California implements its new law will influence how the FDA defines reasonable cybersecurity measures for medical devices.

“If California is aggressive in enforcing this IoT law, the state’s determination of what constitutes reasonableness may end up becoming a source of persuasive authority for the FDA in its decision making,” Mooney told MedTech Dive.

Personal health devices

One area where the law does directly regulate medical technology is personal devices that collect health data, such as wearables and connected home health devices like wearable electrocardiogram monitors.

The California law applies to a range of connected devices, including smartwatches, noted Susan Kohn Ross, partner with the law firm of Mitchell Silberberg & Knupp.

“One of the more interesting questions is what constitutes a medical device. The term ‘medical device’ is generally understood to mean a device which is approved by the FDA as a medical device. Smartwatches would not qualify under that definition, but would be subject to the law,” Ross told MedTech Dive.

Ross advised device manufacturers, regardless of industry, to develop an overall plan that coordinates their response to cybersecurity and data privacy because an increasing number of states and national governments are expanding legal and regulatory requirements in these areas.