On December 28, 2016, the FDA issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The National Health Information Sharing and Analysis Center (NH-ISAC) plays a marquee role in the guidance. NH-ISAC is an information-sharing organization which brings together public and private groups to quickly and efficiently disseminate information about cyber threats to America’s healthcare industry. For companies following the guidance, participating in NH-ISAC provides a subtle benefit: forestalling civil litigation.
At numerous points in the guidance, the FDA strongly encourages companies to participate in NH-ISAC. The guidance indicates that NH-ISAC participation will be a key factor in whether the FDA takes action against companies that do not report vulnerabilities which expose their devices to “uncontrolled risk.”
To encourage ISAC participation, the guidance notes that participants in NH-ISAC or similar organizations “can request that their information be treated as Protected Critical Infrastructure Information.” This type of information “is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002 (6 U.S.C. §§131 et seq.).”
However, the guidance also recommends that medical device companies set up systems for receiving, processing, and responding to complaints relating to cybersecurity vulnerabilities. To support this recommendation, the guidance cites 21 C.F.R. § 820.198, which requires medical device manufacturers to maintain files for complaints about their devices. These files are discoverable in civil litigation. They have obvious value to civil plaintiffs because they may show that the device company knew of a defect and failed to fix it (or did a bad job fixing it). Companies should be alert that, even if they diligently report an issue to NH-ISAC, the steps they took to fix the vulnerability may still come into a civil case if someone files a § 820.198 complaint about the defect.
This dynamic demonstrates how helpful active NH-ISAC participation can be: once a company notices a vulnerability, it enters a race against time until someone submits a complaint about that vulnerability. Marshaling NH-ISAC’s resources provides a safe shortcut in that race – the manufacturer can discover whether other stakeholders confronted similar issues, learn how they resolved them, obtain advice about how to neutralize its own vulnerability, and potentially resolve the issue before a § 820.198 complaint comes in. If the manufacturer can resolve the issue before a complaint is filed, there will be no complaint file – and therefore, no discovery. The information a manufacturer submits to NH-ISAC may mirror what it would be required to put in a discoverable complaint file under § 820.198, but the NH-ISAC information is protected.
Active engagement in NH-ISAC (or centers like it) supports the guidance’s policy of quick, effective, industry-wide resolution of serious risks, fends off FDA enforcement, and stymies plaintiffs.