Optimizing Cybersecurity Risk in Medical Cyber-Physical Devices

42 Pages Posted: 25 May 2022 Last revised: 31 May 2023

Christopher S. Yoo

University of Pennsylvania Carey Law School; University of Pennsylvania - Annenberg School for Communication; University of Pennsylvania - School of Engineering and Applied Science

Bethany Lee

affiliation not provided to SSRN

Date Written: March 29, 2022

Abstract

Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host of deadly security risks that traditional notions of cybersecurity struggle to take into account. Previously, we could predict how algorithms would function as they drew on defined inputs. But cyber-physical systems draw on unbounded inputs from the real world. Moreover, with wide networks of cyber-physical medical devices, a single cybersecurity breach could pose lethal dangers to masses of patients.

The U.S. Food and Drug Administration (FDA) is tasked with regulating medical devices to ensure safety and effectiveness, but its regulatory approach—designed decades ago to regulate traditional medical hardware—is ill-suited to the unique problems of cybersecurity. Because perfect cybersecurity is impossible and every cybersecurity improvement entails costs to affordability and health, designers need standards that balance costs and benefits to inform the optimal level of risk. FDA, however, conducts limited cost-benefit analyses, believing that its authorizing statute forbids consideration of economic costs.

We draw on statutory text and case law to show that this belief is mistaken and that FDA can and should conduct cost-benefit analyses to ensure safety and effectiveness, especially in the context of cybersecurity. We describe three approaches FDA could take to implement this analysis as a practical matter. Of these three, we recommend an approach modeled after the Federal Trade Commission’s cost-benefit test. Regardless of the specific approach FDA chooses, however, the critical point is that the agency must weigh costs and benefits to ensure the right level of cybersecurity. Until then, medical device designers will face continued uncertainty as cybersecurity threats become increasingly dangerous.

Keywords: Administrative law, government regulation, regulatory standards, cost-benefit analysis, product liability, networked medical devices, cybersecurity, risk, safety and effectiveness, public policy

JEL Classification: K23, K24, K32, L63, L65

Suggested Citation

Yoo, Christopher S. and Lee, Bethany, Optimizing Cybersecurity Risk in Medical Cyber-Physical Devices (March 29, 2022). William & Mary Law Review, Vol. 64, p. 1513, 2023, U of Penn, Inst for Law & Econ Research Paper No. 22-20, Available at SSRN: https://ssrn.com/abstract=4118993

Christopher S. Yoo (Contact Author)

University of Pennsylvania Carey Law School

3501 Sansom St.
Philadelphia, PA 19104-6204
United States
(215) 746-8772 (Phone)

HOME PAGE: http://www.law.upenn.edu/faculty/csyoo/

University of Pennsylvania - Annenberg School for Communication

3620 Walnut St.
Philadelphia, PA 19104-6220
United States
(215) 746-8772 (Phone)

University of Pennsylvania - School of Engineering and Applied Science

3330 Walnut St.
Philadelphia, PA 19104-6309
United States
(215) 746-8772 (Phone)
