Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host of deadly security risks that traditional notions of cybersecurity struggle to take into account. Previously, we could predict how algorithms would function as they drew on defined inputs. But cyber-physical systems draw on unbounded inputs from the real world. Moreover, with wide networks of cyber-physical medical devices, a single cybersecurity breach could pose lethal dangers to masses of patients.
The U.S. Food and Drug Administration (FDA) is tasked with regulating medical devices to ensure safety and effectiveness, but its regulatory approach—designed decades ago to regulate traditional medical hardware—is ill-suited to the unique problems of cybersecurity. Because perfect cybersecurity is impossible and every cybersecurity improvement entails costs to affordability and health, designers need standards that balance costs and benefits to inform the optimal level of risk. The FDA, however, conducts limited cost-benefit analyses, believing that its authorizing statute forbids consideration of economic costs.
We draw on statutory text and case law to show that this belief is mistaken and that the FDA can and should conduct cost-benefit analyses to ensure safety and effectiveness, especially in the context of cybersecurity. We describe three approaches the FDA could take to implement this analysis as a practical matter. Of these three, we recommend an approach modeled after the Federal Trade Commission’s cost-benefit test. Regardless of the specific approach the FDA chooses, however, the critical point is that the agency must weigh costs and benefits to ensure the right level of cybersecurity. Until then, medical device designers will face continued uncertainty as cybersecurity threats become increasingly dangerous.