In a recent article from Inside Health Policy, Debevoise partners Luke Dembosky and Paul D. Rubin discuss the upcoming, in-depth report on how medical device manufacturers and the wider healthcare sector can best protect against cybersecurity threats. The goals of the report, Mr. Rubin said, are to advance the adoption of coordinated vulnerability disclosures by the medical device industry and promote and inform cybersecurity discussions across the health sector.

In advance of the report, Mr. Dembosky and Mr. Rubin spoke at the Medical Device Innovation Consortium (MDIC) Annual Forum. Mr. Rubin explained that due to the complexity of the issues, and multitude of internal and external stakeholders, medical device companies should position themselves so they do not need to make complex ad hoc cybersecurity decisions under duress. “And that’s why we think it’s critically important for companies to develop coordinated vulnerability disclosure programs in advance, establish [standard operating procedures] governing those programs, and then implement them,” Mr. Rubin said.

Not establishing a comprehensive cyber security plan, one that includes assessing vulnerabilities and developing strategies for remediation and disclosure, could lead to a wide range of enforcement actions, Mr. Dembosky explained. According to Mr. Dembosky, if coordinated cybersecurity vulnerability disclosure programs are implemented correctly, however, “the rewards and benefits in terms of risk reduction far outweigh the risks.”

Rubin said the upcoming MDIC report will contain extensive best practices learned from interviews conducted with FDA, device makers, cybersecurity researchers and trade associations, and describe the legal and non-legal issues associated with cybersecurity vulnerability assessments. The lawyers said they hope to organize a webinar with MDIC to review the granular details of the report with stakeholders after the report is released.