Paul Schmeltzer Of Clark Hill On Why the US Government is Getting Serious About Medical Device Cybersecurity

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
13 min read · Nov 7, 2023

In an era where technology is revolutionizing healthcare, medical devices — from pacemakers to insulin pumps to hospital imaging machines — are becoming increasingly interconnected. While these advancements offer unprecedented benefits, they also expose healthcare systems and patients to new cybersecurity risks. Cyberattacks on medical devices can result in compromised patient safety, data breaches, and even loss of life. Acknowledging the gravity of the issue, the US Government is ramping up its focus on medical device cybersecurity through regulations, initiatives, and collaborations with industry stakeholders. As a part of this series, we had the pleasure of interviewing Paul Schmeltzer.

Paul Schmeltzer counsels healthcare clients on regulatory matters including Federal and State pharmacy law, Fraud, Waste, and Abuse, Stark law, State and Federal Anti-Kickback Statutes, HIPAA, and EMTALA.

In addition to representing healthcare clients in regulatory matters, Paul has drafted managed care contracts for physicians and health plans and advised clients on regulatory and reimbursement matters. He also has experience counseling corporate clients on civil matters, including drafting legal documents, advising clients on employment issues, and researching and drafting motions.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Southwestern Louisiana. My mother was a registered nurse and my father was a machinist who taught at a local community college. Growing up, I spent considerable time hanging around hospitals due to my mother’s work. So, I have always had an affinity for healthcare.

My childhood was filled with the boredom that comes from growing up in a very rural area. To combat this boredom, I became a voracious reader of both historical biographies and classical fiction.

Upon graduating from high school, I thought I would become a writer of fiction. But after wandering aimlessly through a series of low paying jobs in my late teens and early twenties, both of my parents became ill and my father died. I was completely rudderless and briefly homeless before I met my now wife, who provided the support that I needed to get out of that situation.

Eventually, I moved to Los Angeles, where I mustered the courage to diligently pursue a higher education. I enrolled at UCLA where I studied linguistics and computer science. By my junior year, I knew that I was going to law school, and that I was not cut out to be a computer programmer. So, I dropped computer science as a major and devoted myself to the preparation necessary to apply to law schools.

Growing up, I had no family members who were practicing attorneys, so law school was completely uncharted territory for me. I chose to attend the University of Miami School of Law because I liked South Florida, and the school had several programs that interested me. I carefully planned my first two years of law school so that in my third year, I studied for and received a Master of Laws in Taxation along with my Juris Doctorate. I really love tax law as it is extremely complex and constantly evolving, which are two of my favorite traits for any intellectual pursuit. Upon graduating from Miami in 2008, I entered a legal job market that was in the throes of the Great Recession. Having not yet passed the bar exam, I was not very marketable and job opportunities for first year associates were slim during this time.

Even before I passed the Florida bar exam, I was experiencing nightly bouts with severe kidney pain. This went on for many months. After I took an in-house counsel position for an up-and-coming managed healthcare organization in Miami, I was diagnosed with metastatic testicular cancer. With that diagnosis, my life completely changed forever. I did three grueling rounds of chemotherapy which nearly killed me. During this time, I spent most, if not all, of my time in hospitals, where I received an even greater understanding of the challenges facing the American healthcare system. Once I was in remission, I resumed my legal career, and continued to focus on serving healthcare clients.

Is there a particular story that inspired you to pursue a career in this field? We would love to hear it.

When I was in my early twenties, my father was diagnosed with mesothelioma. While he was receiving treatment in a hospital, a nurse mistakenly referred to a neighboring patient’s chart before administering a shot containing codeine, which my father was allergic to. Because of this medical error, my father instantly suffered a heart attack and died after the shot was administered. This incident preceded the advent of electronic health records by some years, but the fact that someone could die from such negligent misuse of medical information really affected me. My father’s death was certainly the main reason I became an attorney and largely influenced my career path in healthcare.

Can you share the most interesting story that happened to you since you began this fascinating career?

My career as a healthcare attorney has been exciting from the start. In the literal first minutes of my first day practicing as a healthcare attorney, I was greeted by Zone Program Integrity Contractors (ZPICs), who are federal contractors that work under the direction of the Centers for Medicare and Medicaid. Essentially, ZPICs conduct a thorough evaluation of all available information to confirm the veracity of the patient’s medical records and billing by a healthcare practice.

Needless to say, it was a bit alarming that federal contractors were storming into the conference room of my new employer minutes into my legal career to request copies of patient files. I wondered if I made the right career decision at that moment. Eventually, the ZPIC audit concluded with no consequences to my employer. But that first day taught me that healthcare companies have to navigate a complicated web of state and federal laws in their daily practices.

Are you working on any exciting new projects now? How do you think that will help people?

I am always looking to counsel new clients on their exciting projects in the healthcare space. At the moment, I am currently working with clients on advancements in medical devices and telehealth that will greatly improve the public’s access to healthcare. Of particular interest are medical devices that aid in the diagnosis and treatment of cancers to improve patient outcomes.

Ok, thank you. Let us now move on to our main topic. For the uninitiated, can you explain the nature and scope of cybersecurity threats to modern medical devices? How significant is the risk in comparison to other sectors?

Cybersecurity threats to medical devices pose significant risks to patient safety, data privacy, and the overall functionality of healthcare systems. The nature and scope of these threats are evolving as medical devices become more prevalent, interconnected and reliant on digital technologies. The FDA considers the Apple Watch to be a wellness tool, not a medical device. But how long will it be before connected devices such as smart watches include functionality to treat things like anxiety, obesity, eating disorders, and muscle atrophy, and therefore become medical devices?

Compromised medical devices can directly impact patient safety. For example, hackers could alter drug dosages, manipulate pacemakers, or interfere with other life-sustaining equipment. This could mean life or death for a patient using a blood glucose monitor at home. The FDA has been aware for years of the susceptibility of medical devices to hacks. For example, the FDA issued a voluntary recall in 2017 of some 500,000 pacemakers deemed vulnerable to being hacked.

Breaches of medical devices can also lead to the unauthorized access and theft of sensitive patient data, including medical records, making patients vulnerable to identity theft and privacy violations. This could open the medical device manufacturer and healthcare system to patient litigation and regulatory action where such data theft occurs.

The interconnected nature of healthcare systems means that a compromised device can potentially disrupt an entire hospital’s operations, affecting patient care and overall healthcare infrastructure. This is why healthcare systems must identify compromises early to mitigate lateral movement that would cripple operations.

Increasingly, my healthcare clients are asking me to design tabletop scenarios for their organizations to roleplay compromised medical devices such as infusion pumps or hospital smart beds. These attacks could paralyze a hospital’s operations and force staff to expend much more labor to monitor and deliver patient care.

Could you highlight some key regulations or initiatives that the US Government has introduced or proposed specifically targeting medical device cybersecurity? How have these been received by industry stakeholders?

On December 29, 2022, the Consolidated Appropriations Act, 2023 (“Omnibus”) amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by requiring a person who submits a premarket application or submission for a cyber device on or after March 29, 2023 to submit information to ensure that cyber devices meet certain cybersecurity requirements. If a cyber device were previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law would apply to the new premarket submission.

The sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the following cybersecurity requirements:

  • Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post market updates and patches to the device and related systems; and
  • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

The FDA can also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure.

Because medical devices are being used by healthcare practices for longer than anticipated by the manufacturers, these recent amendments to the FD&C Act require medical device manufacturers to take a more proactive and long-term approach to the cybersecurity of their devices. No longer can device manufacturers develop and leave medical devices for dead after a few years of profitability.

From a manufacturer and healthcare provider perspective, what are the most pressing challenges in adapting to and complying with these cybersecurity regulations? Are there any unforeseen hurdles they have had to navigate?

For manufacturers and healthcare providers, compliance necessitates a hybrid approach. The recent amendments to the FD&C Act require medical device manufacturers to take a more proactive and long-term approach to the cybersecurity of their devices. Not only must they submit a plan to monitor, identify, and address cybersecurity vulnerabilities and exploits, but they must also make available post market updates and patches to the device and related systems; and provide a software bill of materials.

With regulations becoming more stringent, do you think this might impede or slow down the innovation of medical devices? How are manufacturers ensuring both security and the continuous advancement of medical technology?

Actually, I think the opposite will happen. Regulations imposed by the FDA on the manufacturers of new medical devices will not slow down innovation. The world is becoming increasingly connected by faster internet speeds and more powerful devices. This will be exploited by medical device manufacturers in the next generation of products. The new FDA requirements are only temporary impediments to medical device manufacturers who are now forced to consider how their products secure patient data, something that healthcare software vendors have been grappling with for many years. In short, the innovation will continue as medical devices are too financially lucrative to ignore.

What are your “5 Things Everyone Should Know About Medical Device Cybersecurity?”

1. Vulnerabilities Exist in Medical Devices. Medical devices, such as pacemakers, infusion pumps, and imaging equipment, are susceptible to cybersecurity threats. Just like any other connected technology, they can have vulnerabilities that malicious actors could exploit. These vulnerabilities may include outdated software, weak passwords, or insecure communication channels. A notable example of this risk was Vice President Dick Cheney’s admission that he was so concerned about assassination via medical device hacking of a pacemaker implanted in 2007 that his doctors disabled its wireless capabilities as a precaution.

2. Patient Safety is at Risk. A breach or compromise of a medical device’s security can have severe consequences for patient safety. For example, unauthorized access to a device can lead to incorrect diagnoses, altered treatment plans, or even physical harm to patients. In 2019, the FDA recalled certain insulin pumps because attackers could alter the device’s settings and overdeliver or stop insulin delivery to patients, which could lead to low or high blood sugar, and possibly the patient’s death.

3. Regulations Are Evolving. Regulatory bodies, such as the FDA, have recognized the importance of medical device cybersecurity. They have been updating their guidelines to address these concerns. Manufacturers are now required to incorporate cybersecurity into the design and maintenance of their devices. For medical device manufacturers and healthcare practices, it’s important to stay updated with these evolving regulations and compliance requirements, which will only continue to proliferate as medical devices do as well.

4. Collaboration Is Key. Medical device cybersecurity requires that the healthcare industry, including device manufacturers, healthcare providers, federal agencies, and cybersecurity experts, work together to address challenges posed by ever-evolving cybersecurity threats and vulnerabilities. Collaboration is essential to identifying and mitigating risks effectively. No single corner of the healthcare industry should bear complete responsibility for securing medical devices. For example, the FDA recently informed health care providers and laboratory personnel about a cybersecurity vulnerability that could impact genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach. Such collaboration serves to bring all parties together to identify and address vulnerabilities in a more time- and cost-efficient manner that can also lead to increased patient safety.

5. Continuous Monitoring and Updating. Cybersecurity is an ongoing process that does not have an end date. Medical devices need to be monitored continuously for vulnerabilities and updated as needed. Healthcare institutions should continually assess and manage the cybersecurity of the medical devices they use and communicate any vulnerabilities to the device manufacturer so that they can be patched. Manufacturers should provide patches and updates to address known vulnerabilities, and healthcare providers should ensure that these updates are applied promptly. Regular risk assessments and testing are also crucial components of maintaining the security of medical devices.

Let us talk about the future. Considering the pace of technological advancements and the growing emphasis on cybersecurity, where do you see the future of medical device security in the next 5–10 years? Are there emerging technologies or methods that hold particular promise in safeguarding patient health and data?

In the near term, there are no quick and easy ways to improve medical device security. However, I do see the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) establishing clearer requirements under HIPAA for medical devices as they become more prevalent and their security risks more pronounced. The healthcare industry, device manufacturers, and regulatory bodies must continue to work to improve cybersecurity for medical devices. Threat actors will evolve their tactics, so the healthcare industry must avoid complacency. The next 5–10 years in medical device cybersecurity will focus on the development of industry standards, regular security assessments to identify and remediate vulnerabilities, and the implementation of advanced security features in medical devices. The evolving nature of cybersecurity threats necessitates ongoing vigilance and adaptation to ensure the safety and security of modern medical devices.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

If I could inspire any movement, it would be for true interoperability between healthcare entities so that patients achieve their best possible healthcare outcome through the sharing of meaningful patient data between practices. For example, if I were to face serious injuries in a car accident while traveling in Montana, I would want the ER doctor in Montana to know right away that I am on anticoagulants prior to surgery. This information could very likely mean the difference between life and death for someone like me. Obviously, the U.S. government is making strides towards interoperability with HIPAA and the 21st Century Cures Act, but there is still great disparity in the U.S. healthcare system, and the absence of a uniform information sharing protocol can greatly impact the effectiveness of healthcare decisions.

Paul Schmeltzer counsels healthcare clients on regulatory matters including Federal and State pharmacy law, Cybersecurity, Fraud, Waste, and Abuse, Stark law, State and Federal Anti-Kickback Statutes, HIPAA, and EMTALA.

How can our readers further follow your work online?

https://www.clarkhill.com/people/paul-f-schmeltzer/
https://www.linkedin.com/in/paulhealthlaw/

This was very inspiring and informative. Thank you so much for the time you spent on this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
