An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
Last month, the U.S. Food and Drug Administration issued its final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Those guidelines make non-binding recommendations on the cybersecurity issues medical device manufacturers should consider in developing new devices. The guidelines also address the processes medical device manufacturers should follow in evaluating and seeking to mitigate cybersecurity risks and the documentation they should submit to the FDA in seeking approval of new devices.
The FDA’s guidance is in response to the growing recognition that the connectivity medical devices have through the internet, networks and USB ports makes them vulnerable. While that connectivity improves patient care, it also creates cybersecurity risks, including the risk of patient harm.
The FDA’s guidance is relevant not only to the manufacturers of new medical devices, but also to hospitals and others that currently use medical devices with internet, network or other connectivity. The guidelines expressly state that they do not create “legally enforceable responsibilities.” However, they may well contribute to the establishment of a standard of care for such users in evaluating the security of current devices and whether software updates and other risk mitigation measures are recommended for those devices.
A copy of the Cyber Security Guidance issued by the FDA can be found here.