Premier Weighs in with Administration on Cyber Regulatory Harmonization

Premier responded to the Office of the National Cyber Director (ONCD)’s request for information (RFI) on opportunities for and obstacles to harmonizing cybersecurity regulations. Premier expressed support for the ONCD’s efforts to combat existing challenges with regulatory overlap and for its exploration of a framework for reciprocity across regulatory agencies. In its comments, Premier recommended that the ONCD focus on:

  • Affirming and ensuring that approval of a new device does not relieve the manufacturer of maintaining the cybersecurity of the predicate device(s);
  • Prohibiting medical device manufacturers from receiving approvals for new devices when the manufacturer demonstrates an inability to reasonably maintain cybersecurity levels over an objectively-defined lifecycle that is informed by health delivery organization (HDO) buying patterns;
  • Creating resources for HDOs to support decision-making for legacy device risk management, including templates for information-sharing agreements to help set expectations with medical device manufacturers around responsibility and liability for legacy medical devices;
  • Collecting and making publicly available aggregated data on typical costs, quality and security standards, device useful life timelines, etc. to help quantify risks across the healthcare sector, inform policy and improve alignment of business strategies between HDOs and medical device manufacturers; and
  • Equitably allocating fines and penalties for a cybersecurity incident between manufacturers and HDOs commensurate with the findings of a root cause analysis.

Article Information

Date Published:
10/30/23