organizations involved in creating digital health products and services.151
Unlike internal confidential data loss affecting an organization only, parties
affected by insufficient cybersecurity controls can be patients or consumers,
often individuals in a compromised health position.152 Many patients assume,
given the FDA’s involvement in device safety matters and HIPAA’s
coverage of PHI, that health safety and confidentiality meet existing industry
best practices.153 Others may not be able to effectively advocate their
interests, either because of health status or comparatively less bargaining
Because the market cannot effectively guarantee this protection and
patients often expect a basic level of safety for digital health products, a
regulatory framework provides the best option for managing cybersecurity
risk. However, achieving a level of specificity in the law that actually reduces
risk requires knowledge and regulation of technology as it actually works.155
Although computer systems collect, compile, process, transfer, display, or
store data, specific implementations may use different variations of security
controls to meet a security principle, for example, methods for managing
password resets.156 Frameworks should balance specificity with flexibility to
151. Heather Landi, Medical Device Cybersecurity Needs Enforceable Regulations, Not
Just Suggestions, HEALTHCARE INFORMATICS (Feb. 17, 2016), http://www.healthcare-informatics.com/news-item/medical-device-cybersecurity-needs-enforceable-regulations-not-just-suggestions-icit-says; Derek Mohammed et al., Cybersecurity Challenges and
Compliance Issues within the U.S. Healthcare Sector, 5 INT’L J. BUS. & SOC. RESEARCH 55,
57 (2015), http://www.saintleo.edu/media/975946/cybersecurity_challenges_and_complian
152. Following from the recognition that for the digital health marketplace, participants
using devices and apps often have a particular health condition, some very serious in nature.
See Mohammed et al., supra note 151, at 56.
153. See Pam Dixon, What’s a Consumer to Do? Consumer Perceptions and Expectations
of Privacy Online, Testimony Before the Subcommittee on Commerce, Manufacturing, and
Trade of the House Committee on Energy and Commerce, WORLD PRIVACY FORUM 3 (Oct.
13, 2011), http://www.worldprivacyforum.org/wp-content/uploads/2011/10PamDixonConsumerExpectation Testimonyfsshort.pdf (testifying on how consumers often do not have the
information or opportunity to evaluate the status and treatment of their information, and
a disconnect exists between what consumers believe organizations do to protect information and
what organizations actually do).
154. See McGraw et al., infra note 173 (illustrating that large business associates, with
great bargaining power, can more easily dictate the terms of their security compliance).
155. In my experience, this challenge has borne out in HIPAA compliance schemes. It is
my opinion that because encryption is an “addressable” requirement under HIPAA, many
organizations do not encrypt data and when they do, employ poor encryption practices simply
to meet the requirement. Poor practices do not significantly improve an organization’s ability
to protect individuals’ PHI. Similarly, high-level general FDA guidelines will not likely
establish the structure necessary to measurably reduce cybersecurity for medical devices.
156. Mathew J. Schwartz, 5 Ways to Solve the Password Reset Dilemma, DARKREADING
(Aug. 14, 2012), http://www.darkreading.com/attacks-and-breaches/5-ways-to-solve-the-