3 CYBER LAW PREDICTIONS FOR 2021
As states prepare for the 2021 spring legislative sessions and Washington D.C. braces for an inauguration and legislative musical chairs, a few cyber law topics are predicted to emerge in 2021. @LaCyberLawBlog predicts movement in either legislation or jurisprudence on these 3 matters:
1. Final FDA Guidance on Clinical Decision Support (CDS) Software: CDS uses predictive algorithms to assist healthcare providers with making timely and informed healthcare treatment decisions. CDS software can analyze all electronic health record data and look for patient abnormalities or changes faster than a physician, especially in critical care situations. For example: in preparing a patient for emergency surgery, CDS applications can assist the physician in determining which combination of pharmaceuticals may prove fatal, contribute to blood loss during an operation, aggravate existing medical conditions, and potentially cause an adverse reaction with anesthesia – all simultaneously.
The U.S. Food and Drug Administration (FDA) recognizes the increased utility of and reliance on CDS applications in healthcare. And, with the semi-recent passage of the 21st Century Cures Act (which is intended to accelerate medical device innovation and provide patients greater access to electronic health records), the FDA is under pressure to form a position on CDS regulation. On September 27, 2019, the FDA released draft CDS regulation considerations, stating that the FDA would not seek to regulate CDS software that met 4 characteristics: 1) Did not acquire, process, or analyze a medical image or a signal from a diagnostic device; 2) Was not intended for the purpose of displaying, analyzing, or printing medical information about a patient; 3) Was not intended for the purpose of supporting or providing recommendations about prevention, diagnosis, or treatment of a disease or condition; and 4) Was not intended for the purpose of enabling a health care professional to rely primarily on the CDS software recommendations for clinical diagnoses or treatment decisions.
The draft guidance was primarily met with the following question: what CDS software will not be regulated then? The American Hospital Association (AHA) encourages the FDA, in determining regulation, to distinguish between CDS software that merely informs and CDS software that manages patient care. The AHA, along with other healthcare advocacy groups, is concerned that the FDA’s overregulation of CDS software will slow the medical device innovation process, especially during a time of great necessity (pandemic). Therefore, it is predicted that the FDA will relax and then finalize its regulatory guidance on CDS software for consistency with the 21st Century Cures Act and the current needs of the healthcare community.
2. Proposed Revisions to Chemical Facility Anti-Terrorism Standards (CFATS): CFATS is the Department of Homeland Security's regulatory program for security at high-risk chemical facilities. CFATS is the nation’s first regulatory program that identifies and regulates high-risk facilities to reduce the risk of the facilities’ hazardous chemicals becoming weaponized by terrorists. Codified in 2007 in 6 C.F.R. Part 27, CFATS is actually a term program that was set to expire on July 23, 2020. The day before its expiration, President Trump extended the program through 2023. Now under the control of the Cybersecurity and Infrastructure Security Agency (CISA), CFATS is expected to undergo a long-awaited revision to reflect increased virtual threats to the regulated chemical facilities.
Indeed, the Government Accountability Office published report GAO-20-453 on May 14, 2020, specifically recommending that CISA evaluate “high-risk chemical facilities’ cybersecurity efforts via inspections that include reviewing policies and procedures, interviewing relevant officials, and verifying facilities’ implementation of agreed-upon security measures.” GAO found that the CFATS program had not been updated in more than 10 years and lacked a process to routinely review its cybersecurity guidance to ensure consistency with threats and technological advances. Furthermore, on January 7, 2021, CISA issued a whitepaper entitled “Cybersecurity and Physical Security Convergence,” echoing GAO’s report and providing examples of how physical security failings serve as catalysts for cybersecurity breaches, even providing a case study from a “Large U.S. Energy Company.” CFATS should hopefully be updated this year.
3. Federal Use and Regulation of Artificial Intelligence (Outside of HealthTech): Many were shocked by the Netflix documentary entitled “The Social Dilemma” and how big tech uses artificial intelligence to predict behaviors, attraction, and hatred. Excepting a few states like Illinois and Nevada, artificial intelligence (AI) is totally unregulated. This freedom of development will soon end. Introduced on December 17, 2020 by Senator Christopher Coons of Delaware, the Algorithmic Fairness Act of 2020, or S. 5052, seeks to set up a study with the Federal Trade Commission on how AI is used by businesses against consumers and whether limitations should be imposed for consumer protection. A similar task is set forth in S. 5043, introduced by Sen. Deb Fischer of Nebraska and entitled the “American COMPETE Act of 2020.” The prediction is obviously that California will be the first to regulate AI in the manner sought by the Feds, but that the U.S. Govt. will at least try to stop big tech from enjoying its monopoly on AI.