But in addition to that, when we think about cybersecurity, the devices and the data cross more boundaries than just the scope of the FDA. So if we're talking about a kind of more traditional medical device or an implantable medical device, we know that that falls within the FDA's purview. But there are other health-related things, health-related software out there, for example, which also could have vulnerabilities, or maybe leaves unprotected health information, and may be vulnerable. And those things don't necessarily fall under FDA purview. It isn't clear where they fall, based upon the FDASIA work that was done [INAUDIBLE]. That may fall under ONC, for example. And then when we look at the larger system, let's say, even within a hospital, when we look at the hospital network, we're now talking about commercial off-the-shelf networking technology. And then, maybe, our vulnerability to networking technologies, of course. And that would not necessarily be under the FDA's purview, because commercial off-the-shelf networking technology is not a medical device. It doesn't have a medical device-associated claim with it, that it's been built or designed, or it's being marketed to treat a disease, for example. So those networks are not medical devices, so they don't fall under FDA purview. So we do have a larger system of technology, much of which falls out of scope of the FDA. But much of which could directly address health outcomes, and potentially be hazardous through their cyber-related vulnerabilities. So who should address that? Well, more recently, there was an announcement regarding how some of that's being partitioned, in terms of responsibility, around the nation, with DHS taking an important lead role. Clearly, FDA is the home of the medical device experts, there's no question about that. So doing something without the FDA doesn't make sense, and expecting the FDA to manage this alone doesn't make sense. Exactly where things will fall, I'm not sure. I think it's clear that NSF has had a role already. NSF has been supporting medical cyber-related research. And they should have, probably, an expanded role, especially the more forward-looking role of understanding what future medical device systems could and should do to be safer. And to provide, perhaps, a road map for some of that technology. And the same is true of other agencies, like NIST. It's important there are standards, and NIST is very active, of course, in security. So I wish there was a clearer road map or a description of how the agencies will work together. But I'm uncomfortable with separating national policy decisions about cybersecurity for medical devices and health from national policies about healthcare. We don't have a clear national focus on the agency, for example, that's responsible for healthcare outcomes. We still have some fragmentation, with the FDA responsible for things that relate to medical devices, and other agencies may or may not be involved. So if there are problems today with apps that are healthcare-related, with loss of information from an app that may not be a regulated medical device, it isn't clear what the pathway should be to address that problem and take care of it. So I wouldn't divorce cybersecurity from the larger issue of national policy related to healthcare outcomes that are proven.
