#50: Paul Schmeltzer: FDA Regulations, AI and Legal Risk
We chatted with the Clark Hill PLC partner about AI, FDA regulations, and cybersecurity legal risk, drawing on his years of experience with the legal side of healthcare and industrial cybersecurity.
About Paul Schmeltzer
Paul Schmeltzer is a partner at Clark Hill PLC, where he advises clients across a variety of industries, including healthcare and manufacturing, providing strategic and legal guidance on artificial intelligence and on preparing for, responding to, recovering from, and learning from cybersecurity and privacy incidents. He also counsels healthcare clients on a variety of regulatory matters. Paul holds a Bachelor of Arts from UCLA and an LLM from the University of Miami School of Law.
Summary of the Conversation with Paul Schmeltzer
Paul Schmeltzer, a partner at Clark Hill PLC, shared insights into his journey in the cybersecurity and healthcare sectors, discussed regulatory impacts, and offered advice for those entering the field. He emphasized the importance of understanding regulatory requirements and the evolving cybersecurity landscape in healthcare.
Career Journey
- Early Career: Initially intended to be a tax lawyer but shifted to healthcare after graduating during the Great Recession. He gained experience in HIPAA-related incidents and joined Clark Hill in 2019.
- Cybersecurity Focus: In 2020, he transitioned to cybersecurity and data privacy, handling incident response and expanding his portfolio to include clients with pressing data privacy and cybersecurity needs.
Key Insights and Highlights
- FDA Cybersecurity Regulations (2023):
  - The regulations have been a wake-up call for device manufacturers to take cybersecurity seriously.
  - Emphasis on secure product development frameworks and lifecycle support for medical devices.
  - Increased focus on patching, updating, and monitoring vulnerabilities beyond the product lifecycle.
- Healthcare Data and Privacy:
  - Healthcare is a data-rich environment, making it a prime target for cybercriminals.
  - Insider threats and external cyber-attacks (e.g., ransomware, phishing) are major concerns.
  - Regular training and awareness are critical to maintaining a strong cybersecurity posture.
Advice for Entering Healthcare Cybersecurity
- Skillset and Knowledge:
  - A background in technology and computer science is beneficial.
  - Understanding of regulations (HIPAA, state privacy laws) is crucial.
  - Stay updated on evolving laws and regulations affecting healthcare data privacy.
- Specialized Legal Expertise:
  - There is a need for legal experts who can navigate the complex intersection of healthcare, data privacy, and cybersecurity.
  - A holistic approach should consider federal and state regulations, technological implications, and data protection strategies.
Regulatory Landscape and Evolution
- Upcoming Changes:
  - Expect updates to HIPAA to address modern data elements such as biometric data and AI usage.
  - Increasing state-level privacy laws will create a patchwork of regulations.
  - A federal framework for telehealth is needed to streamline regulations across states.
- AI in Healthcare:
  - AI presents both opportunities and risks. Over-reliance on AI without human oversight can lead to errors.
  - Regulatory bodies are expected to address AI-related issues, including data privacy and cybersecurity risks.
Balancing Innovation and Compliance
- Telehealth and New Technologies:
  - Telehealth is not new but has gained wider adoption since the pandemic.
  - Licensing and credentialing, HIPAA compliance, and secure communication platforms are key considerations.
  - Stakeholders should evaluate new technologies for potential vulnerabilities and ensure robust contractual protections.
- Advice for Stakeholders:
  - Conduct thorough reviews of agreements with technology providers.
  - Ensure continuous training and awareness programs for all staff.
  - Balance innovation with stringent compliance to maintain data security and patient trust.
Conclusion
Paul Schmeltzer highlighted the importance of staying abreast of regulatory changes and adopting a comprehensive approach to cybersecurity and data privacy in healthcare. He emphasized the need for continuous education, training, and collaboration among stakeholders to navigate the evolving landscape and ensure robust data protection.