Cybersecurity: New Area for Mobile Medical App Compliance, Part 1

Regulatory compliance. While this phrase may strike an ominous tone for many traditional mobile app software companies, it is familiar territory for veterans in the mobile medical app space. It is unlikely the software developers behind the first calorie counting app gave regulatory compliance much thought. Applications, after all, have been a source of convenience, entertainment and education for years. However, as mobile apps have grown more integrated and mobile device sensor technology has become more sophisticated, that calorie counting app may be transformed into a tool for treating obesity, diabetes and sleep disorders. Smart software developers have come to realize that mobile medical apps are a way to future profits as well as a benefit to patients.

That is where the regulatory compliance piece of the puzzle comes in. We are all now familiar with the FDA and their Guidance on Mobile Medical App regulation, issued this past February. In my opinion, the guidance leaves far too many apps essentially unregulated. However, it does corral the applications posing the greatest patient risk and provides app developers with a pathway to obtain clearance before their apps are marketed.

However, simple regulatory compliance is only part of the picture. Providing assurance of mobile medical application security is as essential to delivering a safe and effective product as is functional and performance testing. What good is a mobile medical app if it cannot upload health information to its central server securely? What if the app is compromised, leading to a breach of patient health information? Or even worse, what if an app is subject to hacking, and as a result the patient medical device it connects to can be somehow manipulated? Now we are speaking of actual patient harm.

Some potential cybersecurity risks to medical devices include:

  • Breaches of protected health information
  • Stolen financial information and identity theft
  • Loss of device availability at a time of need
  • Compromised device performance and malfunctions
  • Theft of device intellectual property

My intent is not to scare anyone, but rather to raise awareness. App developers likely rely on clinical and technical experts to ensure they have mitigated risk and met their functional and performance requirements. The question becomes whether or not these developers have analyzed the cybersecurity risks posed by, and to, their applications. The FDA requires that cybersecurity be addressed in 510(k) filings, but like much of the agency’s guidance, the requirement is described at a high level. It is left up to the app developer to essentially self-police based on an analysis of cybersecurity risks – and therein lies the problem.