The FDA now requires that mobile app developers create a cyber security plan and submit it to the FDA along with their mobile medical app / medical device submission.
As we’ve know, the FDA reads its jurisdiction expansively over mobile applications for your iphone, Android, or other smartphone, and consider these mobile apps to be regulated as medical devices when the apps, in the FDA’s view, transform your mobile app into a medical device:
Mobile apps that connect physicians and patients, or, that transmit medical data from the patient to the physician–or particularly, that upload photographs and videos, even if taken with the patient’s smartphone independent of the app–are at risk for FDA regulation as mobile medical apps, and therefore as medical devices.
Recently, the FDA has issued cybersecurity requirements for these apps as well.
Previously, the FDA issued guidance entitled, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” (“OTS Guidance”). The draft guidance issued on June 13, 2013, “Content of Premarket Submission for Management of Cybersecurity in Medical Devices,” addresses what companies should include in their premarket submissions “to reduce the risk that device functionality is intentionally or unintentionally compromised” by cyber security hacking.
The draft guidance focuses on three security controls: confidentiality, integrity, and availability.
The guidance states that manufacturers should provide the following information in a premarket submission to demonstrate the cybersecurity of the medical device:
- Hazard analysis, mitigations, and design consideration pertaining to intentional and unintentional cybersecurity risks associated with the device;
- A “traceability matrix” linking the actual cybersecurity controls to the cybersecurity risks considered;
- Plan for providing validated updates and patches to operating systems or software as needed;
- Appropriate documentation to demonstrate that the device will be provided to purchasers free of malware; and
- Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use.
Cyber-security is only one of the many pieces of the regulatory puzzle in which the FDA is involved. Mobile app developers can also be slammed by the FDA (or FTC) for making claims that are deceptive, misleading, or misleading and unsubstantiated.
Contact our FDA and FTC mobile app and medical device attorneys when you have questions about privacy, security, and medical device laws governing your product.