What do we call our emerging futurist healthcare– digital health, e-health, m-health, mobile medicine, tele-health, or old-fashioned “medicine?” FDA is “hip” with its terms, “connected health.” Seek the FDA website and ye shall find: Connected Health leads you to all sorts of device advice for your mobile medical apps, medical devices used in a home environment, medical device data systems (MDDS), and software in medical devices.
Among other things, FDA recognizes voluntary consensus standards to help support and strengthen the interoperability and cybersecurity of networked and connected medical devices.
Regarding cybersecurity, FDA explains:
Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, hospital networks, and to other medical devices.
To mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.
Hospitals and health care facilities should evaluate their network security and protect the hospital system.
All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase health care providers’ ability to treat patients. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. Addressing cybersecurity threats and reducing information security risks is especially challenging because of the need to balance the protection of patient safety with promoting the development of innovative technologies and improved device performance.
FDA’s page on mobile medical apps is particular instructive.
Mobile medical apps are applications that FDA regulates as medical devices, because they either meet the definition of a medical device and are intended to be used as an accessory as a medical device, or transform a mobile platform into a medical device for various reasons.
FDA has indicated that it is unlikely to treat the following kinds of mobile apps as medical devices — apps that:
- Help patients/users self-manage their disease or condition without providing specific treatment suggestions;
- Provide patients with simple tools to organize and track their health information;
- Provide easy access to information related to health conditions or treatments;
- Help patients document, show or communicate potential medical conditions to health care providers;
- Automate simple tasks for health care providers; or
- Enable patients or providers to interact with Personal Health Records (PHR) or Electronic Health Record (EHR) systems.
However, because of the intended use doctrine, FDA retains wide enforcement discretion over mobile apps. This means it’s difficult to predict whether FDA will or will not exercise its enforcement discretion when you put your product out to market. It’s important to have a thoroughly legal and regulatory strategy review to assess:
- whether the healthcare product is likely to be regulated as a medical device under FDA’s mobile medical app guidance
- if so, whether the healthcare product is likely to be classified as Class 1 exempt, or as Class 2 (requiring a more burdensome 510(k) submission)
- what arguments might be made for Class 1 exempt vs. Class 2 / 510(k), and how these arguments will in turn shape the claims made for the product, and the marketing
Some mobile app developers wait until the product is already almost out to market, and then have a corporate lawyer (who is unfamiliar with FDA regulation) draft terms of use as though it is a boilerplate document. That is a mistake. FDA closely watches the product marketing to assess whether the manufacturer or distributor is making claims that could turn an innocent app into a more regulated medical device. Even if FDA is busy looking elsewhere, a jealous competitor may try to bring your product to the watchful eyes of government. We have seen this happen with our clients – i.e., a competitor noticing and collecting the brochures handed out at conferences, the statements made by company personnel, the website and company literature, and then submitting this to FDA with a complaint that the company is making claims outside the Class 1 exempt category, or in some cases, outside the 510(k) Class 2 claim.
FDA regulatory strategy is something a start-up should tackle at the outside — even before patenting. And even terms of use can incorporate claims indicating the product’s intended use.
Our FDA attorneys track FDA and FTC developments affecting drugs, medical devices, dietary supplements, cosmetics, homeopathic medicines, and other healthcare clients, as we counsel our clients on their compliance legal obligations.
Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.
Contact Us
