On October 18, 2018, FDA issued a long-awaited draft revision to its existing guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”(premarket cybersecurity guidance). This coincided with release of the FDA-supported incident preparedness and response playbook, the announcement of two new Information Sharing Analysis Organizations (ISAOs), and FDA’s recent news release discussing the agency’s enhanced cybersecurity partnership with the U.S. Department of Homeland Security (DHS) earlier this month. FDA’s recent flurry of activity focuses on providing additional clarity about when to interact with FDA, what information would be useful in submissions, and what level of documentation is expected. Cybersecurity clearly is a high priority issue for FDA and the agency is working hard to bring together stakeholders and provide the best information it can so that all entities that are involved in managing the multifaceted and evolving area of cybersecurity have the best and most current information to manage the risks of a cybersecurity intrusion.
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
The medical internet of things is coming. That was the common recognition of participants at a two-day public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” co-sponsored by the Food and Drug Administration, Department of Health and Human Services, and the Department of Homeland Security. The workshop comes during a busy month for medical device cybersecurity, with the FDA issuing final guidance earlier this month and DHS indicating that it is reviewing dozens of potential cybersecurity vulnerabilities in medical devices.
Government officials emphasized the importance of risk analysis and risk management in safeguarding PHI at the Seventh Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 23–24, 2014, and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. The conference’s themes—which include risk analysis and risk management, information sharing, and upcoming OCR enforcement efforts—highlighted how HIPAA regulated entities should approach cybersecurity considerations and compliance with the HIPAA Security Rule.
Drawing on the increasing use of wireless, Internet- and network-connected medical devices, the Food and Drug Administration issued a draft guidance document for comment on June 14, 2013, proposing that manufacturers of medical devices that contain software, firmware, or programmable logic, address cybersecurity risks in premarket submissions. The draft guidance represents the Agency’s most direct and recent effort to address the potential risks of compromised medical device functionality due to intentional or unintentional cyber-attacks. In conjunction with the draft guidance, FDA issued a safety communication on its website addressing not only medical device manufacturers, but hospitals, medical device user facilities, and health care IT and procurement staff, recommending that these facilities also take steps to ensure that safeguards are place to reduce the risks of medical device failures resulting from cybersecurity breaches, and report such failures.
This blog entry provides a summary of the Hogan Lovells Chronicle of Data Protection’s recent coverage of legal developments regarding social media.
Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other “the best part about the Internet is that no one knows you are a dog”.