On October 18, 2018, FDA issued a long-awaited draft revision to its existing guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”(premarket cybersecurity guidance). This coincided with release of the FDA-supported incident preparedness and response playbook, the announcement of two new Information Sharing Analysis Organizations (ISAOs), and FDA’s recent news release discussing the agency’s enhanced cybersecurity partnership with the U.S. Department of Homeland Security (DHS) earlier this month. FDA’s recent flurry of activity focuses on providing additional clarity about when to interact with FDA, what information would be useful in submissions, and what level of documentation is expected. Cybersecurity clearly is a high priority issue for FDA and the agency is working hard to bring together stakeholders and provide the best information it can so that all entities that are involved in managing the multifaceted and evolving area of cybersecurity have the best and most current information to manage the risks of a cybersecurity intrusion.
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.