In an important move, the U.S. Food and Drug Administration (FDA) has released final guidance to mobile application developers who are creating medical applications to run on devices like the iPhone and Android mobile devices. Some applications, it said, will be treated with the same scrutiny as traditional medical devices.*
The statement is the final word from the FDA on the approach it will take when applying federal regulations on the safety of medical devices to the large and fast-growing category of medical applications. The agency said on Monday that, while it doesn’t see the need to vet “the majority of mobile apps,” because they pose “minimal risk to consumers,” it will exercise oversight of mobile medical applications that are accessories to regulated medical devices, or that transform a mobile device into a regulated medical device. In those cases, the FDA said that mobile applications will be assessed “using the same regulatory standards and risk-based approach that the agency applies to other medical devices.”
The FDA is authorized to review medical devices under the Federal Drug & Cosmetic Act of 1938, which authorized the Agency to oversee the safety of food, drugs, and cosmetics. It first issued draft guidelines for mobile medical applications in 2011. “Some mobile apps carry minimal risks to consumers or patients, but others can carry significant risks if they do not operate correctly. The FDA’s tailored policy protects patients while encouraging innovation,” said Jeffrey Shuren, M.D., J.D., director of the FDA’s Center for Devices and Radiological Health, in a published statement. The FDA says that it has approved around 100 mobile medical applications in the last 10 years.
However, 40 of those were approved in just the last two years, a sign of the increasing activity in the mobile medical application market. Mobile application marketplaces like Apple’s iTunes App Store and Google Play list hundreds of mobile applications in the “Medical” category. The vast majority of those, including applications for accessing electronic health records, looking up information on illnesses or keeping track of headaches, don’t pose a threat to patient health and won’t be reviewed by the FDA, the agency said. The FDA also made clear that it doesn’t consider the mobile application marketplace owners (Google, Apple and others) to be “medical device makers” and won’t attempt to enforce FDA rules on their platforms. When applications interface with regulated medical devices (for example, blood pressure measurement and tracking apps), or turn mobile devices into devices for assessing the health of an individual, the FDA will take note.
“There are about 500 new health apps created every week, and over 40,000 health apps in the consumer market today. Currently, the FDA is estimating that about 100 of these 40,000 health apps need regulatory review,” noted Kurt Stammberger, the VP of Product Marketing at the security firm Mocana. Stammberger said the FDA is, for all intents and purposes, using the same designations that it uses for more traditional medical devices, like implanted pacemakers, which divide them into three categories: “class 1”, “class 2” and “class 3”.
But that line can sometimes be hard to discern. The FDA said it will look to the “intended use of a mobile app” when determining whether it meets the definition of a medical “device.” The Agency may study the labeling or advertising claims used to market it, or statements by the device maker and its representatives. In general, “when the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment or prevention of disease, or it is intended to affect the structure or any function of the body of man, the mobile app is a device,” the FDA said in its published guidelines (PDF). Medical devices of all sorts have attracted the scrutiny of the IT security community in recent years, as more and more devices in hospitals and other medical settings have added networking features that make them discoverable from traditional IT networks and even the Internet.
Researchers have noted that medical devices manufactured by major firms like Siemens, General Electric and Philips contain many of the same kinds of software security holes found in industrial control system (ICS) software from the same firms. The research suggests that lax coding practices may be institutionalized within the firms, amplifying their effects. Stammberger said that, while only 1 in every 400 mobile applications will warrant an FDA review, there are still security issues that likely affect all 400. “Data leakage from one of those apps might be extremely harmful to a person or organization, even if the FDA doesn’t regulate it,” he wrote in an e-mail to The Security Ledger.
That’s an issue of which the FDA has taken notice. In June, the Agency issued guidance to medical device makers and to hospitals that use their products, urging them to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments.
(*) Added commentary from Kurt Stammberger of Mocana. – PFR 9/25/2013