A senior advisor to the U.S. Food and Drug Administration (FDA) tossed cold water on speculation that the Agency might try to police mobile health and wellness applications, saying the FDA couldn’t possibly scale up to meet the challenge of policing the hundreds of new apps appearing every month.
Correction: The article was changed to clarify Mr. Patel’s comments. He was not responding to a direct question about the FDA setting up an office to regulate mobile health applications. He was commenting on the possibility of creating a platform to evaluate and rate mobile health applications. Also, he said “It’s not do-able,” not “it’s not possible.” We apologize for any confusion created by the article. – PFR July 10, 2014.
The sheer pace of innovation in the mobile health application space and the numbers of such applications already available on mobile marketplaces like the iTunes App Store and Google Play mean that many mobile health applications will escape scrutiny by federal regulators, said Bakul Patel, a Policy Advisor in the FDA’s Center for Devices and Radiological Health.
Patel was speaking as part of a roundtable discussion of medical device security hosted by the National Institute of Standards and Technology’s (NIST’s) Information Security and Privacy Advisory Board (ISPAB) in June. (I wrote about this panel, more broadly, over on Veracode’s blog.)
Speaking about the possibility of a platform to evaluate mobile medical applications and allow doctors to advise patients about which medical mobile applications they should use, Patel politely shot down the idea.
“It’s just not do-able,” Patel told the panel. Estimates put the number of new, mobile health applications created each month at 500. But the FDA has reviewed no more than 80 in total so far – a mere fraction of the population.
In September, 2013, the FDA issued guidance to mobile application publishers about what kinds of mobile applications would qualify as medical devices. The Agency said it will exercise oversight of mobile medical applications that are accessories to regulated medical devices, or that transform a mobile device into a regulated medical device. In those cases, the FDA said that mobile applications will be assessed “using the same regulatory standards and risk-based approach that the agency applies to other medical devices.”
The FDA is authorized to review medical devices under the Federal Drug & Cosmetic Act of 1938, which authorized the Agency to oversee the safety of food, drugs, and cosmetics. While some mobile applications carry minimal risks to consumers or patients, others can carry significant risks if they do not operate correctly, the FDA said. That’s especially true of mobile applications that interact with other medical devices.
Speaking on the NIST panel in June, Patel reiterated that guidance, saying that most mobile medical applications were really “health and wellness” tools that couldn’t adversely affect patient health. But he said the agency would treat applications that are mobile companions to regulated medical devices – like insulin pumps – differently.
That’s a small minority of all the mobile applications out there, but Patel said that was fine: many mobile health applications have short lifespans, living and dying unnoticed on the App Store or Google Play. Diverting FDA resources to vetting them would be a waste of time.
“The whole mobile application world has its own ecosystem. Mobile apps live and die and it’s all user or consumer driven. The end-of-life cycle is so short compared to any other products we see. We need to focus on oversight of what is sustained and maintained.”
The healthcare vertical is one of the most aggressive adopters of new technologies. In many medical settings, iPhones and tablets long ago replaced the ubiquitous clipboard as the platform for all manner of patient information. But they can already do a lot more, and it’s reasonable to expect that, within a few short years, smartphones might replace a slew of critical medical devices, from the stethoscope to blood pressure cuffs.
But hospitals and regulators are struggling to take advantage of transformative technology advances and stay true to core principles (and regulations) governing things like patient privacy and standard of care.
Patel said that the FDA was trying to take a “horizontal” view of the industry: making sure that products were designed safely, but also balancing information security best practices with healthcare organizations’ basic need to take care of patients. The agency does not want to be prescriptive in its directions to medical device makers, he said.
Regulators and device makers need to consider both safety and security during design of the product, but also make it possible to easily deliver on the promise of the device. “You don’t want someone to have to punch in a 15-digit password when they try to turn on an infusion pump,” Patel said. “That would be not useful.”