© Hall, Render, Killian, Heath & Lyman, P.C.
The iPhone as a Medical Device
Presented by:
Melissa L. Markey, Esq.
Hall, Render, Killian, Heath & Lyman, PLLC
201 West Big Beaver Rd, Suite 315
Troy, Michigan
(248) 740-7505
This session will consider:
When is a mobile app a medical device?
What are the concerns related to mobile apps which are used in healthcare?
What privacy and security issues must be considered in deciding whether to support a medical device mobile app?
The docs want the app – how can the hospital
iPhone EKG
Brief Overview of Device Regulation
Definition of a Medical Device
an instrument, apparatus, implement, machine, contrivance, implant, reagent, or similar or related item, or a component part or article…
intended to affect the structure or any function of the body… and
does not achieve any of its primary intended purposes through chemical action…and is not dependent upon being metabolized…
Brief Overview of Device Regulation
Three categories of device regulation
Class I – general controls
Class II – special controls
Class III – premarket approval
“FDA Policy for the Regulation of Computer Products”
Withdrawn
Regulation of software and computer-related devices based on risk
When is an App a Device?
All medical device software is subject to design control requirements, unless exempted
Certain types of medical device software are subject to specific regulation
Commercial off-the-shelf (“COTS”), handheld platforms
Software
Executed on a mobile platform
Web-based software applications tailored for mobile platforms and run on servers
Used as an accessory to a regulated medical device or transforms a mobile device into a regulated medical device
FDA Guidance on Mobile Medical Apps
Mobile Medical Devices
Identity as a medical device is based on intent
LED on mobile platform for general lighting purposes – not regulated
LED on mobile platform for illumination of patient exam – regulated
If regulated when not mobile, regulated when
Mobile Medical Devices
Who is a manufacturer?
Anyone who initiates specifications, designs, labels, or creates software or application
Software designer
Web service or support provider
Developer
Software author
Who isn’t?
iTunes store
BlackBerry App World
Mobile Medical Devices
What is not a mobile medical app?
Textbooks, teaching aids and reference books.
General health and wellness apps
Generic aids, but not marketed for specific medical indications
Mobile Medical Devices
Regulatory oversight limited to mobile medical apps that
Have traditionally been treated as medical devices
Affect performance or functionality of a currently regulated medical device
Mobile Medical Devices
Types of Mobile Medical Apps
Medical Device Extenders: extend devices by connecting the mobile device to another device for purposes of controlling the primary device or displaying, storing, analyzing, or transmitting patient-specific medical device data
Includes active patient monitoring data and remote PACS-viewing applications
If merely displays medical device data in original format and not used for active patient monitoring, may be MDDS and subject to Class I controls
Mobile Medical Devices
Types of Mobile Medical Device Apps
Mobile Apps that Transform the Mobile Device into a Medical Device
By attachments, display screens, or sensors, or functionalities
Permit use of the mobile device as a medical device
Subject to the same regulation as the traditional medical device
Mobile Medical Devices
Types of Mobile Medical Apps subject to regulation
Mobile apps that permit input of patient-specific information to obtain patient-specific diagnosis, treatment recommendations, or other clinical decision support
If this creates alarms, recommendations or analyzes or interprets data: accessory to the primary medical device
Mobile Medical Devices
The Hospital as the Manufacturer
Physician Has an Idea…
IT develops an interface…
Lab Director creates a quick app in his garage…
Mobile Medical Devices
Reporting Obligations
As a Manufacturer
Deaths or serious injuries your device may have caused or contributed to
Device malfunctions
Maintain adverse event files
Updates
As a Device User Facility
Deaths or serious injuries a device caused or may have contributed to
Submit summary annual reports
Includes adverse events caused by viruses, hacks,
Medical Device Data Systems
MDDS
Feb. 15, 2011: FDA issues final rule down-regulating Medical Device Data Systems from Class III (premarket approvals) to Class I (general controls)
Devices that transfer, store, convert formats, or display medical device data
Not used in connection with active patient monitoring
Expressly excludes EHR and PHR
MDDS
MDDS risks:
incomplete or inaccurate data transfer, storage, conversion, or display.
FDA believes Quality System regulations
MDDS
MDDS are merely communications conduits.
They transfer, store, convert or display medical data.
They do not change data!
MDDS
“Medical device data” is electronic data that is obtained from a medical device.
Manually entered data is not medical device data…
unless it is later transmitted from a medical device.
MDDS
Any type of analysis of data removes the device from the MDDS classification
Flagging data as out-of-acceptable limits
Prioritizing data
Plotting or graphing data
Trending of data
Use of other functionality or algorithms
“Conversion” for MDDS is limited to language/format translation to harmonize data from multiple vendors
MDDS
Examples
Hospital purchases COTS software which it uses to store serial blood pressure measurements for each patient treated in its CV clinic
Hospital purchases software which hospital IT department interfaces with and modifies to convert serial blood pressure measurements into a graph
Hospital develops an interface that transmits
Mobile Device Privacy and Security
There is nothing new under the sun…
January, 2005: FDA Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
Mobile Device Privacy and Security
Privacy and Security Concerns depend on how data is stored
Some mobile applications store data only on the server
Security vulnerabilities will exist at the server level and the wireless level
Some mobile applications store data on the mobile device
Security vulnerabilities will exist at the server level, the wireless level, and the mobile device level
Mobile Device Privacy and Security
Social Engineering
Image From: http://www.itgovernance.co.uk/visible-statement-infosec-awareness-tool.aspx
Hackers
Image from: http://www.lovefortech.com/2011/08/07/hackers-could-kill-a-person-remotely-with-an-iphone-said-security-expert/
Authentication
Image from: http://www.idapps.com/products/tactivo-iphone-case
Encryption
Image from: http://howto.cnet.com/8301-11310_39-10434684-285/want-really-secure-gmail-try-gpg-encryption/
Technological Solutions
Remote Wipe Capabilities
Disable WiFi, Join Network, Location Services when not needed
This will also help save your battery!!
Disable Bluetooth when you are not using it
Know whose network you are on; only use trusted networks
Starbucks is not a trusted network
Bluetooth Security
Bluetooth is a great technology, but has its own security issues
Don’t pair or “search” Bluetooth in public places
Once you have paired your device, turn off discoverable mode
Never accept an unexpected “pair” request
Check the list of “paired” devices from time to time; delete old or unexpected devices
Require prompts and active acceptance of files
Encryption is always a good thing
Mobile Device Privacy and Security
Privacy Concerns
Transmission of PHI in the clear over the wireless network
Storage of unencrypted PHI on the mobile device
Mis-directed data
Shoulder Surfing
LOST DEVICES!!!!!
Mobile Device Privacy and Security
Step 1: Get A Physician Leader
Step 2: Evaluate Your Wireless Capabilities
Step 3: Develop A Reasonable Plan
CMS Guidance
HIPAA Security Guidance on Remote Access
“In general, covered entities should be extremely cautious about allowing offsite use of, or access to, EPHI…”
But if you are going to allow it…
Risk Analysis
Risk Management
Limit Access
Secure the Media
Training
Address Security Incidents and Non-Compliance
CMS Guidance – Access
Risk
Loss of Authentication Credentials
Unauthorized remote access
Unattended remote devices
Viruses
Strategy
Use 2-factor authentication
Use single-event token generator
Consider biometrics
Training and enforcement
Clearly delineate when remote access is permitted
Timeouts on remote devices
Enforce anti-virus on remote
CMS Guidance – Storage
Risk
Lost Device
Strategy
Track remote devices
Track who has what device, and where it has been
Lock-down unattended devices
Password protect files and devices
Encrypt
Pass security updates to mobile devices
Consider biometrics
Consider remote wipe
Know what data is on what device
CMS Guidance – Storage
Risk
Lost Device has critical data on it
Improper Disposal; EPHI Remains on Device
Strategy
Ensure remote devices are appropriately backed up
Once backed up, delete unnecessary data from remote device
Develop and enforce disposal policies for all storage media
Don’t forget fax machines, copiers,
CMS Guidance – Storage
Risk
Data Left on External Device (“I left it at the Marriott”)
Viruses
Strategy
Prohibit or prevent download of ePHI on remote systems without operational justification
Training – clean cache
Minimize use of browser-cached data in web-based applications
Require small mobile media (jump drives) be carried on a lanyard, etc. – they are harder to forget that way
Use anti-virus software
Update it!!!!
CMS Guidance – Transmission
Risk
Interception or modification of data
Viruses
Strategy
Prohibit transmission of ePHI over open networks such as the internet
Unless encrypted
Prohibit use of offsite devices or wireless access points for non-secure access to email
Use more secure connections for email via SSL, etc.
Use Encryption
Use anti-virus