Ostendio Blog

FDA takes on Mobile Security

Written by Grant Elliott | Jan 27, 2016 5:00:19 PM


A recent Healthcare IT News article revealed that 95% of FDA approved mobile health apps lack important technical protection layers. That means our use of many popular apps has left us vulnerable to being hacked. Risks include PHI theft, device tampering and privacy violations.

In 2013, the FDA issued the “Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff,” focused on clinical effectiveness and the safety of the apps working as intended. Now the FDA has just released a new draft guidance document, “Postmarket Management of Cybersecurity in Medical Devices” for commentary.

The document’s pre- and post-market recommendations will be familiar to anyone already following a strong compliance program. As an example - “a manufacturer should establish, document, and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device.” As we always advise our clients they should, at a minimum:

  • Conduct a risk analysis
  • Identify risks
  • Mitigate risks
  • Make it an ongoing process.

What does this all mean for medical device manufacturers?

Most medical device manufacturers are already on top of the FDA regulations they have to comply with to ensure their product can be marketed in the US. Those rules focus on aspects such as Management Controls; Records, Document and Change Controls; and CAPA. But they cannot stop there. Today’s medical device companies are also software companies. They must focus on the same cybersecurity, information security and compliance processes and procedures that software and technology companies follow. That includes implementing a robust information security program. The FDA’s draft guidance points to the NIST Framework for Improving Critical Infrastructure Cybersecurity as a model. This is relatively new but in line with other guidance documents published by NIST, which Ostendio’s policies and procedures are based upon. It will be interesting to see how Medical Device companies embrace these new guidelines and I will be happy to share my experiences on this blog as we continue to work with them.

To learn how you can use Ostendio’s MyVCM to manage to both FDA regulations and the recent cybersecurity guidance, contact us on 877-668-5658 or visit ostendio.com.