As with all software and technology, security is, and will always remain, a hot-button topic. It is even a point of contention for computer consumers: Mac vs. PC debates often focus on how Macs don't "need" virus protection (which is something of a misnomer, but certainly good marketing).

If consumer products and their manufacturers are concerned about software security, then a regulated industry such as medical devices must be as well. Standards exist (international standards, FDA guidance documents, etc.) that require security measures to be implemented as part of medical device software development; however, the mobile application market exposes patients and their data to a new realm of hackers.

One article I've read revolves around McAfee's report that hackers may be able to manipulate medical device software to cyberassassinate patients. Medtronic responded in kind to assure its users that the company has taken measures to secure its software and prevent such acts from occurring. I would imagine that traditional medical device manufacturers would be able to issue a similar statement that their medical devices have appropriate security measures to avoid such a travesty. At the same time, I cannot hold such confidence in app developers.

In beginning my involvement with medical devices in the mobile app space, I've come across some interesting tidbits. One app developer, not specializing in medical devices, communicated his displeasure with app developers not properly developing software in general. Many people have an idea and, all too quickly, shove it out onto the respective app marketplace hoping to be the next "Angry Birds" and strike it rich. Unfortunately, these one-off, hasty developers don't consider that there was a general process the developers of "Angry Birds" followed to create functional, user-friendly software from their genius idea of flinging birds at pig fortresses.

His statements regarding app development concerned me because anyone with an iPhone, iPad, or Android device can take one look at the App Store or Android Market and find countless examples of these "one-off" medical apps that have no guarantee of safely delivering patient therapy or relaying patient data securely to "the cloud" (which, in and of itself, is an independent target). To make matters worse, because the industry has yet to be tightly regulated, many developers will be reactive rather than proactive about controlling their device. In the example above, McAfee talks about blood glucose monitors being used for cyberassassination; hackers could easily turn their focus to apps that function in the same manner, as the "low-hanging fruit" of software targets.

All things considered, I think we can expect FDA to target a few large-volume or large-grossing applications once the guidance document is released. A highly public trouncing of a few app developers, be it right or wrong, would go a long way toward bringing this industry under control. With that said, the best advice to developers is to a.) understand whether your app is a medical device, b.) if so, take action to ensure the appropriate statutory and regulatory requirements are satisfied, and c.) in either case, create and maintain records of any regulatory activity as evidence of due diligence during an inspection.

-RTK

Image Credit: Phil Roeder on Flickr
