Editor’s Note: The following article is an example of federal officials, industry, NGOs and academia are working through the process of regulating aspects of private sector cybersecurity in the absence of a new statutory framework. The absence of new cybersecurity legislation does not mean the absence of new cybersecurity regulation.
From: Government Health IT
BOSTON – Two issues near and dear to the hearts of mHealth enthusiasts – mobile app regulation and privacy and security – took center stage as the 4th Annual mHealth World Congress opened Wednesday afternoon in Boston.
The topics took up the first two of four panel discussions on Wednesday, the first day of the three-day conference. And judging by the level of discussion and number of questions from the audience, it’s clear they won’t be going away any time soon.
With the mHealth industry anxiously awaiting the U.S. Food and Drug Administration’s final draft of guidelines for mobile medical apps (expected by this fall), the talk at that particular panel discussion focused on what should be regulated and what shouldn’t. Bakul Patel, MS, MBA, policy director for the FDA’s Office of the Center Director at the Center for Devices and Radiological Health, pointed out that the market is flooded with apps – many of them harmless, but some of them potentially dangerous and in need of regulation.
“It’s not just about cool software or making something useful,” he said in a video feed to the conference, held at the Collonade Hotel. “You have to understand the risks … and the intentions.”
Taking up the reins for most of the session was Brad Merrill Thompson, JD, general counsel for the mHealth Regulatory Coalition and counsel for the Continua Health Alliance. Thompson, who drafted a response from the coalition to the FDA’s guidance document, issued about a year ago, said the FDA is only concerned with a small fraction of mobile medical apps that meet specific uses: They either assist in the development of clinical decisions for health issues, or as accessories that cause an app to be used as a medical device.
Thompson said stakeholders want the FDA to clarify the issue of intended use, which focuses on the difference between wellness and health apps, and much of that discussion focuses on what the developer says the app will do. “It all comes down to how you promote the product,” he said.
For instance, he pointed out, the FDA stepped in roughly three years ago when the makers of Cheerios began advertising that the cereal helped reduce cholesterol – thus qualifying it as a new drug. That advertising campaign was quickly shelved.
Thompson said some apps blur the distinction between health and wellness, moving away from language like “improve” and “monitor” to the more risky “diagnose” claim. An in-house study of 100 mobile health apps found on iTunes, he said, found 8 percent that definitely needed regulation and 56 percent that wouldn’t need it – but 36 percent fell into an ambiguous area that might require regulation.
“You’re drawing connections between leading mHealth products and leading a healthier life … and you’ve got to understand that there are lines that can’t be crossed,” he said.
Another area of concern, Thompson said, is clinical decision support (CDS) software – what he called “the next wave” in electronic health records. He said most EHRs are generally considered passive collection points, but as they develop tools that allow them to analyze data and draw medical conclusions, the FDA will have to step in and look at them.
Patel agreed, saying the FDA is working on a guidance document on CDS systems “that has big implications for the EHR.”
For some, FDA regulation isn’t such a bad thing. Sridhar Iyengar, PhD, co-founder and chief technology officer for AgaMetrix, a developer of diabetes tools, said developers may find it more advantageous to seek FDA approval of their app than try to maneuver around it. That so-called FDA seal of approval, he said, could then be used for marketing purposes and as an advantage over competitors.
Privacy and Security While the FDA regulations are expected to clarify a muddy situation with regard to mobile medical apps, the panelists discussing mobile device security and privacy issues found themselves confronting an equally complex dilemma: How can an institution ensure not only that the devices it uses are protected, but extend those protections to devices brought in by physicians and patients?
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, pointed out that many privacy and security laws in place – such as HIPAA – were enacted at least a decade ago, and they “don’t incorporate the challenges posed by newer technologies.”
She also pointed out that providers generally aren’t as concerned about privacy and security as their supervisors are.
“If you’ve got a security device that’s hard for your providers to use, they’re going to turn it off (or) get around it,” she said.
Still, the risks are plenty – and expensive. John Halamka, MD, MS, a professor of medicine at Harvard Medical School and chief information officer at Beth Israel Deaconness Medical Center, said BIDMC is just now paying the price for a physician who brought in a newly-purchased personal device that wasn’t secured and left it on a desktop – where it was promptly stolen by someone passing by. The thief, a known felon, was identified and tracked down, but the device was long gone. Hospital officials are now working on a two-phased plan to make sure all devices in the institution, as well as personal devices used by employees that may contain protected health information, are properly encrypted.
“When you look at the cost of a breach, actually spending a couple hundred thousand dollars to secure personal devices is a bargain,” he lamented.
And while considering automatic wipe enforcement, smartphone encryption enforcement and mobile device management policies, he said, one also has to take into account malware. FDA-approved medical devices can attract viruses of a decidedly non-biological nature, he said, and patching or securing them could force the device makers to seek FDA approval all over again.
Part of the problem, said David Harlow, JD, MPH, principal of The Harlow Group, is the “alphabet soup” of federal agencies involved in privacy and security issues, all of them wanting to assert control.
“We’re having a sort of an Al Haig moment in the evolution of regulatory control over mHealth,” he said. “All of the agencies have a piece of us.”
McGraw, whose agency recently released a set of best practices for securing mobile devices, said privacy and security issues often get set aside when physicians and nurses are working.
‘”The primary mission of healthcare is to save people’s lives,” she pointed out. “We secondarily ask them to protect data, but don’t give them any more resources to do it.”
Halamka said healthcare institutions need to balance standards with what he called “optionality” – devising privacy and security measures that might be different for each device or set of devices, with different guidelines and standards based on how those devices are used.
“My wish is that all these agencies say, ‘What is it you should be accomplishing?’” and then decide on the appropriate security standards, he said. “It’s not a technology problem – it’s a psychology challenge.”