Health app makers face privacy and security regulation from many quarters

By Jonah Comstock
Photo: Pepper Hamilton headshots of Sharon Klein and Dayna Nicholson

Even though the FDA guidance on mobile medical apps is now finalized, it only represents a portion of the regulation mobile medical app developers need to concern themselves with, according to Pepper Hamilton lawyers Mark Kadzielski, Sharon Klein, and Dayna Nicholson, who presented a webinar on the topic last week. Particularly in the areas of privacy and security, a number of regulatory bodies are involved.

"With the proliferation of medical devices utilized on smartphones and tablets by doctors, pharmaceutical companies, and patients, comes a lot of vulnerabilities and a confusing web of regulations," Klein said. "Cybersecurity incidents are very very likely, especially in wireless and network connected devices that transfer patient data electronically. They're subject to SQL injections, hacking, and data breaches ... And with that greater risk comes increasing regulation."

Klein, who is the chair of Pepper’s Privacy, Security and Data Protection practice, said that increased regulation is happening to fill gaps in legislation about emerging classes of device, but the sheer number of agencies regulating the same space -- including the FDA, the FCC, the FTC, the Office for Civil Rights, which enforces HIPAA, and state attorneys general -- can be problematic for app developers and provider organizations trying to comply with all the regulations.

"The regulatory overlap is confusing and in some instances it's duplicative," Klein said. "Congress has recognized this problem and passed the FDA Safety Act of 2012, which has mandated that HHS produce a report with a strategy and a recommendation, dealing with mobile health apps, which would balance innovation, patient safety, and avoid regulatory duplication. What we do know is there will be great enforcement in 2014 and the years to come in the mobile health area."

Nicholson added that, as it stands now, none of the regulations pre-empt each other, so developers have to keep them all in mind.

"Part of the inconsistency is that the regulations are coming from different perspectives," she said. "You might have the perspective of patient safety, but you also have data privacy and data security concerns, and general consumer protection concerns. And those perspectives lead to different regulations. The challenge is that you can be fined by multiple agencies and it can be hard to satisfy so many bosses." 

In addition to the FDA Safety Act, the National Institute of Standards and Technology (NIST) has also released some guidelines it hopes other regulatory bodies and private sector groups will adopt. NIST has released guidelines pertaining to privacy, encryption, and disposal of data.

The FDA itself, meanwhile, recently finished the draft guidance for cybersecurity in medical devices, which deals with protecting connected medical devices from dangerous malfunctions or malicious hacks. The guidance resembles the HIPAA omnibus rule in some ways, notably its emphasis on risk analyses, which, under the draft guidance, companies would be required to complete to secure clearance for new medical devices.

In addition to maintaining confidentiality, integrity, and availability of patient data, the draft guidance requires medical device makers to report breaches as they happen and to include failsafes to protect critical functionality if security is compromised, Nicholson said.

"With regard to emergency issues, device manufacturers need to ensure that the security they've implemented doesn't create additional problems," she said. "For example, in 2011 in Joplin, there was a tornado, and St. Johns Hospital in Kansas City lost electricity. As a result their cabinet storing drugs was automatically locked and became immediately inaccessible -- a very problematic situation."

Nicholson and Klein also offered some general tips that will help developers stay compliant with most regulations. Klein stressed the importance of having a standard operating procedure for breaches and emergencies, and not only to have it on paper, but to actually conduct drills so everyone knows what to do. Nicholson pointed out that just as important as having safety protocols in place is documenting those protocols rigorously, so that in the event of an audit that diligence is provable.

One concept that appears in several different regulatory documents is "privacy by design" or "security by design": the best way to guard against privacy and security concerns is to think about them at the very beginning of an app's development and build safeguards in along the way, rather than expecting to add them in the late stages of development.

As a closing thought, Kadzielski, who moderated the webinar, stressed that in addition to the various government regulators involved, privacy and security breaches can ultimately open one up to litigation as well.

"The real issue is," he said, "when you have a privacy breach, you're looking not only at punitive actions by government entities, you're looking at potential action by consumers alleging that their privacy was violated, even if there's no evidence that it hurt them individually."