The FDA Applies Recommendations To Mobile Medical Applications
The use of Smart Phones to deliver medical services to patients and their caregivers is becoming more and more ubiquitous. Now the FDA's December 28, 2016 Final Report on Post Market Management of Cybersecurity in Medical Devices specifically includes mobile medical applications.
The inclusion of mobile medical applications stresses the cyber-security issues involved with the interoperability of Smart Phones and new as well as “legacy” medical applications that contain software or programmable logic to be used for the benefit of patients and their caregivers.
Several key recommendations within this FDA Final Guidance Report specifically address cyber-security issues. It is “strongly recommended” that medical device manufacturers participate in an information sharing and analysis organization (ISAO) and implement well-coordinated cyber-security vulnerability disclosure policies and practices throughout the life cycles of the devices.
The FDA additionally states that cyber-security risk management programs “should” address the problem of “lost” devices and/or unauthorized access, modification, misuse or denial of use of the device and its stored information.
The FDA also “strongly recommends” that manufacturers of Smart Phone enabled medical systems provide users with training on how to identify and implement “compensating controls” for temporary fixes in the event the device(s) stop working properly. Incompatibility of operating system updates, performance in the face of potential battery deficiencies, etc. make training essential in mitigating possible risks when an “official fix” is not available or immediately practical.