to the open Internet, the potential risks of physical injury or substantial data
loss increase. 35 For these reasons, the FDA publicly announced both in 2015
and 2016 its intention to focus attention on high risk digital health medical
devices, rather than all health-related mobile apps. 36
B. Cybersecurity Risks – Threats and Vulnerabilities for Digital Health
Cybersecurity is defined as “the activity or process, ability or capability,
or state whereby information and communications systems and the
information contained therein are protected from and/or defended against
damage, unauthorized use or modification, or exploitation.” 37 The breadth of
this definition is critical to understanding cybersecurity: not only do strong
cybersecurity practices require technical solutions, but they also require
strong organizational processes and continuous management. 38 In the
cybersecurity field, a complete cybersecurity program must implement both
administrative controls (processes and procedures that regulate human
behavior) and technical controls (controls enforced through computerized
mechanisms). 39 Much like medical device regulation and safety
assessments, cybersecurity is, at its foundation, a creature of risk
The cybersecurity field aims to protect the confidentiality, integrity, and
availability of information. 41 For digital health, this means examining how a
loss of confidentiality, integrity, or availability might result in risks to a
patient or consumer for a particular type of device, ultimately causing either a
physical or a financial injury. 42 Understanding the risks for a specific
35. Williams & Woodward, infra note 136, at 307.
36. MOBILE MEDICAL, infra note 143; GENERAL WELLNESS, infra note 144.
37. Cybersecurity: A Beginner’s Vocabulary, CYBERSECURITYU, http://www.cybersecurityu.org/cybersecurity-a-beginners-vocabulary/ (last visited Nov. 16, 2016).
38. A common example in cybersecurity is the practice of access management. Access
management practices involve processes like access reviews, where user accounts are
reviewed periodically to ensure individuals who have moved to a new role or have been
terminated no longer have access to systems and information. See THE FIN. INDUS. REG. AUTH.,
REPORT ON CYBERSECURITY PRACTICES 19 (Feb. 2015), http://www.finra.org/sites/default/
39. Stephen Northcutt, Security Controls, SANS TECH. INST., http://www.sans.edu/
research/security-laboratory/article/security-controls (last visited Oct. 26, 2016).
40. See generally THE N.Z. NAT’L CYBER SECURITY CTR., CYBER SECURITY AND RISK
MANAGEMENT: AN EXECUTIVE LEVEL RESPONSIBILITY (2013), http://www.ncsc.govt.nz/
41. Dan Craigen et al., Defining Cybersecurity, TECH. INNOVATION MGMT. REV. 13, 15
(Oct. 2014) (citing Public Safety Canada 2014).
42. Peter Sullivan et al., In Cybersecurity, No Harm Does Not Necessarily Mean No Foul,
L. 360 (Feb. 17, 2016), http://www.law360.com/articles/759413/in-cybersecurity-no-harm-