on implanted and physically invasive connected devices and Classes II and
III, which the FDA deems not “low risk,” and it neglects Class I devices.145
In the FDA’s Mobile Medical Apps Guidance, issued in February 2015,
the FDA gave specific examples of mobile medical apps where the FDA may
exercise enforcement and reiterated the FDA’s sole focus on patient safety.146
These examples include medical devices providing technology to monitor
patients, conduct data analysis, or control the medical device via a
mobile application (Type A, see Table 1); mobile applications connecting to
sensors, displays, or attachments of existing medical devices (Type B, see
Table 1); and mobile apps that perform the functions of existing diagnostic
or therapeutic software, most likely Class II and Class III devices.147
Reinforcing the FDA’s focus on patient safety, the FDA also listed mobile
apps for which the FDA will exercise enforcement discretion, or choose not
to regulate.148 The FDA will not actively regulate the majority of these apps
that may be vulnerable to information loss, including apps that help patients
manage disease, track health information, provide remote medical care,
provide access to health information, or transfer data from a medical device
(Types C-E, see Table 1).149 In short, the FDA has demonstrated it will
regulate direct physical safety, not data loss or disclosure.
The FDA has the ability, via statute and practice, to manage and monitor
Class II and Class III medical devices.150 However, the lack of clear direction
on organizational and technical cybersecurity requirements, coupled with a
reluctance to regulate Class I devices and a significant proportion of mobile
applications does not position the FDA to effectively manage cybersecurity
risk in the digital health marketplace.
PART III: PROPOSED REGULATORY LANDSCAPE
The existing statutory framework regulating the digital health marketplace
is not sufficient to reduce and manage cybersecurity risk. FDA guidelines do
not effectively manage a market heavily driven by compliance-oriented
activities, and the entities required to follow HIPAA cover only a subsection of
gen/documents/document/ucm429674.pdf [hereinafter GENERAL WELLNESS].
146. MOBILE MEDICAL, supra note 143, at 13.
147. Id. at 15.
149. Id. at 15–18.
150. Overview of Medical Devices and Their Regulatory Pathways Medical Devices:
The Basics, U.S. FOOD & DRUG ADMIN., http://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHTransparency/ucm203018.htm (last updated Nov. 27, 2015).