management system for Class I devices and pursuant to FDCA post-market
surveillance requirements for Class II and III devices.203
The FDA will also need to more actively regulate the behavior of organizations when information arises regarding organizational noncompliance with the FDCA, as the FDA has interpreted those regulatory requirements. The OCR has taken significant steps to hold HIPAA entities accountable, and the FDA may also need to more rigorously evaluate organizations marketing Class I devices given the comparatively flexible regulatory responsibilities for these devices.204 Despite less potential for physical injury, Class I devices, like mobile apps, also likely involve processing, transfer, and storage of highly sensitive health information, making them more likely to be a conduit for healthcare fraud.205 In particular, the FDA can leverage its previous experience prosecuting violations of the quality system regulation to enforce effective cybersecurity quality measures if the FDA learns of data breaches, or of failures to patch or remediate devices with known vulnerabilities affecting individual safety or sensitive personal information.206 Alternatively, the FDA could operate a modified audit process, similar to recent OCR audits, involving self-disclosure or third-party certification.207 While this might require additional budgetary allocation, coupling strong process with strong enforcement would likely preserve maximum flexibility for organizations while creating the necessary stringency to improve cybersecurity for consumers.
CONCLUSION
Although the OCR could provide some level of oversight for the digital
health marketplace, the FDA provides the most comprehensive regulatory
203. 21 C.F.R. § 822.4; NAT’L HEALTH-ISAC, supra note 202; HEALTH INFO. TRUST ALLIANCE, supra note 202.
204. Compare Part II, HIPAA OCR Audit Protocol and Oversight and accompanying notes, with Part II, FDA and accompanying notes. In addition, the FDA and OCR may need to coordinate activities and choose when meeting certain requirements will suffice. For example, if a Class II or III device is also regulated by HIPAA, security requirements implemented and validated by the FDA should sufficiently meet the HIPAA Security Rule as well, without additional showing to the OCR.
205. Jim Finkle, Exclusive: The FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, REUTERS (Apr. 23, 2014), http://www.reuters.com/article/us-cybersecurityhealthcare-fbi-exclusiv-idUSBREA3M1Q920140423.
206. See, e.g., Federal Judge Approves Consent Decree with Maquet Holding B.V. & Co, U.S. FOOD & DRUG ADMIN. (Feb. 4, 2015), http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm432925.htm; FDA Enters Consent Decree with Medtronic, Inc., U.S. FOOD & DRUG ADMIN. (Apr. 27, 2015), http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm444690.htm; Chuck Soder, FDA Identifies More Problems at Invacare Corp., MODERN HEALTHCARE (Jan. 25, 2016), http://www.modernhealthcare.com/article/20160125/NEWS/301259997.
207. See Part II, HIPAA OCR Audit Protocol and Oversight and accompanying notes.