Annals of Health Law - Vol. 26 Issue 1

management system for Class I devices and pursuant to FDCA post-market surveillance requirements for Class II and III devices.203

The FDA will also need to more actively regulate behavior of organizations when information arises regarding organizational noncompliance with the FDCA, as the FDA has interpreted those regulatory requirements. The OCR has taken significant steps to hold HIPAA entities accountable, and the FDA may also need to more rigorously evaluate organizations marketing Class I devices given the comparatively flexible regulatory responsibilities for these devices.204 Despite less potential for physical injury, Class I devices, like mobile apps, also likely involve processing, transfer, and storage of highly sensitive health information, making them more likely to be a conduit for healthcare fraud.205 In particular, the FDA can leverage its previous experience prosecuting for violations to the quality system regulation to enforce effective cybersecurity quality measures if the FDA learns of data breaches, failure to patch or remediate devices with known vulnerabilities affecting individual safety or sensitive personal information.206 Alternatively, the FDA could operate a modified audit process, similar to recent OCR audits, involving self-disclosure or third party certification.207 While this might require additional budgetary allocation, coupling strong process with strong enforcement would likely preserve maximum flexibility for organizations while creating the necessary stringency to improve cybersecurity for consumers.

CONCLUSION
Although the OCR could provide some level of oversight for the digital
health marketplace, the FDA provides the most comprehensive regulatory

203. 21 C.F.R. § 822.4; NAT’L HEALTH-ISAC, supra note 202; HEALTH INFO. TRUST ALLIANCE, supra note 202.

204. Compare Part II, HIPAA OCR Audit Protocol and Oversight and accompanying notes, with Part II, FDA and accompanying notes. In addition, the FDA and OCR may need to coordinate activities and choose when meeting certain requirements will suffice. For example, if a Class II or III device is also regulated by HIPAA, security requirements implemented and validated by the FDA should sufficiently meet the HIPAA Security Rule as well, without additional showing to the OCR.

205. Jim Finkle, Exclusive: The FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, REUTERS (Apr. 23, 2014), http://www.reuters.com/article/us-cybersecurityhealthcare- fbi-exclusiv-idUSBREA3M1Q920140423.

206. See, e.g., Federal Judge Approves Consent Decree with Maquet Holding B.V. & Co, U.S. FOOD & DRUG ADMIN. (Feb. 4, 2015), http://www.fda.gov/NewsEvents/Newsroom/ PressAnnouncements/ ucm432925.htm; FDA Enters Consent Decree with Medtronic, Inc.,U.S. FOOD & DRUG ADMIN. (Apr. 27, 2015), http://www.fda.gov/NewsEvents/ Newsroom/PressAnnouncements/ ucm444690.htm; Chuck Soder, FDA Identifies More Problems at Invacare Corp., MODERN HEALTHCARE (Jan. 25, 2016), http://www.modernhealth care.com/article/20160125/NEWS/301259997.