Cybersecurity flying under FDA’s 2018 radar

Image credit: Cocoparisienne, Pixabay.

On January 11, 2018, the U.S. Food & Drug Administration (FDA) released its “2018 Strategic Policy Roadmap”, outlining the agency's top priorities this year. According to the document, it will focus on four primary policy areas:

  • Reduce the burden of addiction crises that are threatening American families.
  • Leverage innovation and competition to improve health care, broaden access, and advance public health goals.
  • Empower consumers to make better and more informed decisions about their diets and health; and expand the opportunities to use nutrition to reduce morbidity and mortality from disease.
  • Strengthen FDA’s scientific workforce and its tools for efficient risk management.

The third focus area, empowering consumers, includes explanatory text, excerpted here. “Empowering consumers to make better and more informed decisions also means promoting access to effective tools that can help provide reliable information about their health. These tools can include new technologies, such as digital tools and medical apps, which can provide up-to-date health information at the point of decision-making. We are taking new steps to make the development and review process for these novel technologies more efficient.”

While FDA’s efforts to move a bit faster and embrace new technologies are laudable, the new Roadmap provides an example of how important considerations can fall through the cracks. The document specifically mentions “digital tools and medical apps”, yet nowhere does it mention the terms “privacy”, “data security”, or “HIPAA”.

Since the Roadmap is intended as a high-level strategic plan, what about the more specific draft guidance document, “Clinical and Patient Decision Support Software”, released December 8, 2017? Again, no mention of privacy, data security or HIPAA. “Software as a Medical Device (SAMD): Clinical Evaluation”, released the same day? No mention. “Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act” (draft guidance)? Nope, not there either.

Indeed, the only relatively recent document found that mentions cybersecurity was FDA’s “Digital Health Innovation Action Plan”, issued July 27, 2017. While acknowledging that cybersecurity is a “challenge”, it also states that it will not focus on mobile medical apps, medical device data systems, or digital products that promote general wellness. The only nod to security was the formation of “a community to exchange cyber security information”.

The bottom line is that FDA has indicated that it will continue to follow a hands-off approach to data security, at least for the next 12 months. However, for apps and devices that collect, store and transmit high-value health data, increasing use and popularity will make them targets.

The question comes down to how many opportunities for cyber-mischief, how much compromising on the protection of personal data, how much risk, and how much potential negative publicity a company is willing to accept.

To paraphrase philosopher George Santayana, those who cannot remember the past of companies like Equifax, Yahoo, and Uber are condemned to repeat it.