FDA and UL weigh in on security of medical devices, IoT

The security of medical devices is on the FDA's radar as IoT moves into healthcare and wearable health technology data flows to doctors' charts.

As IoT increasingly moves into healthcare, and data from wearable health devices flows more from consumers' wrists to physicians' charts, the Food and Drug Administration (FDA) is trying to keep pace with the fast-evolving technologies.

Meanwhile, a well-known private organization interested in the safety and security of medical devices has stepped up its efforts in these arenas.

UL watching IoT developments

Underwriters Laboratories (UL), the more-than-century-old industrial and electronics testing firm, is one of several companies approved by the U.S. Occupational Safety and Health Administration to perform safety testing.

In interviews with SearchHealthIT, Anura Fernando, UL's principal engineer for medical software and systems interoperability, said the FDA's recent moves in the areas of IoT and wearable devices -- as expressed in its non-binding but widely disseminated guidance documents -- have been influential. However, Fernando noted that with the playing field of the new technologies so vast and unsettled, it's sometimes hard for the agency to keep up.

"They're really in a tough spot," said Fernando, who has served on the FDA Medical Device Interoperability Council. "It's very challenging in this rapidly moving market. They have to balance safety and effectiveness and innovation. It seems clear-cut but sometimes it's not. It's truly a tough balance."

One recent political development has the potential to further alter the health IT landscape. The House of Representatives has approved the so-called 21st Century Cures bill, which would boost FDA funding and ease regulatory hurdles for more advanced medical devices, a prospect that has alarmed safety advocates but pleased vendors.

FDA guidance suggests cybersecurity steps

In the meantime, the FDA has deregulated consumer wellness devices through several guidance statements over the last two years. The agency's policy essentially says that the devices are low risk and do not need FDA approval unless they make specific medical claims.

The agency has also taken a loose approach to oversight of most consumer mobile medical apps, saying it would not enforce stricter standards but reserving discretion to do so if needed.

At the same time, amid growing worries about the security of medical devices and IoT, the FDA last year issued cybersecurity guidance that details best practices for managing them. The cybersecurity policy sets forth basic security standards, such as multifactor authentication, limiting user access, strengthened passwords, layered authorization and breach detection procedures.

While some in law enforcement and health IT think IoT cybersecurity is a big and growing problem in healthcare, Fernando said not only is the FDA guidance on cybersecurity clear, but most reputable providers are following best practices for the security of medical devices.

FDA official outlines health IT policies

In a statement provided to SearchHealthIT, Bakul Patel, associate director for digital health at the FDA's Center for Devices and Radiological Health, said the agency wants to stimulate innovation in health IT, mobile health, general wellness, interoperability and cybersecurity, while also protecting patient safety.

IoT cybersecurity can help protect data collected and disseminated by devices. It can also preserve accurate functioning of devices to ensure they perform reliably, because cyberattacks can damage devices, Fernando and others have noted.

"At the FDA, we are excited that this convergence of medical devices, connectivity and information that encourages patient engagement also holds the potential to provide enhanced care to patients," Patel said. "Our priorities are to continually understand the benefits of such technologies and provide clarity that will facilitate innovation that is in the best interest of public health."

The FDA is collaborating with the Federal Communications Commission and the Office of the National Coordinator for Health Information Technology. Last year, the agencies released a joint health IT report about the risks involved with medical devices and apps.

The report articulates a "risk-based" approach premised on the idea that the risk and corresponding regulation of medical devices and apps should be based on their health IT functionality, not the platforms they reside on; in other words, the agencies formally recognized the legitimacy of devices as platforms for the delivery of digital healthcare.

More to come with clinical decision support software

Some of the guidance documents issued in late 2014 and this year were contained in the FDA's fiscal 2015 "roadmap."

One key topic listed in the roadmap on which the FDA has not yet spoken is medical-device-related clinical decision support software, a growing sector related to IoT that boosts the role of connected devices by tying their use more directly to clinical decisions, Fernando noted.

Fernando said the FDA has already done much work in establishing universal device identifiers for medical devices in IoT applications, but said he expects further clarification.

A welcome next step, Fernando said, would be some kind of tagging of the metadata generated by connected devices that would allow data to be closely tracked as it travels between devices or between devices and networks.

"Doctors are starting to ask, 'Can I trust this data and is this data really from my patient?'" he said.

Let us know what you think about the story or about the security of medical devices; email Shaun Sutner, news and features writer, or contact @SSutner on Twitter.
