It has been almost a year since the European Commission published a final draft of a Code of Conduct on privacy for mHealth mobile applications (the “Code”). Our previous post summarizes the draft and its application to app developers. However, we noted that the Article 29 Working Party (the “WP29”), an independent advisory body comprised
The U.S. Food and Drug Administration (FDA) issued a Warning Letter on April 12, 2017 requiring an explanation of how St. Jude Medical plans to correct and prevent cybersecurity concerns identified for St. Jude Medical’s Fortify, Unify, Assura (including Quadra) implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, and the Merlin@home monitor.
The Warning Letter…
The European Medicines Agency (“EMA”) recently set up a task force, along with the national competent authorities in the EEA, to analyze how medicines regulators in the EEA can use big data to better develop medicines for humans and animals. This follows a workshop in November last year to identify opportunities for big data…
2017 has started with a bang on the data protection front. There have been several developments these past few months, ranging from updates on the new EU General Data Protection Regulation (“GDPR”), coming into force in May 2018, to the establishment of a Swiss-EU Privacy Shield. In relation to mHealth specifically, the Code of Conduct…
Published in Privacy & Cybersecurity Law Report’s April 2017 issue.
In the closing days of last year, the FDA issued its final guidance on postmarket medical device cybersecurity. This guidance is a corollary to the previously issued final guidance on premarket cybersecurity issues, and the pre and post market pieces should be read, and fit,…
On January 23, 2017, the FTC released a long-awaited report regarding the increased incidence of cross-device tracking. The report, which follows a November 2015 FTC workshop on cross-device tracking, sheds light on the privacy concerns raised by the practice and alerts companies engaged in cross-device tracking to certain best practices for avoiding potential violations of…
On November 28, 2016, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a rare alert warning the public of an email scam masquerading as an official OCR audit communication. The alert addresses an emerging “phishing” scheme that targets employees of HIPAA covered entities and their business associates in…
Part 4 of this webcast series explores the emerging law governing advertising and data privacy and security as it relates to consumer-directed mobile apps and Health IT, as a means to help stakeholders stay ahead of the curve.
On August 25, 2016, investment firm Muddy Waters Capital issued a report claiming that St. Jude Medical’s implantable cardiac devices are susceptible to cybersecurity attacks, allegedly putting more than 260,000 individuals in the U.S. at risk. St. Jude strongly rejected the report and disputed the alleged security risks of its devices.
The report claims that MedSec Holdings Ltd., a cybersecurity firm, was able to demonstrate two types of cyberattacks on St. Jude’s implantable cardiac devices. The first type of attack — a “crash” attack — enables a hacker to remotely disable cardiac devices, and in some cases, cause the cardiac device to pace at a dangerous rate. The second type of attack — a battery drain attack — remotely runs cardiac device batteries down to 3% of capacity within a 24-hour period. However, the report concludes that patients’ personal health information appears to be safe as the report states that patient data is encrypted.
The report attributes the devices’ cybersecurity risks to security deficiencies in accessories to the implantable devices, including devices located in physician offices that display data from the implanted devices, the network that manages and transmits data, and the at-home device, which communicates with the implanted device via radio frequency within a 50-foot range. Exploiting some of the alleged deficiencies requires an attacker to have access to device accessory hardware or to be within 50 feet of the target(s).
Last week, the U.S. Food and Drug Administration (FDA) released a draft guidance entitled “Dissemination of Patient-Specific Information from Devices by Device Manufacturers,” which is intended to “clarify that manufacturers may share patient-specific information recorded, stored, processed, retrieved, and/or derived from a medical device with the patient who is either treated or diagnosed with that specific device.” Such sharing, the FDA believes, “will empower patients to be more engaged with their healthcare providers in making sound medical decisions.”
The draft guidance is timely. Individuals are increasingly using wearable mobile technologies (e.g., trackers, fitness watches, etc.), as well as mobile medical applications and related health software. Many wearable technology manufacturers are facing increased scrutiny and litigation about the reliability of their products’ assessments (e.g., sleep or exercise trackers). And there is considerable concern about the security of patient-specific information on such devices.
The draft guidance defines “patient-specific information” to mean “any information unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of a medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device.” Such information may include, but is not limited to:
- recorded patient data;
- device usage/output statistics;
- healthcare provider inputs;
- incidence of alarms; and/or
- records of device malfunctions or failures.