Privacy and Cybersecurity

It has been almost a year since the European Commission published a final draft of a Code of Conduct on privacy for mHealth mobile applications (the “Code”). Our previous post summarizes the draft and its application to app developers. However, we noted that the Article 29 Working Party (the “WP29”), an independent advisory body comprised

The U.S. Food and Drug Administration (FDA) issued a Warning Letter on April 12, 2017 requiring an explanation of how St. Jude Medical plans to correct and prevent cybersecurity concerns identified for St. Jude Medical’s Fortify, Unify, Assura (including Quadra) implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, and the Merlin@home monitor.

The Warning Letter

Published in Privacy & Cybersecurity Law Report’s April 2017 issue.

In the closing days of last year, the FDA issued its final guidance on postmarket medical device cybersecurity. This guidance is a corollary to the previously issued final guidance on premarket cybersecurity issues, and the pre and post market pieces should be read, and fit,

On January 23, 2017, the FTC released a long-awaited report regarding the increased incidence of cross-device tracking. The report, which follows a November 2015 FTC workshop on cross-device tracking, sheds light on the privacy concerns raised by the practice and alerts companies engaged in cross-device tracking to certain best practices for avoiding potential violations of

On November 28, 2016, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a rare alert warning the public of an email scam masquerading as an official OCR audit communication. The alert addresses an emerging “phishing” scheme that targets employees of HIPAA covered entities and their business associates in

On August 25, 2016, investment firm Muddy Waters Capital issued a report claiming that St. Jude Medical’s implantable cardiac devices are susceptible to cybersecurity attacks, allegedly putting more than 260,000 individuals in the U.S. at risk.  St. Jude strongly rejected the report and disputed the alleged security risks of its devices.

The report claims that MedSec Holdings Ltd., a cybersecurity firm, was able to demonstrate two types of cyberattacks on St. Jude’s implantable cardiac devices. The first type of attack — a “crash” attack — enables a hacker to remotely disable cardiac devices and, in some cases, cause the cardiac device to pace at a dangerous rate. The second type of attack — a battery drain attack — remotely runs cardiac device batteries down to 3% of capacity within a 24-hour period. However, the report concludes that patients’ personal health information appears to be safe, as it states that patient data is encrypted.

The report argues that the cybersecurity risks of the devices are due to security deficiencies in accessories to the implantable devices, including devices located in physician offices that display data from the implanted devices, the network that manages and transmits data, and the at-home device that communicates with the implanted device via radio frequency within a 50-foot range. Some of the alleged deficiencies require attackers to have access to device accessory hardware or to be within 50 feet of the target(s).


Last week, the U.S. Food and Drug Administration (FDA) released a draft guidance entitled “Dissemination of Patient-Specific Information from Devices by Device Manufacturers,” which is intended to “clarify that manufacturers may share patient-specific information recorded, stored, processed, retrieved, and/or derived from a medical device with the patient who is either treated or diagnosed with that specific device.”  Such sharing, the FDA believes, “will empower patients to be more engaged with their healthcare providers in making sound medical decisions.”

The draft guidance is timely. Individuals are increasingly using wearable mobile technologies (e.g., trackers, fitness watches, etc.), as well as mobile medical applications and related health software.  Many wearable technology manufacturers are facing increased scrutiny and litigation about the reliability of their products’ assessments (e.g., sleep or exercise trackers).  And there is considerable concern about the security of patient-specific information on such devices.

The draft guidance defines “patient-specific information” to mean “any information unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of a medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device.” Such information may include, but is not limited to:

  • recorded patient data;
  • device usage/output statistics;
  • healthcare provider inputs;
  • incidence of alarms; and/or
  • records of device malfunctions or failures.
