Privacy and Cybersecurity

In prior blogs, we’ve discussed the “team” approach being used by federal agencies to regulate consumer products. Last week, the FTC provided further evidence of the government’s collaborative spirit, through the release of a web-based tool designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to their apps.

According to its press release, the FTC developed this guidance tool in conjunction with the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, Office for Civil Rights, and the Food and Drug Administration, with consideration of the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act, and the Federal Food, Drug, and Cosmetic Act.

Continue Reading Federal Agencies Collaborate to Forewarn Mobile Health App Developers of Potentially Applicable Regulations

If your company is involved in consumer-directed health-related mobile apps or Health IT solutions, you may want to join our April 19 webinar on advertising, data privacy, and data security issues raised by such products.

Consumers are increasingly relying on mobile apps and Health IT for a variety of purposes, such as managing their fitness goals, monitoring chronic conditions, monitoring adherence to prescriptions, tracking symptoms, and identifying new health problems ranging from ear infections to autism. As technologies become increasingly sophisticated, the legal framework surrounding them is rapidly developing. At the federal level, the Federal Trade Commission has issued guidelines on compliant advertising and privacy and data security practices for mobile apps; the Food and Drug Administration has issued guidelines on the security of medical devices; the Office of Civil Rights at the Department of Health and Human Services has issued guidance on the application of the HIPAA privacy and security regulations to mobile health apps; and the FTC, FDA and HHS have jointly created a web-based tool to help familiarize mobile app developers with the federal laws and regulations governing their apps. Although few states have yet adopted legislation to protect personal medical data collected and transmitted through new technologies, state regulators have expressed concern regarding the collection, transfer, storage, and dissemination of patient-specific data through such platforms.

As the regulatory environment evolves and becomes more complex, developers as well as providers of back-end services, such as cloud-based storage providers, are finding it critical to stay abreast of legal developments and to contribute to the regulatory process driving those developments. This webinar will explore the emerging law governing advertising and data privacy and security as it relates to consumer-directed mobile apps and Health IT, as a means to help stakeholders stay ahead of the curve. To register, click here.

On March 22, 2016, the FTC called for Congress to pass legislation to deter fraud and medical identity theft in the rapidly growing health IT sector. This suggested legislation is likely the swan song of FTC Commissioner Julie Brill, who will resign from her position at the end of the month.  The FTC has been very aggressive in using its existing authority to initiate enforcement actions regarding data security breaches and related privacy and security issues, but it is now calling for legislation that will strengthen its ability to protect consumers’ privacy by seeking civil penalties for all data security and breach notification violations “in appropriate circumstances.”

In support of such legislation, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, presented testimony before the House Oversight and Government Reform Subcommittees on Information Technology and Health, Benefits, and Administrative Rules, in which she outlined the FTC’s current efforts to protect consumers’ medical data in an increasingly digitized health industry. According to the FTC, many of the entities involved in digitizing healthcare through consumer-facing health products and services are not covered by the Health Insurance Portability and Accountability Act (HIPAA).  However, the FTC has been able to use Section 5 of the FTC Act, which prohibits certain unfair and deceptive practices, to attempt to regulate the data security practices of some of these entities.

The FTC highlighted multiple enforcement actions it has taken against companies that gather, use, and share consumers’ medical data outside of traditional healthcare situations. Specifically, the FTC has successfully prosecuted entities that give consumers’ medical data to third parties without their informed consent, that fail to maintain reasonable and appropriate data security practices, and that falsely represent that their data security practices are secure.

Continue Reading FTC Calls for Congress to Pass Legislation to Address Data Security in the Health Tech Industry

Last week, the FTC issued another reminder of its intent to closely scrutinize the novel technologies embedded in apps and other consumer products to ensure that any data collected by the products is covered by the privacy policy provided with the products to consumers. On March 17, 2016, the FTC issued warning letters to twelve application developers regarding their use of software that monitors a device’s microphone for audio signals in television advertisements.  According to the FTC, the use of such software to collect information about the television-viewing habits of consumers without providing notice or obtaining their consent could constitute an “unfair or deceptive act or practice” in violation of Section 5 of the FTC Act.  Accordingly, companies that elect to use this or similar technologies in the future, without obtaining the requisite consent from consumers, could — under the agency’s theory — be found in violation of the FTC Act and, subsequently, subject to civil and criminal penalties.

The software at issue in the FTC’s recent letters was developed by Indian technology company SilverPush. When installed, the software enables application developers to access SilverPush’s “Unique Audio Beacon” technology, which allows mobile applications to listen to ultrasonic “audio beacons” embedded in television commercials through the device’s microphone — even when the consumer is not actively using the application.  At present, SilverPush claims that its “audio beacons” are not embedded in television advertisements targeting U.S. consumers; nevertheless, the FTC notes that the application developers to whom it sent warnings offer mobile applications containing SilverPush software that appears similar to that which is described above.  According to the FTC, upon downloading the application, the consumer receives no disclosure about the functionality of such software.  The FTC cautions the developers against allowing third parties to monitor the television-viewing habits of consumers through use of the developers’ mobile applications — particularly if a developer’s user interface or privacy policy fails to disclose this information or states or implies the opposite.

The FTC’s action follows on the heels of several other privacy developments related to the use of interconnected smart televisions and mobile devices.  For instance, within the past year-plus, multiple television manufacturers and entertainment companies have been sued in class actions under the Electronic Communications Privacy Act, the Video Privacy Protection Act, and state privacy statutes for the alleged collection and disclosure of consumer viewing habits and other sensitive personal information without consumers’ knowledge or consent.  In one such case, a class of consumers accused a television manufacturer of installing software on its smart televisions — without notice or consent — that tracks and records consumer viewing data, pairs the data with the consumer’s IP address, and transmits the packaged information to a third-party advertising company so it can be sold for marketing purposes.  In other cases, television manufacturers were accused of capturing voice commands through a smart television’s voice recognition software, storing the information, and later transmitting it to third parties.  In each instance, it was alleged that the companies had engaged in “deceptive” acts and practices in violation of Section 5 of the FTC Act because their privacy policies supposedly did not make clear that such information would be collected, stored, and shared with third parties.

Continue Reading FTC to Companies: Inadequate Consumer Privacy Protections Will Be Silver Bullet to SilverPush Technology

Yesterday marked one year since President Obama launched the $215 million Precision Medicine Initiative (“PMI”) to create new and innovative tools healthcare providers can use to tailor disease treatment and prevention to an individual’s unique characteristics.  More than 40 private and public organizations, non-profit groups, academic institutions, and government agencies gathered this week at the White House to announce plans to accelerate the PMI, focusing in large part on the goal of establishing a large national research participant cohort.  The stated mission of the PMI is:

To enable a new era of medicine through research, technology, and policies that empower patients, researchers, and providers to work together toward development of individualized care.

Precision medicine is a healthcare approach that takes into account differences in individuals’ genes, environment, and lifestyle. Advances in precision medicine give healthcare professionals the tools to tailor treatment to, for example, a person’s genetic makeup, which may transform how medicine is practiced.  Although precision medicine is not currently used in the treatment of most diseases, the PMI is helping fund cross-cutting research to allow more widespread use of precision medicine.

A key element of the PMI is the Data Security Policy Principles and Framework (“Data Security Principles”), which is designed to guide organizations participating in PMI-related activities on the basic obligations of protection for personal privacy.  Developed through a broad collaborative process, the Data Security Principles set forth the following goals for each precision medicine organization: 1) to identify the organization’s specific data security risks; 2) to protect critical infrastructure services; 3) to detect any cybersecurity event; 4) to respond to detected cybersecurity events; and 5) to recover from any impairment due to a cybersecurity event.  The Data Security Principles further suggest that every data security plan should: 1) be participant-centric; 2) ensure that data security is adaptable and updatable; 3) identify risks, prescribe evaluation plans, and establish clear and transparent security protocols; 4) control data while providing adequate access; and 5) responsibly maintain data security.  Additionally, the Data Security Principles support the exchange among organizations of data security experiences and challenges in an effort to enhance mutual education and understanding of data security risks and methods of protection.

Continue Reading The Precision Medicine Initiative: One Year After Creation

Recently, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining the agency’s recommendations for Postmarket Management of Cybersecurity in Medical Devices.  The guidance is applicable to medical devices that contain software (including firmware) or programmable logic, as well as software that meets the definition of a medical device.  The guidance does not apply to experimental or investigational medical devices.  Comments on the draft guidance are due by April 21, 2016.

The draft guidance emphasizes that manufacturers should proactively monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.  FDA defines “vulnerability” as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.”  The draft guidance defines “exploit” to mean “an instance where a vulnerability or vulnerabilities have been exercised (accidently or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.”

The draft guidance explains that for a small subset of cybersecurity vulnerabilities and exploits that may compromise “the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death,” the FDA would require medical device manufacturers to notify the agency under 21 CFR 806.10.  This section generally requires device manufacturers to notify FDA in writing within 10 working days of any correction (e.g., repair, modification, adjustment, relabeling) or removal of a device that was initiated to (1) reduce a risk to health posed by the device; or (2) remedy a legal/regulatory violation caused by the device that may present a risk to health.  FDA’s guidance defines “essential clinical performance” to mean “performance that is necessary to achieve freedom from unacceptable clinical risk[], as defined by the manufacturer.”  Thus, FDA explained that manufacturers should “define, as part of risk management, the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria,” taking into consideration the requirements necessary to achieve device safety and effectiveness.

Further, the guidance recommends that the process to assess the cybersecurity risk to a device’s essential clinical performance should consider: (1) the exploitability of the cybersecurity vulnerability; and (2) the severity of the health impact to patients if the vulnerability were to be exploited.  The guidance also recommends that manufacturers evaluate whether the risk to essential clinical performance of the device is controlled (acceptable) or uncontrolled (unacceptable).  In one example, FDA explained that a manufacturer would be required to notify FDA under 21 CFR 806.10 under the following circumstances:

A manufacturer becomes aware of a vulnerability via a researcher that its Class III medical device (e.g., implantable defibrillator, pacemaker, etc.) can be reprogrammed by an unauthorized user.  If exploited, the vulnerability could result in permanent impairment, a life-threatening injury, or death.  The manufacturer is not aware that the vulnerability has been exploited and determines that the vulnerability is related to a hardcoded password, and cannot be mitigated by the device’s design controls.  The risk assessment concludes that the exploitability of the vulnerability is moderate and the risk to the device’s essential clinical performance is uncontrolled.  The manufacturer notifies appropriate stakeholders, and distributes a validated emergency patch.

A hospital reports that a patient was harmed after a medical device failed to perform as intended.  A manufacturer investigation determines that the medical device malfunctioned as a result of exploitation of a previously unknown vulnerability in its proprietary software.  The outcome of the manufacturer’s investigation and impact assessment determines that the exploit indirectly impacts the device’s essential clinical performance and may have contributed to a patient death.  The manufacturer notifies the customer base and user community, and develops a validated emergency patch within 30 days of learning of the vulnerability.  … Because there has been a serious adverse event or death associated with the vulnerability, the manufacturer files a report in accordance with 21 CFR 806.10 to notify FDA and complies with reporting requirements under 21 CFR part 803.

Conversely, for the majority of cases, FDA explains that actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches,” for which the FDA does not require advance notification or reporting under 21 CFR part 806.  The draft guidance defines “cybersecurity routine updates or patches” to mean:

updates or patches to a device to increase device security and/or remediate vulnerabilities associated with controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act.  They include any regularly scheduled security updates or patches to a device, including upgrades to the software, firmware, programmable logic, hardware, or security of a device to increase device security as well as updates or patches to address vulnerabilities associated with controlled risk performed earlier than their regularly scheduled deployment cycle even if they are distributed to multiple units. Cybersecurity routine updates and patches are generally considered to be a type of device enhancement that may be applied to vulnerabilities associated with controlled risk and is not considered a repair.  Cybersecurity routine updates and patches may also include changes to product labeling, including the instructions for use, to strengthen cybersecurity through increased end-user education and use of best practices.

For example, FDA explained that a manufacturer would not be required to notify FDA under 21 CFR 806.10 under the following circumstances:

A device manufacturer receives a user complaint that a recent security software scan of the PC component of a Class III medical device has indicated that the PC is infected with malware.  The outcome of a manufacturer investigation and impact assessment confirms the presence of malware and that the primary purpose of the malware is to collect internet browsing information.  The manufacturer also determined that the malware has actively collected browsing information, but that the device’s essential clinical performance is not impacted by such collection.  The manufacturer’s risk assessment determines that the risk due to the vulnerability is controlled.  Since essential clinical performance was not impacted, the manufacturer can update the product and it will be considered a cybersecurity routine update or patch. … Because the device is a Class III device, the manufacturer should report the changes to the FDA in its periodic (annual) report required for holders of an approved PMA under 21 CFR 814.84.
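The reporting decision the draft guidance describes, run over the three scenarios quoted above, encoded as a small triage function. This is an added example, not FDA's or any manufacturer's code: the `Finding` fields, obligation labels and function names are assumptions, as are the device class and exploitability values the quoted scenarios do not state.

```python
"""Triage of a postmarket medical-device cybersecurity finding, following the
decision structure of the FDA draft guidance summarised above. Added example,
not FDA tooling; the criteria encoded are those the guidance text states."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Exploitability(Enum):
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


class Severity(Enum):
    """Health impact to patients if the vulnerability were exploited."""
    NEGLIGIBLE = "negligible"
    SERIOUS = "serious"      # permanent impairment or life-threatening injury
    DEATH = "death"


@dataclass(frozen=True)
class Finding:
    device_class: int                   # FDA device class: 1, 2 or 3
    exploitability: Exploitability      # factor (1) of the guidance's risk assessment
    severity: Severity                  # factor (2) of the guidance's risk assessment
    impacts_essential_clinical_performance: bool
    # The guidance leaves risk-acceptance criteria to the manufacturer's own
    # risk management, so the controlled/uncontrolled determination is an input.
    risk_controlled: bool
    adverse_event: bool = False         # serious injury or death already occurred


# Obligation labels (constructed for this example).
VALIDATED_PATCH = "develop and deploy a validated patch; notify affected stakeholders"
ROUTINE_UPDATE = "cybersecurity routine update or patch: no 21 CFR part 806 report"
REPORT_806_10 = "notify FDA in writing under 21 CFR 806.10 within 10 working days"
REPORT_PART_803 = "file a medical device report under 21 CFR part 803"
PMA_ANNUAL_REPORT = "record the change in the periodic (annual) PMA report, 21 CFR 814.84"


def is_uncontrolled(f: Finding) -> bool:
    """Uncontrolled (unacceptable) risk in the guidance's sense: the vulnerability
    may compromise essential clinical performance and the residual risk has not
    been judged acceptable by the manufacturer."""
    uncontrolled = f.impacts_essential_clinical_performance and not f.risk_controlled
    # The 806.10 threshold is tied to a reasonable probability of serious adverse
    # health consequences or death, so an uncontrolled finding recorded with
    # negligible severity is internally inconsistent and is rejected.
    if uncontrolled and f.severity is Severity.NEGLIGIBLE:
        raise ValueError("uncontrolled risk recorded with negligible health impact")
    return uncontrolled


def triage(f: Finding) -> list[str]:
    """Return the postmarket actions the guidance structure implies for a finding."""
    obligations = [VALIDATED_PATCH]
    if is_uncontrolled(f):
        obligations.append(REPORT_806_10)
    else:
        obligations.append(ROUTINE_UPDATE)
        if f.device_class == 3:         # PMA holders report routine changes annually
            obligations.append(PMA_ANNUAL_REPORT)
    if f.adverse_event:                 # part 803 applies regardless of the 806 outcome
        obligations.append(REPORT_PART_803)
    return obligations


def guidance_examples() -> dict[str, Finding]:
    """The three scenarios quoted from the draft guidance, as Finding records.
    Values the guidance does not state (device class of the second scenario,
    exploitability of the second and third) are assumptions and do not change
    the outcome."""
    return {
        # Class III implantable with a hardcoded password; not known exploited.
        "hardcoded_password": Finding(3, Exploitability.MODERATE, Severity.DEATH,
                                      impacts_essential_clinical_performance=True,
                                      risk_controlled=False),
        # Exploited; may have contributed to a patient death.
        "exploited_with_death": Finding(2, Exploitability.HIGH, Severity.DEATH,
                                        impacts_essential_clinical_performance=True,
                                        risk_controlled=False, adverse_event=True),
        # Browsing-data malware on the PC component of a Class III device.
        "pc_malware": Finding(3, Exploitability.HIGH, Severity.NEGLIGIBLE,
                              impacts_essential_clinical_performance=False,
                              risk_controlled=True),
    }
```

Calling `triage()` on each record in `guidance_examples()` reproduces the outcome the guidance gives for that scenario: an 806.10 notification for the first two (plus a part 803 report for the second) and a routine update recorded in the annual PMA report for the third.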

The draft guidance goes on to explain that it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including but not limited to complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)) and servicing (21 CFR 820.200).  The draft guidance explains that such programs should emphasize addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety.  FDA recommends that critical components of such a program should include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

FDA’s new draft guidance outlines in greater detail each of the recommendations and considerations manufacturers should incorporate into their postmarket cybersecurity risk management programs.

The draft guidance comes roughly one month after FDA announced that it would be convening a workshop on device cybersecurity on January 20-21, 2016, for which FDA also released supporting materials.

The draft guidance also comes several months after FDA issued what appeared to be its first public Safety Communication about cybersecurity vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems.  The Office of the Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) also included in its 2016 Work Plan a review of FDA’s oversight of hospitals’ networked medical devices and their cybersecurity.

Prior to this draft guidance, FDA issued guidance on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which outlines when manufacturers should consider cybersecurity during the design phases of the medical device lifecycle.  FDA’s new draft postmarket guidance reiterates that manufacturers address cybersecurity “throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.”  Further, FDA recognized that the issuance of its new draft guidance is consistent with Executive Order 13636 – Improving Critical Infrastructure Cybersecurity, issued by the President in February 2013, which emphasizes the need for stakeholders in the Healthcare and Public Health Critical Infrastructure Sector to enhance cybersecurity measures.

As we enter this new era of medical device cybersecurity, it will be incumbent upon medical device manufacturers and related stakeholders to assess FDA’s recent guidance and begin evaluating necessary changes and enhancements.

On December 18, 2015, President Obama signed a $1.1 trillion Omnibus spending bill. Among many other things in its 2,009 pages, the bill mandates the creation of a Healthcare Industry Cybersecurity Task Force. The Task Force must be established within 90 days of the bill’s enactment, which is March 17, 2016. Given the fact that the healthcare industry is increasingly a target for hackers, the creation of the task force should be welcome news.

Many, including the Washington Post, dub 2015 as “the year of the health-care hack.” While it is believed that there were over 730 data breaches this year, the seven largest hacks exposed personal records and data corresponding to roughly 193 million people. Over one-third of the breaches — 259 — occurred in the health care sector. Three of the seven largest breaches pertained to covered healthcare entities with large amounts of Americans’ protected health information. Healthcare data hacks are particularly troublesome given the sensitivity of the stolen data. Health data often involves highly personal and private information, including data pertaining to children and minors. Individuals whose medical information has been stolen can be at increased risk for identity theft and medical fraud, causing them not only financial harm, but potentially physical harm as well.

Section 405(c) of the bill requires the Secretary of Health and Human Services (“HHS”) to convene the Task Force in consultation with the Director of National Institutes of Standards and Technology (“NIST”) and the Secretary of Homeland Security (“DHS”). The Task Force will include healthcare industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary deems appropriate to include. In accordance with the bill’s instructions, the Task Force will operate for one year following its creation.

Continue Reading Congress Directs HHS to Convene a Cybersecurity Task Force

This holiday season, be careful while toy shopping for your children.  Increasingly, hackers are targeting information stored in Internet-connected toys. For example, an unauthorized party accessed VTech’s Learning Lodge, a database that allows customers to download educational content to their VTech products, uncovering confidential names, birthdays and genders of more than 6.3 million children. In addition, a Bluebox report found that Mattel’s talking Hello Barbie, an interactive doll, may have a security flaw in its software allowing hackers to steal personal information.

The research suggests that Internet-connected toys are an easy target for hackers because companies design the toys to store excessive personal information without adequate protection. Despite the privacy and security measures that software developers install in toys, security researchers contend that the quality of the technology may be inferior. Other unconventional consumer devices such as baby monitors that contain a simple, password-protected computer are also on hackers’ hit list.

The ease with which hackers can defeat the privacy and security measures installed in household devices suggests that no device is ultimately free from the risk of data breach, including robotic medical devices for children and the sick elderly. Robotic medical devices store and manipulate highly confidential health data to provide treatment or diagnostic information. For example, PARO, an interactive robotic seal, is regulated by FDA for use in dementia and Alzheimer’s disease patients. The robotic seal responds to tactile, light, auditory, temperature, and posture sensors to simulate social interaction and provide emotional support.

FDA has already raised concerns about cybersecurity risks for medical devices. It is important that medical device manufacturers and developers take steps to address and preempt future data breaches. Processes must be in place to ensure that the device’s software is properly equipped to withstand hacker attacks. This may include strong encryption and multiple levels of defense.

Earlier this week, the U.S. Food and Drug Administration (FDA) announced that it would be hosting a two-day Public Workshop entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.”

The workshop will be hosted at FDA on January 20-21, 2016, from 9:00 am – 5:30 pm.  The agenda for the meeting has not yet been posted.

FDA will host the meeting in collaboration with the National Health Information Sharing and Analysis Center (NH-ISAC), the Department of Health and Human Services (HHS), and the Department of Homeland Security (DHS).  The agencies are seeking to bring together diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem.  The purpose of this workshop is to:

  • Highlight past collaborative efforts;
  • Increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development; and
  • Engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.

Continue Reading FDA Looking at Gaps in the Cybersecurity of Medical Devices

Cybersecurity (or the perceived lack of it) is a growing source of anxiety for the healthcare and technology industries. A development last Friday, in which an administrative law judge dismissed the Federal Trade Commission (FTC)’s complaint against diagnostic laboratory LabMD, may be a welcome relief for companies in the healthcare sector.  The decision is the culmination of more than two years of litigation stemming from FTC’s August 2013 complaint alleging that LabMD had engaged in unfair and deceptive trade practices by “fail[ing] to provide reasonable and appropriate security for personal information on its computer networks.”  On November 13, 2015, an FTC administrative law judge found that LabMD’s conduct did not constitute an unfair trade practice under Section 5 of the FTC Act, because the FTC had not proven that LabMD’s action “cause[d] or is likely to cause substantial injury to consumers.”

For companies facing similar legal cases, this decision is an important reminder that the government must meet its burden of proof. But the unique circumstances of the case are a cautionary tale for companies.

The FTC’s case was based on two “security” incidents, one in which a spreadsheet of patient insurance information was found on a peer-to-peer file sharing network, and another where the Sacramento Police Department found LabMD documents, including names, Social Security numbers, and bank account information, in the possession of identity thieves. But the case was plagued by concerns and questions about the reliability of the evidence.  According to documents filed in the proceedings, the company that initially discovered the spreadsheet on the peer-to-peer network repeatedly solicited LabMD, offering investigative and remediation services about the data breach, and was later found to have fabricated the files that were shared with the FTC.  Moreover, the Sacramento Police Department contacted the FTC about the files it found only after learning that LabMD was already under investigation.

Continue Reading FTC Loses Case Involving Security of Laboratory’s Customer Data