Kaye Scholer Counsel Helen Christakos, whose practice areas include intellectual property, technology and data security, discusses the U.S. Food and Drug Administration's recent decision not to closely regulate so-called general wellness products such as fitness-related calorie consumption and heart rate monitors.
From watches and apps that measure users' heart rate and fitness goals to contact lenses that monitor glucose levels and hats that monitor calorie consumption, new wearable gizmos have created gray areas in cybersecurity regulation. The U.S. Food and Drug Administration recently released two sets of guidelines to help clarify which devices it will regulate from a cybersecurity perspective.
On Oct. 2, 2014, the FDA issued a final guidance called “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” [1] to encourage medical device [2] manufacturers to consider cybersecurity risks in the design and development of their medical devices and so minimize the risk to patients and consumers from cybersecurity incidents. [3] And, on Jan. 20, 2015, it issued “General Wellness: Policy for Low Risk Devices, Draft Guidance for Industry and Food and Drug Administration Staff.” [4] Together, these guidelines indicate that the FDA will not regulate general wellness devices but will regulate medical devices (both as defined below).
This commentary helps companies assess whether their goods are general wellness products (which the FDA does not currently regulate) or medical devices (for which the FDA recommends cybersecurity by design), and helps companies developing medical devices determine what steps they should take to comply with the FDA's recommendations.
FDA's medical device guidelines
The FDA states in the medical device guidelines that manufacturers should consider cybersecurity while designing medical devices, including the following:
- Identification of assets, threats and vulnerabilities.
- Assessment of the impact of threats and vulnerabilities on device functionality and on end users/patients.
- Assessment of the likelihood of a threat and of a vulnerability being exploited.
- Determination of risk levels and suitable mitigation strategies.
- Assessment of residual risk and risk acceptance criteria.
The FDA further recommends that medical device manufacturers use the following cybersecurity framework to guide their device development. [5]
Identify
Some medical devices create more risk of cybersecurity incidents than others because of their design and intended uses. Companies should consider the following to determine the level of risk involved for their device:
- Medical devices capable of connecting to another device, the Internet or other network or to portable media (such as USB or CD) are more vulnerable to cybersecurity threats than non-connected devices.
- The extent to which security controls are needed depends on the device's intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood that a vulnerability will be exploited and the probable risk of patient harm from a cybersecurity breach.
Protect and detect
Once companies have identified the level of risk for their devices, they should develop a plan for detecting security compromises and protecting consumers. The FDA recommends companies consider the following:
- Balance cybersecurity safeguards against the usability of the device in its intended environment (e.g., home vs. hospital), and make sure the controls are appropriate to the users.
- Provide justification in premarket submissions for the security functions chosen for the device.
- Limit access to trusted users only:
  - Authenticate users (e.g., user ID and password, smartcard, biometric).
  - Use timed methods to terminate sessions.
  - Use a layered authorization model: different users get different privileges based on their role.
  - Avoid “hardcoded” passwords or common words that are the same for each device; limit public access to passwords.
  - Use physical locks on devices.
  - Require user authentication or other controls before permitting software or firmware updates.
- Ensure trusted content:
  - Restrict software or firmware updates to authenticated code (e.g., signature verification).
  - Use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer.
  - Ensure the capability of secure data transfer to and from the device and, when appropriate, use encryption.
- Implement features that allow for security compromises to be detected.
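The “limit access” and “ensure trusted content” controls above, combined into one device-side update path, as an added example that is not part of the original commentary or of any FDA material. The Go program below assumes a hypothetical firmware container (a version number plus payload, signed with Ed25519 by the manufacturer), a session object issued after authentication that carries a role and an expiry time, and a device that stores only the manufacturer's public key and its installed version. The role names, error values, session lifetime and sample payloads are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Role is the privilege level of an authenticated user (layered authorization).
// The three roles are assumed for this example.
type Role int

const (
	RolePatient   Role = iota // may view readings only
	RoleClinician             // may change therapy settings
	RoleServicer              // may install firmware updates
)

// Session is issued after authentication and expires on its own (timed termination).
type Session struct {
	User    string
	Role    Role
	Expires time.Time
}

// FirmwareImage is a hypothetical update container: a version number and a payload,
// both covered by an Ed25519 signature made with the manufacturer's signing key.
type FirmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// Device holds what a real device would keep in tamper-resistant storage: the
// manufacturer's public key (no private or shared secret lives on the device,
// so there is nothing "hardcoded" to extract) and the installed version.
type Device struct {
	VendorPub ed25519.PublicKey
	Version   uint32
}

var (
	ErrSessionExpired = errors.New("session expired: re-authenticate")
	ErrNotPermitted   = errors.New("role not permitted to update firmware")
	ErrBadSignature   = errors.New("firmware signature invalid: update rejected")
	ErrRollback       = errors.New("firmware version not newer than installed: update rejected")
)

// signedBytes is the exact byte string that is signed: version (big-endian) || payload.
// Binding the version into the signature stops an attacker from relabelling an old,
// validly signed image as a newer one.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// NewVendorKeys generates the manufacturer's signing key pair. In practice this is
// done once, offline, in the build system; here it runs in-process for the example.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignFirmware is the manufacturer-side step: produce a version-identifiable, signed image.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

// Authorize checks that the session is still live and that its role is at least `required`.
func Authorize(s Session, now time.Time, required Role) error {
	if !now.Before(s.Expires) {
		return ErrSessionExpired
	}
	if s.Role < required {
		return ErrNotPermitted
	}
	return nil
}

// ApplyUpdate is the device-side step. Every check runs before any state changes:
// authenticated, sufficiently privileged user; valid manufacturer signature; newer version.
func (d *Device) ApplyUpdate(s Session, now time.Time, img FirmwareImage) error {
	if err := Authorize(s, now, RoleServicer); err != nil {
		return err
	}
	if !ed25519.Verify(d.VendorPub, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= d.Version {
		return ErrRollback
	}
	d.Version = img.Version // a real device would now write img.Payload to flash
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	dev := &Device{VendorPub: pub, Version: 1}
	now := time.Now()
	tech := Session{User: "svc-tech", Role: RoleServicer, Expires: now.Add(10 * time.Minute)}
	nurse := Session{User: "rn", Role: RoleClinician, Expires: now.Add(10 * time.Minute)}

	good := SignFirmware(priv, 2, []byte("constructed firmware v2")) // constructed sample payload
	tampered := good
	tampered.Payload = []byte("constructed firmware v2 + backdoor")

	fmt.Println("nurse applies v2:", dev.ApplyUpdate(nurse, now, good))  // role not permitted
	fmt.Println("tampered image:", dev.ApplyUpdate(tech, now, tampered)) // signature invalid
	fmt.Println("signed v2:", dev.ApplyUpdate(tech, now, good))          // <nil>, installed
	fmt.Println("replay of v2:", dev.ApplyUpdate(tech, now, good))       // rollback rejected
}
```

The order of the checks is the point: the session is verified before any byte of the image is trusted, the signature covers the version as well as the payload so a validly signed old image cannot be relabelled as newer, and no device state changes until every check passes. The rollback check is what makes the “version-identifiable” recommendation enforceable on the device itself rather than only a convention of the download procedure.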
Respond and recover
The FDA recommends that companies take the following proactive steps so that they are prepared if their devices are subject to a cybersecurity event:
- Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event.
- Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised.
- Provide methods for retention and recovery of device configuration by an authenticated user.
These medical device guidelines are not legally enforceable and should be viewed as recommendations for companies that make wearable devices and medical devices. That said, companies failing to implement them may experience problems with premarket submissions (such as the FDA requiring additional materials, which triggers multiple rounds of review) and may ultimately be unable to obtain 510(k) clearance.
FDA's general wellness device guidelines
The FDA created a carve-out from these suggestions for “general wellness products” (defined below). The FDA stated in the general wellness device guidelines that it will not regulate general wellness products, and that they are not subject to premarket notification (510(k)) requirements, registration, labeling requirements, good manufacturing practice requirements or medical device reporting requirements.
The general wellness device guidelines define a “general wellness product” as a product that has “(1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or (2) an intended use claim that associates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.”
General wellness products exclude devices presenting inherent risks to a user's safety, including devices that are invasive, that involve an intervention or technology that may pose a risk to a user's safety if device controls are not applied (e.g., lasers, radiation exposure or implants), that raise novel questions of usability, or that raise questions of biocompatibility. [6]
Products maintaining or encouraging a general state of health
Devices fall within the first prong of the general wellness product definition (i.e., products that maintain or encourage a general state of health or a healthy activity) only if they make no reference to diseases or conditions. The first category of general wellness claims relates to:
- Weight management.
- Physical fitness, including products intended for recreational use.
- Relaxation or stress management.
- Mental acuity.
- Self-esteem (i.e., devices with a cosmetic function that make claims related only to self-esteem).
- Sleep management.
- Sexual function. [7]
Products in the following categories, or that make the following performance claims, are specifically excluded from the first prong of the definition of general wellness products:
- Treat or diagnose obesity.
- Treat an existing eating disorder, such as anorexia.
- Treat anxiety.
- A computer game that diagnoses or treats autism.
- Treat muscle atrophy or erectile dysfunction.
- Restore a structure or function impaired due to a disease (such as a prosthetic device that enables amputees to play basketball).
Associating healthy lifestyle with helping reduce chronic diseases or conditions
The second prong of the general wellness product definition (products that have a use claim associating the role of a healthy lifestyle with helping to reduce the risk of certain diseases or conditions) includes products that may help to reduce the risk of certain chronic diseases or conditions and products that may help users live well with certain chronic diseases or conditions. In both cases, the claim that healthy lifestyle choices may play an important role in health outcomes should be widely and generally accepted (e.g., in peer-reviewed scientific publications).
What must your company do to comply?
Identify whether your company's offering is a device or a general wellness product
Given the transformative nature of many wearable gizmos and medical devices in development and on the market, it may be difficult to determine whether an item falls within the general wellness product exception and is therefore exempt from the FDA's suggestions. In addition to the guidance above, the general wellness device guidelines provide a decision algorithm that asks questions about the device to determine whether it falls within the general wellness product exception.
Companies should also consider whether the Center for Devices and Radiological Health regulates products of the same type as the product in question. The CDRH applies special controls to certain device types that can cause injury or trauma to patients, and such devices would not be considered low-risk or general wellness products. If it still is not clear, the company should ask the FDA to provide an opinion as to whether the product falls within the general wellness product exception.
For both wearable gizmos and medical devices, identify other laws that may apply
The medical device guidelines are the tip of the iceberg with respect to privacy and data security law compliance. A thorough analysis should be done to determine which laws may apply. Start by considering whether your business collects, uses, processes, stores or has access to confidential information. If so, determine whether it is employee data, patient data, customer data or data from a third-party organization, and whether the confidential information is primarily intellectual property or other data. Once you complete this assessment, you can identify which laws may apply.
Provide the following information with premarket submissions for medical devices
As already stated, the medical device guidelines are not enforceable; however, a company's failure to implement them may result in its inability to receive 510(k) clearance. The FDA recommends that device makers provide the following documentation with their submissions: [8]
- Design considerations pertaining to intentional and unintentional cybersecurity risks:
  - A list of cybersecurity risks that were considered in the device design.
  - A list of, and justification for, all cybersecurity controls that were created for the device.
- A matrix linking cybersecurity controls to the cybersecurity risks that were considered.
- Plan for providing validated software updates throughout the lifecycle of the device.
- Controls in place that assure the medical device software will be free of malware and similar compromise from the point of origin to the point at which the device leaves the manufacturer's control.
- Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (antivirus software, firewall, etc.).
Originally appeared in Westlaw Journal Medical Devices on July 16, 2015.