Today, more and more people are integrating digital health into their daily lives, from the smartphone app that offers therapeutic techniques for mental health improvement to the wristwatch that counts steps and measures heart rate. In the general consumer context, the benefits tend to outweigh the potential hazards. Users may actively monitor their health data in real time and make better lifestyle choices at minimal risk: if your app incorrectly counts the number of steps because of a software glitch, that hiccup typically does not cause serious physical harm. But when a traditional medical device or pharmaceutical drug integrates digital health components, the product liability risk profile becomes less certain for manufacturers because the consequences of malfunctioning software can be severe.
Take, for example, the Therac 25 radiation-emitting device from the 1980s. Due to software programming errors, the device delivered massive overdoses of radiation, which killed two patients and injured four others. Therac 25 is an extreme example of medical software gone bad, but the app-connected drugs and devices we see on the market today tend to have comparatively limited capabilities. In most cases, the smartphone app works with the medical product's existing functions: the medical product transmits data to the app to enable real-time monitoring of the patient's medical condition.
Several medical device breakthroughs in the digital health space relate to diabetes management. For example, a device (such as a wearable patch) measures a patient's insulin levels, and analytics software processes the data from the device to offer the patient personalized recommendations, ranging from dietary suggestions to insulin dose amounts. A similar breakthrough in the digital pharmaceutical space is a digital ingestion tracking system, in which a tiny sensor in the pill can be used to track and monitor patients' adherence to drug treatment regimens.
Given enthusiastic support of this industry from Congress and FDA, we anticipate that in the near future increasing numbers of companies will offer digital health products with enhanced capability functions. Yet, as laws and regulations catch up with innovation, there remains an open question: how will traditional product liability cases apply to cases involving app-connected devices and drugs? Each case will be highly fact-dependent, and much of the discovery will likely aim to answer some of these threshold questions:
- Who designed the various components of the digital health product?
- What is the nature of the product's defect?
- How did the defect occur? Are these internal defects or external defects, such as a cyberattack on the device?
At a fundamental level, we are seeing changes in the regulatory landscape relating to digital health products. In Section 3060 of the 21st Century Cures Act, Congress amended the definition of a "device" to exclude certain software functions from the statutory definition, such as software for maintaining or encouraging a healthy lifestyle and certain types of clinical decision support software. Section 3060 also provides that when a medical device has multiple functions – i.e., both device and non-device software functions – then FDA is not permitted to regulate the non-device functions, although FDA may assess how the non-device functions impact the safety and effectiveness of the device functions under review.
Consistent with this mandate, FDA launched the Digital Innovation Action Plan in 2017 and is in the process of updating existing guidance documents on various topics, including mobile medical applications and general wellness products. It will be prudent to stay abreast of these regulatory developments, as they will likely impact the development and marketing of future digital health products.
For product liability, the nature of digital health products is what makes it difficult to determine who is liable. When we normally think about a device or a drug in a product liability suit, we imagine a singular, distinct product that directly injures a patient. But some digital health products are actually a system of connected parts, with each component being regulated differently. The device or drug is subject to FDA's oversight, which generally entails compliance with detailed regulatory requirements on testing, manufacturing and labeling. The app software, depending on whether it has device functions under the Cures Act's amended definition of devices, may or may not be subject to FDA's review. And, within this system, there may also be third parties supporting the app's functions, such as a data analytics firm that analyzes the device's raw data and provides personalized feedback to the app.
Significantly, too, each of these components may be designed, tested and/or manufactured in different states. This may lead to a thorny jurisdictional issue: whether the medical product manufacturer may be subject to the app developer's forum. In the aftermath of Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco County, No. 16-466, 582 U.S. ___ (2017), we have seen at least one Pennsylvania state court exercise specific personal jurisdiction over an out-of-state pelvic mesh kit manufacturer based on its collaboration with a local Pennsylvania company in designing and manufacturing the mesh component of the product.1 This issue could play out in different ways in the digital health space, depending on a number of factors, such as the degree of control and oversight the medical product manufacturer has over the design and manufacture of the connecting app and how integrated the app is to the overall functioning of the medical product.
Another potential wrinkle is whether the app's software, if considered separate and apart from the medical product, is actually a "product" or a "service," since product liability principles do not extend to services. Under the Restatement (Third) of Torts, a "product" is defined as "tangible personal property distributed commercially for use or consumption,"2 and courts have reached conflicting conclusions about whether software can be regarded as a tangible product. This analysis may impact whether liability can be shifted from the medical product manufacturer to the software designer, and vice versa.
Cybersecurity threats are also an unavoidable consideration for digital health products. In 2017, FDA recalled over 450,000 pacemakers after identifying a potential vulnerability in the software that would allow hackers to alter programmed settings, which could lead to rapid battery depletion or inappropriate pacing. As part of the recall, the pacemakers had FDA-approved firmware updates installed to correct these software deficiencies. If a hacked digital health product injures a patient, product liability may hinge on whether the medical product manufacturer or the software designer was capable of designing a system that is immune to cybersecurity attacks and to what extent such an alleged "defect" is reasonably foreseeable given the general public's awareness of cybersecurity issues. And, even if routine software updates were provided, the quality of those updates could become an important factor in this analysis.
Ready or not, digital health products are going to evolve and fundamentally change how we use and interact with medical products. We expect there will likely be a growing number of collaborations among digital health startups, app software designers, artificial intelligence firms and drug and medical device companies. Some of the products that are born out of these collaborations may no longer look and feel like a traditional medical product that is prescribed and administered by a doctor. Indeed, over time, such apps will enable patients to have a greater degree of access, control and interaction with their medical products, and that in itself may impact the practice of medicine. This change is coming, and many patients will welcome it and come to expect it as part of treatment. As laws and regulations develop in response to these changes, device and drug manufacturers should be cognizant that digital health products may require a more nuanced approach to product liability cases.