Regulating Mobile Apps: Where Do We Draw The Line?
Critics call the FDA a control freak, while others see the agency as a key public health guardian. A recent hacking experiment suggests the latter.
Two recent news stories have drawn attention to an age-old dilemma: If the government lets healthcare vendors remain completely unregulated, unscrupulous companies will take advantage of this freedom and endanger patient safety with their shoddy workmanship. But on the other hand, if the government over-regulates vendors, it stifles innovation and makes it too expensive for some to stay in business.
One story that touched on this issue centers on a new Food and Drug Administration (FDA) draft guidance document outlining the agency's plan to regulate mobile health apps. Specifically, the FDA plans to exercise more oversight of mobile apps that remotely manipulate one or more medical devices. Such apps can control a device by displaying, storing, analyzing, or transmitting patient data. This oversight would apply, for example, to remote displays of data from bedside monitors, ECG waveforms, and medical images generated by a picture archiving and communication system (PACS). The mobile apps might also control blood pressure cuffs and insulin pumps, according to the FDA.
The agency's rationale for this decision is pretty straightforward. As it explains in the draft document, "when standalone software is used to analyze medical device data, it has traditionally been regulated as an accessory to a medical device or as medical device software. As is the case with traditional medical devices, mobile medical apps can pose potential risks to public health."
What kind of risks? If the application is flawed, it can misread data from the hardware device. Or it can send inaccurate data to the device, causing an insulin pump, for instance, to send too much of the hormone into a patient's bloodstream, bringing on life-threatening hypoglycemia.
And then there's always the security threat. Suppose a hacker decides to use a mobile app to reprogram someone's cardiac monitor or remotely adjust his insulin dose. Think it can't happen? During a medical device hacking demonstration earlier this month at the Black Hat conference in Las Vegas, security researcher Jerome Radcliffe broke into his own insulin pump, which he relies on to administer multiple doses of insulin per day. Radcliffe, 33, said he was diagnosed with diabetes at age 22.
Next came the medical device hardware hacking. Radcliffe reverse-engineered the wireless commands sent from the small controller that ships with his pump, and which is used to tell the pump what dosage of insulin to administer. After decoding the communications protocol, Radcliffe was able to program a small radio frequency transmitter--easily available for $100 new or $20 used on eBay--to remotely control his insulin pump. In his demonstration, Radcliffe showed how he used the remote transmitter to administer arbitrary insulin doses and disable the pump.
Hacking the pump wasn't easy, he said, but the fact that he was able to crack the communications at all was due to its not being properly protected. "There's no passwords, no authentication. All you need is the serial number," Radcliffe told InformationWeek. That's a concern, since the manufacturer of his insulin pump probably reused the technology for other medical devices, such as pacemakers.
Radcliffe said he was in communications with his pump's manufacturer about ways to improve the security of its devices.
The Black Hat demonstration got the attention of Reps. Anna G. Eshoo (D-Calif.) and Edward J. Markey (D-Mass.), both members of the House communications and technology subcommittee. They have asked the Government Accountability Office to review the FCC's approach to medical devices with wireless capabilities to ensure that the devices are "safe, reliable, and secure."
So it seems that at least one portion of the FDA's new guidelines is justified. While this particular hacking demonstration didn't come specifically from a mobile app, there's little doubt that a developer familiar with medical devices could create an application capable of doing much the same thing as Radcliffe did.
If the consequences of such tampering weren't so serious, it could easily serve as the plot for the next sci-fi best seller, in which case the federal government might actually be portrayed as the hero--not something you usually see in popular books and movies.
Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?