Regulating Mobile Apps: Where Do We Draw The Line? - InformationWeek


Government // Mobile & Wireless
02:53 PM
Paul Cerrato

Critics call the FDA a control freak, while others see the agency as a key public health guardian. A recent hacking experiment suggests the latter.

Two recent news stories have drawn attention to an age-old dilemma: If the government lets healthcare vendors remain completely unregulated, unscrupulous companies will take advantage of this freedom and endanger patient safety with their shoddy workmanship. But on the other hand, if the government over-regulates vendors, it stifles innovation and makes it too expensive for some to stay in business.

One story that touched on this issue centers on a new Food and Drug Administration (FDA) draft guidance document outlining the agency's plan to regulate mobile health apps. Specifically, the FDA plans to exercise more oversight of mobile apps that remotely manipulate one or more medical devices. Such apps can control a device by displaying, storing, analyzing, or transmitting patient data. This oversight would apply, for example, to remote displays of data from bedside monitors, ECG waveforms, and medical images generated by a picture archiving and communication system (PACS). The mobile apps might also control blood pressure cuffs and insulin pumps, according to the FDA.

The agency's rationale for this decision is pretty straightforward. As it explains in the draft document, "when standalone software is used to analyze medical device data, it has traditionally been regulated as an accessory to a medical device or as medical device software. As is the case with traditional medical devices, mobile medical apps can pose potential risks to public health."

What kind of risks? If the application is flawed, it can misread data from the hardware device. Or it can send inaccurate data to the device, causing an insulin pump, for instance, to send too much of the hormone into a patient's bloodstream, bringing on life-threatening hypoglycemia.

And then there's always the security threat. Suppose a hacker decides to use a mobile app to reprogram someone's cardiac monitor or remotely adjust his insulin dose. Think it can't happen? During a medical device hacking demonstration earlier this month at the Black Hat conference in Las Vegas, security researcher Jerome Radcliffe broke into his own insulin pump, which he relies on to administer multiple doses of insulin per day. Radcliffe, 33, said he was diagnosed with diabetes at age 22.

Then came the hacking of the medical device hardware itself. Radcliffe reverse-engineered the wireless commands sent from the small controller that ships with his pump and that is used to tell the pump what dosage of insulin to administer. After decoding the communications protocol, Radcliffe was able to program a small radio frequency transmitter (easily available for $100 new or $20 used on eBay) to remotely control his insulin pump. In his demonstration, Radcliffe showed how he used the remote transmitter to administer arbitrary insulin doses and disable the pump.

Hacking the pump wasn't easy, he said, but the fact that he was able to crack the communications at all was due to the wireless link not being properly protected. "There's no passwords, no authentication. All you need is the serial number," Radcliffe told InformationWeek. That's a concern, since the manufacturer of his insulin pump probably reused the technology for other medical devices, such as pacemakers.

Radcliffe said he was in communications with his pump's manufacturer about ways to improve the security of its devices.
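To make concrete the distinction behind Radcliffe's remark that the serial number is all the pump requires, the following is an added illustration written for this page; it is not code from the article, from Radcliffe, or from any device manufacturer, and it models no real protocol. It contrasts a receiver that obeys any frame naming its own serial (a public label value, so identification rather than authentication) with one that accepts a command only when an HMAC over the frame verifies under a per-device pairing key and a monotonically increasing counter rules out replays. The frame layout, the `SET_DOSE` command string, the field separators and the key handling are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: a toy command frame for a wirelessly controlled medical
# device. The layout, field names and key handling are assumptions made for
# illustration, not the protocol of any real pump or controller.

DEVICE_SERIAL = b"SN-000123"   # printed on the device label: public, not a secret
TAG_LEN = 32                   # HMAC-SHA256 tag length in bytes


def weak_accepts(serial: bytes, frame: bytes) -> bool:
    """Serial-only check: the device obeys any frame that names its own serial.

    A serial number identifies the device but proves nothing about the sender;
    it is on the label, the packaging and usually in plain-text telemetry.
    """
    sender_serial, _sep, _cmd = frame.partition(b"|")
    return sender_serial == serial


def build_authenticated_frame(serial: bytes, key: bytes, counter: int, cmd: bytes) -> bytes:
    """Controller side: serial | counter | cmd, followed by an HMAC over all of it."""
    body = b"|".join([serial, str(counter).encode(), cmd])
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedReceiver:
    """Device side: accept a frame only if its tag verifies under the pairing key
    and its counter is strictly greater than the last accepted one (no replay)."""

    def __init__(self, serial: bytes, key: bytes):
        self.serial = serial
        self.key = key            # shared at pairing time, never sent over the air
        self.last_counter = 0

    def accepts(self, frame: bytes) -> bool:
        if len(frame) <= TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Verify the tag in constant time before trusting any field of the body.
        if not hmac.compare_digest(tag, expected):
            return False
        parts = body.split(b"|", 2)
        if len(parts) != 3 or parts[0] != self.serial:
            return False
        try:
            counter = int(parts[1])
        except ValueError:
            return False
        if counter <= self.last_counter:
            return False          # replayed or reordered frame
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run both acceptance checks against the same situations and report the outcomes."""
    pairing_key = secrets.token_bytes(32)   # established at pairing (assumption)
    other_key = secrets.token_bytes(32)     # a controller that was never paired
    rx = AuthenticatedReceiver(DEVICE_SERIAL, pairing_key)

    cmd = b"SET_DOSE 2.0"
    genuine = build_authenticated_frame(DEVICE_SERIAL, pairing_key, 1, cmd)
    unpaired = build_authenticated_frame(DEVICE_SERIAL, other_key, 1, cmd)
    # Same tag, altered body: the body no longer matches the tag.
    tampered = genuine[:-TAG_LEN].replace(b"2.0", b"9.0") + genuine[-TAG_LEN:]

    return {
        # Weak scheme: the label value alone is enough.
        "weak_label_only": weak_accepts(DEVICE_SERIAL, DEVICE_SERIAL + b"|" + cmd),
        "weak_wrong_serial": weak_accepts(DEVICE_SERIAL, b"SN-999999|" + cmd),
        # Authenticated scheme, evaluated in this order.
        "auth_genuine": rx.accepts(genuine),
        "auth_replay": rx.accepts(genuine),                 # identical frame again
        "auth_unpaired_controller": rx.accepts(unpaired),
        "auth_tampered_command": rx.accepts(tampered),
        "auth_next_counter": rx.accepts(
            build_authenticated_frame(DEVICE_SERIAL, pairing_key, 2, cmd)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The receiver checks the tag before it parses the counter or the command, so a frame from an unpaired controller or one whose dose field was altered in transit is discarded without acting on any of its contents; the counter is what turns a captured genuine frame into a one-time message. A keyed tag of this kind is the minimum a regulator reviewing "safe, reliable, and secure" wireless control would expect to see, independent of whether the controller is dedicated hardware or a mobile app.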

The Black Hat demonstration got the attention of Reps. Anna G. Eshoo (D-Calif.) and Edward J. Markey (D-Mass.), both members of the House communications and technology subcommittee. They have asked the Government Accountability Office to review the FCC's approach to medical devices with wireless capabilities to ensure that the devices are "safe, reliable, and secure."

So it seems that at least one portion of the FDA's new guidelines is justified. While this particular hacking demonstration didn't come specifically from a mobile app, there's little doubt that a developer familiar with medical devices could create an application capable of doing much the same thing as Radcliffe did.

If the consequences of such tampering weren't so serious, it could easily serve as the plot for the next sci-fi best seller, in which case the federal government might actually be portrayed as the hero, not something you usually see in popular books and movies.

