Software as a medical device: How HIPAA security paves way for FDA classification

No matter the application’s purpose, one that is developed or tweaked under FDA guidelines is one ready for prime time.

Broadly defined, software as a medical device is any application used by providers to make clinical decisions. An increasing number of applications are now officially designated as FDA-regulated devices. Is it worth it to pursue this classification for your own software?

If your objective is to make it an indispensable tool in the healthcare and life sciences industries, there’s a decided market advantage to entering the regulated medical device arena. What’s more, work you’ve done to date to achieve compliance with another set of controls – the HIPAA Security Rule – can be applied to obtaining the FDA classification.

On that note, be aware that the FDA has three tiers of classification for medical devices, each based on intended use of the application and the risk the application poses to patients or users.

This article is concerned with FDA Class I, the tier reserved for low-risk devices, and therefore, subjected to the least amount of regulation. All Class 1 devices must, however, conform to certain requirements, including annual registration with the FDA, careful product labels and descriptions on both the product and accompanying sales and marketing literature, and other regulations.

The upside of FDA scrutiny
There are a number of reasons – all good ones – why software companies would willingly jump through the necessary hoops to obtain FDA classification.

First, large integrated health networks increasingly need FDA classification for the applications they use to make medical decisions. It makes life a lot easier for them, especially from a legal standpoint, if these apps are cleared for FDA approval.

Healthcare is also entering an unprecedentedly collaborative era, with a proliferation of joint projects concerned with testing new innovations and technologies. The market for a promising new product could be bigger with FDA classification.

There’s also the matter of software taking an ever more important role in healthcare. From analytics to radiation dose monitoring, healthcare today relies on a broad range of applications. For many of these apps, FDA classification is or will become a mandate. Vendors that get ahead of this now will be better positioned than those that have to rush to catch up.

Some may be wondering if this includes consumer-focused apps, such as personal health tracking and coaching products. As it happens, in early 2015 the FDA released a report of exempt mobile apps. However, should vendors market or intend these apps as a means for diagnosing, curing or preventing diseases, the FDA will consider them non-exempt from regulation.

HIPAA compliance – a springboard to FDA Class I
No matter the application’s purpose, one that is developed or tweaked under FDA guidelines is one ready for prime time. But how much work are vendors really looking at to get there? No doubt, even for Class I, the requirements are rigorous.

The good news is that an application designed to comply with the technical safeguards of the HIPAA Security Rule has a head start for some FDA Class 1 domains. Both sets of controls address configuration management, for example, along with monitoring and physical environmental security. And adherence to security and privacy will only grow in importance as hackers increase their targets to include medical devices and medical device software.

But what if you suspect your application isn’t secure at all, or lacks basic privacy features? How do you step up your security and privacy game, without making the road to FDA classification even longer? The quickest – and increasingly safest – route is to bring in expertise.

Many healthcare organizations and the vendors who serve them are turning to “cloud” managed services partners for a broad set of security and privacy services. These can span from an initial risk assessment of the IT infrastructure that houses your applications, to privacy impact and software development lifecycle assessments, to ongoing, managed hosting of this infrastructure within a cloud environment that exceeds HIPAA, GAPP and other security and privacy controls.

It should be emphasized that vendors need to secure their applications regardless of whether or not they obtain FDA classification. There are too many breaches today and too much at stake when these breaches occur. That said, if you’re ready to pursue FDA Class I, migrating your app to a HIPAA-compliant managed cloud can jumpstart your path.

About the Author
Chris Bowen is founder and chief privacy and security officer at ClearDATA. He is a Certified Information Privacy Professional, Certified Information Systems Security Professional and Certified Information Privacy Technologist.