Software-powered medical devices play an increasingly central role in patient care. For many of the software applications that run on these devices, FDA classification is, or will soon become, a mandate — and vendors that get ahead of this now will be better positioned than those that have to rush to catch up. That said, the requirements may not be easy for many vendors. Even to achieve FDA Class 1 tier reserved for low-risk devices and applications, requirements include annual registration with the FDA, careful product labeling and use of marketing language, and a number of security and privacy mandates. These last two areas may trip vendors up who have never before encountered the many layers required to protect the personal health data that will pass through their apps. It’s a significant undertaking that will sidetrack — and ultimately sideline — the unprepared vendor. The good news is that an application designed to comply with the HIPAA Security and Privacy Rule has a notable head start for some FDA Class 1 domains. This, in turn, can be accomplished to a great extent by hosting your application within a health care-exclusive, HIPAA-compliant data center.
Access to managed services at a manageable operating expense
Many health care organizations and the vendors who serve them are turning to “cloud” managed services partners for a broad set of security and privacy services. These services are typically delivered within a top-tier data center, by professionals in health care IT security and privacy. The many services they offer can span from an initial risk assessment of the current IT infrastructure that houses your applications, to privacy impact and software development life cycle assessments, to ongoing, managed hosting of this infrastructure within a cloud environment that exceeds HIPAA, GAPP and other security and privacy controls.
Note that the investment in this fortress-like environment was made by someone else. All of its capabilities and assets, from data hosting to professional IT expertise, is available on a pay-as-you-go model, much like a monthly utility bill. In other words, vendors pay only for what they need. In the case of making medical software secure and private to FDA and HIPAA standards, this can include services where there is considerable overlap between the two sets of controls.
Both FDA Class 1 and HIPAA address configuration management, for example, which assures (among other responsibilities) that vendor-supplied credentials are changed to unique passwords. This is routine work for managed data services experts, who can also facilitate other change-driven activities, such as a secure transition of valuable data to new systems and integration of multiple databases. Monitoring and physical environmental security are another two areas where FDA Class 1 and HIPAA converge. Managed data services in the cloud can include real-time monitoring, intrusion detection and prevention, data encryption and regular scans to detect new compliance risks. As for physical security, few commercial buildings are more secure in these modern times than a top-tier data center, from perimeter security to biometric authentication requirements for internal staff.
The security and privacy mandate
There are a number of reasons — all good ones — why software companies would willingly jump through the necessary hoops to obtain FDA classification. Large integrated health networks increasingly need FDA classification for the applications they use to make medical decisions. It makes life a lot easier for them, especially from a legal standpoint, if these apps are cleared for FDA approval. Health care is also entering an unprecedentedly collaborative era, with a proliferation of joint projects concerned with testing new innovations and technologies.
The market for a promising new product could be bigger with FDA classification. It should be emphasized, however, that vendors need to secure their applications regardless of whether or not they obtain FDA classification. Adherence to security and privacy will only grow in importance as hackers increase their targets to include medical devices and medical device software. But instead of taking this on themselves — a daunting feat — vendors can turn to a cloud partner who has made this a core competency.
Chris Bowen is founder and chief privacy and security officer at ClearDATA. He is a certified information privacy professional, certified information systems security professional and certified information privacy technologist. ClearDATA provides HITRUST CSF-certified HIPAA-compliant cloud computing used by more than 350,000 health care providers to store, manage, protect and share their patient health information and critical applications.