
mHealth App: Balancing Agility, Risks, and Regulatory Compliance


Overview on the risks and regulatory requirements related to mobile Health (mHealth) Apps and Wearables

Published in: Health & Medicine


  1. Achieve Business Agility in mHealth Development While Ensuring Compliance with Regulatory Requirements
     Victor Huynh, CISSP
     November 16, 2016, 2nd Annual Life Science Mobile Medical Apps Summit, Princeton, NJ
  2. Disclaimer
     The opinions expressed in this presentation are based on the personal experience of the presenter. They do not represent the approach, policy, or practice of any particular organization that is currently affiliated with the author.
     Nov. 16, 2016, 2nd Annual Life Science Mobile Medical Apps Summit
  3. Agenda
     • The mHealth Universe
     • The mHealth Regulatory Landscape
       o Medical Device Regulations (FDA, MHRA, EMEA, etc.)
       o CE Mark (ISO 13485, ISO 14971, ISO 80001, etc.)
       o Privacy Regulations (FTC, HIPAA, EU Data Protection, etc.)
     • Classification of mHealth
     • Multi-compliance Risk Management for mHealth
     • Effective Design Controls for mHealth
     • Data Privacy Issues
  4. The mHealth Universe
     • B2C business model
       o 90,055 mHealth apps for iOS*
     • Digital Marketing apps
     • Wearable accessory apps
     • Medical Device accessory apps
     • Stand-alone to complex ecosystem
     • Customers’ expectations and ratings
     • Patient’s safety and privacy
     • Fluid regulatory environment
     * IMS Institute for Healthcare Informatics, 2015
  5. The mHealth Universe – Consumer Sentiment*
     • 45.7% of mHealth app users discontinue use
     • Reasons for discontinuation:
       o Too much time to enter data (44.5%)
       o Loss of interest (40.5%)
       o Hidden cost (36.1%)
       o App confusing to use (32.8%)
       o Data privacy concern (29%)
     * NIH National Survey of mHealth Apps, 2015
  6. Evolution of Mobile Health Apps and Devices (timeline figure: 2013, 2014)
  7. Evolution of Mobile Health Apps and Devices (timeline figure: 2015, 2016 -)
  8. Making of a Complex mHealth App supporting a Medical Device (architecture diagram)
     • Actors: The Patient; The Physician; The Device Manufacturer
     • Components: Implantable Device; Physician Portal; PaaS Access & Authentication; SaaS Environmental Health Data; SaaS Patient Health Data; IaaS Servers, databases, application
     • Activities: Self-monitoring; Device maintenance; Predictive conditions; Prescriptive changes; Monitoring; Troubleshooting, CAPA; Engineering
  9. Impact of Regulatory Requirements (diagram)
     • Components: PaaS Access & Authentication; SaaS Environmental Health Data; SaaS Patient Health Data; Implantable Device; Physician Portal; IaaS Servers, databases, application
     • Regulations and standards mapped onto the components: QSR, MDD, IVDD; ISO 13485; ISO 14971; ISO 80001; HIPAA; FTC Security; EU Data Protection
     • Questions raised: Where is my data? Is it safe? Is it secret? Will it work? Covered Entity? Who’s responsible? Is the data accurate? How to comply? How to manage risk? How to make it usable? How to deploy it fast?
  10. Regulatory Environment for mHealth
     • Medical Device Regulations
       o U.S. 21 CFR Part 820, 807, 803, etc.
         • Mobile Medical Applications Guidance
         • Postmarket Management of Cybersecurity in Medical Devices
       o EU Medical Device Directive MDD 93/42/EEC, IVDD 98/79/EC
         • MHRA Medical Device Stand-alone Software Including Apps
       o CE Marking (EU and non-US markets)
         • ISO 13485, Medical Device Quality Management System
         • ISO 14971, Medical Device Risk Management
         • ISO 80001, Application of Risk Management for IT-networks incorporating medical devices
     • Data Privacy Regulations
       o FTC Security Principles for the Internet of Things, FTC Notice/Consent & Security
       o HIPAA Security Rules
       o EU Data Protection Directive 95/46/EC
  11. Challenges of mHealth Apps and Devices
     • Consumers’ sentiment and likes
       o Strong initial uptake but could fizzle (e.g., Pokemon Go)
       o Well liked until a poor update is released (e.g., Fitbit vs. Edmodo)
     • Security breach on the 6 o’clock news (e.g., Starbucks)
     • Privacy minefield (HIPAA, FTC, EU Data Protection, etc.)
     • Device Safety and Device Regulations
       o Digital Marketing has no exposure to device regulations
       o Product R&D has no exposure to cybersecurity risks affecting device safety
       o Neither has knowledge of data privacy
     • A poorly managed mHealth program would impact brand image
  12. A Study of 211 mHealth Apps by JAMA (figure)
     Source: JAMA, Privacy Policies of Android Diabetes Apps and Sharing of Health Information, March 8, 2016
  13. Overall Process for Effective Management of mHealth Development
     Phases: Classification → Risk Assessment → Design Control → Release → Support Mgmt.
     • Classification: Regulated mHealth App (Direct Impact, Indirect Impact, EU Class I/II); Non-Regulated mHealth App
     • Risk Assessment: Non-R. mHealth (Data Privacy, Promotional); R. mHealth (Patient Safety, Effectiveness, 3rd Party, Cybersecurity, Data Privacy, Promotional)
     • Design Control: Non-R. mHealth (SDLC, Software Quality); R. mHealth (3rd Party Controls, SDLC, Design Verification, Design Validation, Security Design, Risk Mgmt. Plan)
     • Support Mgmt.: R. mHealth (Complaints, CAPA, 3rd Party Audits, Etc.)
  14. mHealth App Classification
     • Statement of intended use is key (instructions, promotional materials, etc.)
     • Geographical location is critical (U.S., EU, etc.)
     • Participation from key stakeholders is essential
       o R&D / Product Development
       o Quality Assurance
       o Information Security / IT Compliance / IT Risk Management
       o Legal, Regulatory
       o Commercial / Digital Marketing
     • Classification Framework
       o Based on MHRA and FDA Guidance
  15. mHealth Device App Classification (MHRA) (figure)
  16. mHealth App Classification (FDA) (decision flowchart)
     • Directly Regulated mHealth App if the answer to any of these is Yes:
       o Control device?
       o Analyze device data?
       o Active patient monitor?
       o Extend functionality of medical device?
       o Provide diagnostic?
       o Recommend treatment?
     • Otherwise, Indirectly Regulated mHealth App if the answer to any of these is Yes:
       o Help patients to self-manage disease w/o treatment suggestion?
       o Help patients to track, access, organize, interact with e-PHI?
       o HCP interaction?
       o Secondary display of device data?
     • Otherwise (No to all): Not a Regulated mHealth App
  17. mHealth App Classification (diagram)
     • Classifications: EU Class II App; EU Class I mHealth App; US Directly Regulated mHealth App; U.S. Indirectly Regulated mHealth App
     • Decision point: Complex IT eco-system? (Yes)
     • Outcomes: Basic Design Control & Risk Management Framework; ISO Self-certification; Self CE Marking; CE Marking
     • Applicable regulations and standards:
       o 21 CFR Part 807
       o 21 CFR Part 812/814
       o 21 CFR Part 820
       o 21 CFR Part 803
       o 21 CFR Part 11
       o ISO 13485
       o ISO 14971
       o ISO 80001
       o EU MDD
       o EU IVDD
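As an added illustration that is not part of the presentation, the FDA flowchart on slide 16 can be encoded as a small decision procedure in Python. The question wording is the slide's; the evaluation order (any Yes in the first chain makes the app directly regulated, otherwise any Yes in the second chain makes it indirectly regulated, otherwise it is not regulated) is reconstructed from the flattened flowchart and is an assumption, as are the constant and function names. The one design point worth noting is that the function refuses an incomplete answer sheet rather than treating a missing answer as No, since silently under-classifying an app is the costly failure mode here.

```python
# Added example: FDA mHealth app classification flowchart (slide 16) as code.
# Question wording is from the slide; the evaluation order and all names here
# (DIRECT_QUESTIONS, classify_mhealth_app, ...) are assumptions for illustration.

DIRECT_QUESTIONS = (
    "Control device?",
    "Analyze device data?",
    "Active patient monitor?",
    "Extend functionality of medical device?",
    "Provide diagnostic?",
    "Recommend treatment?",
)
INDIRECT_QUESTIONS = (
    "Help patients to self-manage disease w/o treatment suggestion?",
    "Help patients to track, access, organize, interact with e-PHI?",
    "HCP interaction?",
    "Secondary display of device data?",
)
DIRECT = "Directly Regulated mHealth App"
INDIRECT = "Indirectly Regulated mHealth App"
NOT_REGULATED = "Not a Regulated mHealth App"


def classify_mhealth_app(answers):
    """Walk the flowchart. `answers` maps every question to True (Yes) or False (No).

    Returns (classification, triggering_question). A missing, non-boolean or
    unknown question raises ValueError: in a regulatory review an unanswered
    question must not be read as 'No', because that could under-classify the app.
    """
    all_questions = DIRECT_QUESTIONS + INDIRECT_QUESTIONS
    missing = [q for q in all_questions if q not in answers]
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    bad = [q for q in all_questions if not isinstance(answers[q], bool)]
    if bad:
        raise ValueError(f"answers must be True/False: {bad}")
    unknown = set(answers) - set(all_questions)
    if unknown:
        raise ValueError(f"questions not in the flowchart: {sorted(unknown)}")

    # First diamond chain: any Yes -> directly regulated (stop at the first hit).
    for q in DIRECT_QUESTIONS:
        if answers[q]:
            return DIRECT, q
    # Second chain: any Yes -> indirectly regulated.
    for q in INDIRECT_QUESTIONS:
        if answers[q]:
            return INDIRECT, q
    # No all the way down.
    return NOT_REGULATED, None


def answers_all_no():
    """Helper: a complete answer sheet with every question set to False."""
    return {q: False for q in DIRECT_QUESTIONS + INDIRECT_QUESTIONS}


if __name__ == "__main__":
    # Constructed sample: an app that only lets patients organize their e-PHI.
    sheet = answers_all_no()
    sheet["Help patients to track, access, organize, interact with e-PHI?"] = True
    print(classify_mhealth_app(sheet))
```

Because the direct-regulation chain is checked first, an app that both displays device data as a secondary display and recommends treatment is reported as directly regulated, with "Recommend treatment?" named as the reason, which is the answer a reviewer needs to document.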
  18. mHealth App Risk Management
     • Risks to device safety and privacy
     • Device safety is also affected by cybersecurity and availability for complex-ecosystem mHealth apps
     • Leveraging key partners to identify, evaluate, and control risks:
       o Information Security for cybersecurity risks
       o IT Enterprise Architecture for technology risks
       o Legal / Compliance for data privacy risks
       o Quality / Compliance for 3rd Party risks
     • Leveraging IT Enterprise Architecture to manage technology risks
  19. mHealth Risk Assessment & Management (diagram)
     • Device Design Controls and Quality System – Standard ISO 14971 Device Risk Management Framework: Device Risk Management Plan; Intended Use; Hazards Identification; Risk Evaluation; Risk Controls
     • External Compliance Requirements: FTC Security Guide / Doctrine; HIPAA Security Rules*; FDA Cybersecurity Guidance
     • IT Risk Management & Quality System – Standard ISO 80001 IT-network Risk Management Framework: IT Security Threats; Vectors / Vulnerabilities; Security Risk Evaluation; IT Risk Management Plan; Technical / Quality Agreement; Cloud Service Provider Risk Controls
  20. Example of Security Risk Evaluation Matrix (figure)
  21. Design Controls for Regulated mHealth App
     • More about software and security than traditional medical devices
     • Leverage IT expertise to build and deploy a successful regulated mHealth App
       o IT Enterprise Architecture – technology to support the app now and as it grows
       o Information Security – risk identification, vulnerability assessment, and technical controls to safeguard the app and users’ data
     • Use an internal Quality Agreement / Technical Agreement to allow inclusion of IT activities in Design Controls
  22. Medical Device Quality System
     • Subsystems: Management Control; CAPA & Device Reporting, Tracking; Production & Process Control; Facility & Equipment Control; Records & Change Control; Material Control; Design Control
     • Design Control:
       o General Requirements
       o Design & Development Planning
       o Design Input
       o Design Output
       o Design Review
       o Design Verification
       o Design Validation
       o Design Changes
       o Design Transfer
       o Design History File
     Applicable for Regulated mHealth Apps based on classification and risks
  23. Design Control for Regulated mHealth Apps (diagram)
     • Standard ISO 13485 Medical Device Quality System / Design Controls: Design Input → Design Output → Design Review → Design Verification / Validation → Design Transfer
     • IT inputs and activities, under a Quality Agreement between IT and Device Design Control: Security Technical Standards; Enterprise Architecture Standards; IT Infrastructure Standards; Security / EA Technical Review; Security Vulnerability Code Scanning; App Store Deployment
     • Based on the framework and principles of ISO 80001 and ISO 27001
  24. Data Privacy
     • Involvement of Legal and Privacy Office
     • Importance of Data Flow Mapping to identify PII and PHI
     • HIPAA authorization from Covered Entities for PHI data
     • FTC legal authority to regulate app security under the unfairness doctrine (unfair or deceptive practices by business)
  25. Data Privacy and mHealth Apps (diagram)
     • Components: PaaS Access & Authentication; SaaS Environmental Health Data; SaaS Patient Health Data; Implantable Device; Physician Portal; IaaS Servers, databases, application
     • Data types: User’s Personal Identifiable Information; Patient Health Information
     • Controls mapped onto the components: FTC notice / consent & security; HIPAA BA (Business Associate); HIPAA Authorization
     • FTC regulates under the Unfairness Doctrine*
     * FTC v. Wyndham Worldwide Corp. – court affirmed FTC’s jurisdiction to regulate data security.
  26. Data Privacy – FTC Security Principles
     • Start with Security by Design
       o Don’t collect PII if not needed
       o Hold on to PII only as long as there is a legitimate business need
     • Control access to PII
       o Restrict access to employees and limit admin access
     • Use secure passwords and authentication
       o Complex passwords, keep passwords secured
       o Guard against brute force attack / authentication bypass
     • Secure PII in transit and at rest with industry-tested methods
     • Segment and monitor the network
     • Secure remote access to the network
     • Train developers in current secure coding practices
     • Include security in 3rd Party contracts and audit for compliance
     • Have information security SOPs and dispose of PII securely
  27. Examples of FTC Enforcement under the Unfairness Doctrine
     • FTC v. RockYou (collection of PII during registration without a demonstrated business need, and storage of PII in clear text)
     • FTC v. Guidance Software (stored user credentials in clear text)
     • FTC v. Twitter (failure to guard against brute force attack)
     • FTC v. Twitter (almost all employees had admin access)
     • FTC v. Twitter (no security policy prohibiting employees from storing admin passwords in plain text in personal email accounts)
     • FTC v. Fandango (improper use of SSL encryption in mobile app)
     • FTC v. Upromise (failure to audit 3rd party developer for compliance)
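To make the principles on slide 26 concrete, and to show the corrected form of the clear-text credential storage and missing brute-force guard cited on slide 27, here is an added Python example. It is not code from the presentation or from any company named on the slides; every identifier in it (CredentialStore, PII_ALLOWED_FIELDS, the lockout and retention thresholds, the sample account) is an assumption constructed for illustration, and the PBKDF2 work factor is an example value, not a figure the slides give.

```python
# Added example (not from the presentation): a minimal account store that
# applies three of the FTC principles above: hashed (never clear-text)
# credentials, brute-force lockout, and PII minimisation with a retention limit.
# All names, thresholds and sample data are assumptions constructed for illustration.
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000             # assumed work factor for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5                 # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60               # assumed lockout duration
PII_ALLOWED_FIELDS = {"email", "display_name"}   # "don't collect PII if not needed"
PII_RETENTION_SECONDS = 30 * 24 * 3600           # "hold on to PII only as long as needed"


def hash_password(password, salt=None):
    """Return (salt, digest). The digest, not the password, is what gets stored;
    clear-text credential storage is the defect behind the RockYou and
    Guidance Software actions cited above."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory store; `clock` is injectable so lockout and retention can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}   # username -> record dict

    def register(self, username, password, pii):
        # Data minimisation: refuse PII fields the registration does not need.
        unexpected = set(pii) - PII_ALLOWED_FIELDS
        if unexpected:
            raise ValueError(f"PII not needed for registration: {sorted(unexpected)}")
        salt, digest = hash_password(password)
        self.users[username] = {
            "salt": salt,
            "digest": digest,
            "pii": dict(pii),
            "pii_collected_at": self.clock(),
            "failed": 0,
            "locked_until": 0.0,
        }

    def authenticate(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Repeated failures lock the account,
        which is the brute-force guard the Twitter action found missing."""
        now = self.clock()
        rec = self.users.get(username)
        if rec is None:
            hash_password(password)   # spend the same work for unknown users
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failed"] = 0
            return "locked"
        return "denied"

    def purge_expired_pii(self):
        """Drop PII held longer than the retention window; returns the number purged."""
        now = self.clock()
        purged = 0
        for rec in self.users.values():
            if rec["pii"] and now - rec["pii_collected_at"] > PII_RETENTION_SECONDS:
                rec["pii"] = {}
                purged += 1
        return purged


if __name__ == "__main__":
    # Constructed sample account; the e-mail address is a placeholder.
    store = CredentialStore()
    store.register("alice", "correct horse battery", {"email": "alice@example.test"})
    print(store.authenticate("alice", "correct horse battery"))   # ok
    print(store.authenticate("alice", "guess"))                   # denied
```

Two details carry the security point. The comparison uses hmac.compare_digest so that a wrong password is rejected in constant time, and an unknown username still pays for one PBKDF2 computation, so the response time does not reveal which accounts exist. The retention purge is a separate, scheduled step rather than something done on login, because accounts that are never used again are exactly the ones whose PII would otherwise be kept forever.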
  28. Questions & Answers
     Email: huynh_victor@allergan.com
     www.linkedin.com/in/victorhuynh
