mHealth App: Balancing Agility, Risks, and Regulatory Compliance
1. Achieve Business Agility in mHealth Development While Ensuring Compliance with Regulatory Requirements
Victor Huynh, CISSP
November 16, 2016
2nd Annual Life Science Mobile Medical Apps Summit
Princeton, NJ
2. Disclaimer
Nov. 16, 2016
The opinions expressed in this presentation are based on the personal
experience of the presenter. They do not represent the approach, policy, or
practice of any particular organization that is currently affiliated with the
author.
2
2nd Annual Life Science Mobile Medical
Apps Summit
3. Agenda
• The mHealth Universe
• The mHealth Regulatory Landscape
o Medical Device Regulations (FDA, MHRA, EMEA, etc.)
o CE Mark (ISO 13485, ISO 14971, ISO 80001, etc.)
o Privacy Regulations (FTC, HIPAA, EU Data Protection, etc.)
• Classification of mHealth
• Multi-compliance Risk Management for mHealth
• Effective Design Controls for mHealth
• Data Privacy Issues
4. The mHealth Universe
• B2C business model
o 90,055 mHealth apps for iOS*
• Digital Marketing apps
• Wearable accessory apps
• Medical Device accessory apps
• Stand-alone to complex ecosystem
• Customers’ expectations and ratings
• Patient’s safety and privacy
• Fluid regulatory environment
* IMS Institute for Healthcare Informatics, 2015
5. The mHealth Universe – Consumer Sentiment*
• 45.7% of mHealth app users discontinue use
• Reasons for discontinuation
o Too much time to enter data (44.5%)
o Loss of interest (40.5%)
o Hidden cost (36.1%)
o App confusing to use (32.8%)
o Data privacy concern (29%)
* NIH National Survey of mHealth Apps, 2015
6. Evolution of Mobile Health Apps and Devices
Timeline figure: 2013, 2014
7. Evolution of Mobile Health Apps and Devices
Timeline figure: 2015, 2016 onward
8. Making of a Complex mHealth App supporting a Medical Device
Ecosystem diagram shown on the slide:
• Actors and their activities: The Patient (self-monitoring, device maintenance); The Physician via the Physician Portal (predictive conditions, prescriptive changes, device maintenance); The Device Manufacturer (monitoring; troubleshooting, CAPA; engineering)
• Components: Implantable Device; PaaS – Access & Authentication; SaaS – Patient Health Data; SaaS – Environmental Health Data; IaaS – Servers, databases, application
9. Impact of Regulatory Requirements
The same ecosystem diagram with regulatory requirements overlaid on its components:
• Components: Implantable Device; Physician Portal; PaaS – Access & Authentication; SaaS – Patient Health Data; SaaS – Environmental Health Data; IaaS – Servers, databases, application
• Requirements overlaid: QSR, MDD, IVDD; ISO 13485; ISO 14971; ISO 80001; HIPAA; FTC Security; EU Data Protection
• Questions raised: Where is my data? Is it safe? Is it secret? Will it work? Covered Entity? Who’s responsible? Is the data accurate? How to comply? How to manage risk? How to make it usable? How to deploy it fast?
10. Regulatory Environment for mHealth
• Medical Device Regulations
o U.S. 21 CFR Part 820, 807, 803, etc.
• Mobile Medical Applications Guidance
• Postmarket Management of Cybersecurity in Medical Devices
o EU Medical Device Directive MDD 93/42/EEC, IVDD 98/79/EC
• MHRA Medical Device Stand-alone Software Including Apps
o CE Marking (EU and non-US markets)
• ISO 13485, Medical Device Quality Management System
• ISO 14971, Medical Device Risk Management
• ISO 80001, Application of Risk Management for IT-networks incorporating medical devices
• Data Privacy Regulations
o FTC Security Principles for the Internet of Things, FTC Notice/Consent & Security
o HIPAA Security Rules
o EU Data Protection Directive 95/46/EC
11. Challenges of mHealth Apps and Devices
• Consumers’ sentiment and likes
o Strong initial uptake but could fizzle (e.g., Pokemon Go)
o Well liked until a poor update is released (e.g., Fitbit vs. Edmodo)
• Security breach on the 6 o’clock news (e.g., Starbucks)
• Privacy minefield (HIPAA, FTC, EU Data Protection, etc.)
• Device Safety and Device Regulations
o Digital Marketing has no exposure to device regulations
o Product R&D has no exposure to cybersecurity risks affecting device safety
o Neither has knowledge of data privacy
• A poorly managed mHealth program would impact brand image
12. A Study of 211 mHealth Apps by JAMA
Source: JAMA, Privacy Policies of Android Diabetes Apps and Sharing of Health Information, March 8, 2016
13. Overall Process for Effective Management of mHealth Development
Process steps shown on the slide, with the items listed under each:
• Classification
o Regulated mHealth App: Direct Impact; Indirect Impact; EU Class I/II
o Non-Regulated mHealth App
• Risk Assessment
o Non-R. mHealth: Data Privacy; Promotional
o R. mHealth: Patient Safety; Effectiveness; 3rd Party; Cybersecurity; Data Privacy; Promotional
• Design Control
o Non-R. mHealth: SDLC; Software Quality
o R. mHealth: 3rd Party Controls; SDLC; Design Verification; Design Validation; Security Design; Risk Mgmt. Plan
• Release
• Support Mgmt.
o R. mHealth: Complaints; CAPA; 3rd Party Audits; Etc.
14. mHealth App Classification
• Statement of intended use is key (instructions, promotional materials, etc.)
• Geographical location is critical (U.S., EU, etc.)
• Participation from key stakeholders is essential
o R&D / Product Development
o Quality Assurance
o Information Security / IT Compliance / IT Risk Management
o Legal, Regulatory
o Commercial / Digital Marketing
• Classification Framework
o Based on MHRA and FDA Guidance
15. mHealth Device App Classification (MHRA)
16. mHealth App Classification (FDA)
Decision flow shown on the slide:
• Does the app control a device, analyze device data, actively monitor a patient, extend the functionality of a medical device, provide a diagnostic, or recommend treatment?
o Yes: Directly Regulated mHealth App
o No: continue to the next question
• Does the app help patients self-manage a disease without treatment suggestions, help patients track, access, organize, or interact with e-PHI, involve HCP interaction, or provide a secondary display of device data?
o Yes: Indirectly Regulated mHealth App
o No: Not a Regulated mHealth App
17. mHealth App Classification
Diagram mapping each class to its requirements:
• US Directly Regulated mHealth App: 21 CFR Part 807; 21 CFR Part 812/814; 21 CFR Part 820; 21 CFR Part 803; 21 CFR Part 11
• U.S. Indirectly Regulated mHealth App: Basic Design Control & Risk Management Framework; ISO self-certification
• EU Class II App: ISO 13485; ISO 14971; ISO 80001; EU MDD; EU IVDD; CE Marking
• EU Class I mHealth App: Self CE Marking; ISO self-certification
• Complex IT eco-system? Yes: ISO 80001 applies
18. mHealth App Risk Management
• Risks to device safety and privacy
• Device safety is also affected by cybersecurity and availability for complex-ecosystem mHealth apps
• Leveraging key partners to identify, evaluate, and control risks:
o Information Security for cybersecurity risks
o IT Enterprise Architecture for technology risks
o Legal / Compliance for data privacy risks
o Quality / Compliance for 3rd Party risks
• Leveraging IT Enterprise Architecture to manage technology risks
19. mHealth Risk Assessment & Management
Diagram with three lanes:
• Device Design Controls and Quality System (Standard ISO 14971 Device Risk Management Framework): Intended Use; Hazards Identification; Risk Evaluation; Risk Controls; Device Risk Management Plan
• External Compliance Requirements: FTC Security Guide / Doctrine; HIPAA Security Rules*; FDA Cybersecurity Guidance
• IT Risk Management & Quality System (Standard ISO 80001 IT-network Risk Management Framework): IT Security Threat Vectors / Vulnerabilities; Security Risk Evaluation; Cloud Service Provider Risk Controls; IT Risk Management Plan
• Technical / Quality Agreement links the device lane and the IT lane
20. Example of Security Risk Evaluation Matrix
21. Design Controls for Regulated mHealth App
• More about software and security than traditional medical devices
• Leverage IT expertise to build and deploy a successful regulated mHealth App
o IT Enterprise Architecture – technology to support the current operation and growth of the app
o Information Security – risk identification, vulnerability assessment, and technical controls to safeguard the app and users’ data
• Use an internal Quality Agreement / Technical Agreement to allow inclusion of IT activities in Design Controls
22. Medical Device Quality System
Quality system subsystems shown: Management Control; CAPA & Device Reporting, Tracking; Production & Process Control; Facility & Equipment Control; Records & Change Control; Material Control; Design Control
Design Control elements:
• General Requirements
• Design & Development Planning
• Design Input
• Design Output
• Design Review
• Design Verification
• Design Validation
• Design Changes
• Design Transfer
• Design History File
Applicable for Regulated mHealth Apps based on classification and risks
23. Design Control for Regulated mHealth Apps
Diagram: Standard ISO 13485 Medical Device Quality System / Design Controls
• Design Input
• Design Output
• Design Review
• Design Verification / Validation
• Design Transfer
Quality Agreement between IT and Device Design Control, mapping IT activities onto these steps:
• Security Technical Standards; Enterprise Architecture Standards; IT Infrastructure Standards (inputs)
• Security / EA Technical Review (review)
• Security Vulnerability Code Scanning (verification / validation)
• App Store Deployment (transfer)
Based on the framework and principles of ISO 80001 and ISO 27001
24. Data Privacy
• Involvement of Legal and the Privacy Office
• Importance of Data Flow Mapping to identify PII and PHI
• HIPAA authorization from Covered Entities for PHI data
• FTC legal authority to regulate app security under the unfairness doctrine (unfair or deceptive practices by business)
25. Data Privacy and mHealth Apps
The ecosystem diagram with data types and privacy requirements overlaid:
• Components: Implantable Device; Physician Portal; PaaS – Access & Authentication; SaaS – Patient Health Data; SaaS – Environmental Health Data; IaaS – Servers, databases, application
• Data types: User’s Personal Identifiable Information; Patient Health Information
• Requirements overlaid: FTC notice / consent & security (FTC regulates under the Unfairness Doctrine*); HIPAA BA; HIPAA Authorization
* FTC v. Wyndham Worldwide Corp. – court affirmed FTC’s jurisdiction to regulate data security.
26. Data Privacy – FTC Security Principles
• Start with Security by Design
o Don’t collect PII if not needed
o Hold on to PII only as long as there is a legitimate business need
• Control Access to PII
o Restrict access to employees and limit admin access
• Use Secure Passwords and Authentication
o Complex passwords, keep passwords secured
o Guard against brute force attacks / authentication bypass
• Secure PII in transit and at rest with industry-tested methods
• Segment and monitor the network
• Secure remote access to the network
• Train developers in current secure coding practices
• Include security in 3rd Party contracts and audit for compliance
• Have information security SOPs and dispose of PII securely
27. Examples of FTC Enforcement under Unfairness Doctrine
• FTC v. RockYou (collection of PII during registration not justified by business need, and PII stored in clear text)
• FTC v. Guidance Software (stored user credentials in clear text)
• FTC v. Twitter (failure to guard against brute force attacks)
• FTC v. Twitter (almost all employees had admin access)
• FTC v. Twitter (no security policy prohibiting employees from storing admin passwords in plain text in personal email accounts)
• FTC v. Fandango (improper use of SSL encryption in mobile app)
• FTC v. Upromise (failure to audit 3rd party developer for compliance)
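An added example, not from the presentation: a small, hypothetical Python credential store that applies the security principles from slide 26 to the failures cited above (credentials kept in clear text, no brute-force guard, PII held without a business need). The class name, the constants and the injected clock are my own assumptions.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000         # slow, salted hash: no clear-text credentials (RockYou, Guidance Software)
MAX_FAILED_ATTEMPTS = 5             # lock out after repeated failures: brute-force guard (Twitter)
LOCKOUT_SECONDS = 15 * 60
RETENTION_SECONDS = 90 * 24 * 3600  # hold PII only as long as a legitimate business need exists


class HardenedUserStore:
    """In-memory credential store (hypothetical) applying the FTC principles above.
    A clock is injected so lockout and retention can be tested deterministically."""

    def __init__(self, now=time.time):
        self.users = {}
        self.now = now

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        # Only the salt and the derived hash are stored, never the password itself.
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                "failed": 0, "locked_until": 0.0, "last_seen": self.now()}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or self.now() < user["locked_until"]:
            return False                      # unknown user, or still locked out
        if hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            user["failed"], user["last_seen"] = 0, self.now()   # constant-time compare succeeded
            return True
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = self.now() + LOCKOUT_SECONDS
        return False

    def is_locked(self, username):
        user = self.users.get(username)
        return user is not None and self.now() < user["locked_until"]

    def purge_stale(self):
        """Delete records unused beyond the retention window; returns how many were removed."""
        cutoff = self.now() - RETENTION_SECONDS
        stale = [name for name, user in self.users.items() if user["last_seen"] < cutoff]
        for name in stale:
            del self.users[name]
        return len(stale)
```

A real deployment would persist the records and log lockouts and purges; the in-memory dictionary only keeps the example self-contained.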
28. Questions & Answers
Email: huynh_victor@allergan.com
www.linkedin.com/in/victorhuynh