Guest Column | January 14, 2016

3 Lessons: FDA/FTC Enforcement Against Mobile Medical Apps

By Keith Barritt, Fish & Richardson P.C.

Over the last year, the FDA has taken important steps to lessen the regulatory burden on – and in some cases entirely deregulate – mobile medical apps. For example, in January 2015, the FDA released the draft guidance document General Wellness: Policy for Low Risk Devices.

The draft guidance proposed to deregulate low risk products that are intended to help maintain or encourage “a general state of health or healthy activity,” such as weight management or physical fitness, or “to promote, track, and/or encourage choices” that may help to reduce the risk of, or promote the ability to live well with, certain chronic diseases or conditions. Examples include apps that promote physical activity to help reduce the risk of high blood pressure, or track sleep patterns to help reduce the risk of developing type 2 diabetes. 

The draft guidance provides several additional examples of mobile apps that would be considered “low risk general wellness” products:

  • Mobile apps that play music to “soothe and relax” and “manage stress”
  • Mobile apps that monitor and record daily energy expenditure and cardiovascular workout activities to “allow awareness of one’s exercise activities to improve or maintain good cardiovascular health”
  • Mobile apps that monitor and record food consumption to “manage dietary activity for weight management and alert the user, healthcare provider, or family member of unhealthy dietary activity”

The following month (February 2015), the FDA released an amended final guidance outlining, in sometimes broad terms, when mobile medical apps in general would be regulated. That same month, the FDA also announced it would no longer regulate “medical device data systems” that display, store, or transmit patient-specific data from a medical device in its original format, or convert it according to preset specifications, provided the device does not modify the data or generate signals to control another device, and is not used for active patient monitoring.

Despite the FDA’s deregulatory shift to encourage the development of mobile medical apps and other digital devices, the U.S. government has taken some public enforcement action against mobile medical apps over the past few years, and has taken other action when manufacturers of wireless devices face cybersecurity issues (as all mobile app developers do). While rare, such public enforcement actions serve as a reminder that there are still limits to what can be lawfully marketed.

Lesson 1: Determine If Your App Is A Medical Device 

Biosense Technologies designed its uChek smartphone app to analyze urine dipsticks. The app was useful for people with diabetes who wanted to check the amount of glucose in their urine. The app purportedly could analyze the colors of the dipstick and store or chart the results over time. The dipsticks themselves were cleared by the FDA, but only for visual reading.

The uChek app received press attention following a demonstration at a TED talk in 2013. In a congressional hearing in February of that year, the app was mentioned as an example of where the FDA might be failing to properly regulate.

A few months later, the FDA advised Biosense Technologies that its uChek app appeared to meet the definition of a “medical device” and required a 510(k) clearance for the app and the dipsticks as part of a urinalysis test system.  Currently, the uChek app appears to be unavailable via Apple’s App Store, Biosense’s website states that the app is available for sale only in India, and Biosense has not registered as a device manufacturer with the FDA.  

Thus, for now it appears that Biosense has at least tacitly agreed not to sell the uChek app in the United States, though notably its website promotes the SüChek app for analyzing sugar levels as being available to the public for beta testing. 

Lesson 2: Be Sure You Can Substantiate Your Claims

The U.S. Federal Trade Commission (FTC) has jurisdiction over deceptive advertising, and while it is usually the FDA that takes the lead with respect to medical devices, the FTC occasionally steps in. Even if the FDA may be reluctant to take action against mobile app developers in the current deregulatory climate, the FTC has in recent years acted against at least three types of mobile apps.

In 2011, the FTC settled with marketers of the AcneApp and AcnePwner, mobile apps that were marketed for treating acne by emitting colored lights from smartphones.  The settlements bar the marketers from making acne-treatment claims about their mobile apps, or any other devices, in the absence of substantiating scientific evidence. 

In 2015, the FTC barred marketers of the MelApp and Mole Detective mobile apps from making any representation that the apps could detect or diagnose melanoma, identify risk factors of melanoma, or increase users’ chances of detecting melanoma in its early stages in the absence of substantiating scientific evidence. 

Later in 2015, the FTC settled with the developer of the UltimEyes app, which was marketed as “scientifically shown” to improve vision.  The company agreed to pay a $150,000 fine and to stop making the vision improvement claims.

Lesson 3: Prioritize Cybersecurity (Because The FDA And FTC Have)

In October 2014, FDA’s growing concern with the interconnectedness of medical devices led to the release of its final guidance document Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. As stated by the FDA, “failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.” 

Based on the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the FDA recommends that manufacturers address cybersecurity during the design and development of their medical devices, and submit documentation to the FDA demonstrating such activities in their premarket submissions. The two core functions that should guide manufacturers’ cybersecurity activities, as identified by the FDA, are “identify and protect,” and “detect, respond, and recover.” 

According to the FDA, manufacturers should establish design inputs for their devices related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that addresses the following elements:

  • Identification of assets (i.e., anything of value), threats, and vulnerabilities;
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies; and
  • Assessment of residual risk and risk acceptance criteria.

In August, the FDA issued its first-ever cybersecurity alert for a particular medical device — despite no actual adverse events having taken place related to the security of that device — demonstrating to both healthcare providers and device manufacturers that they need to be prepared to adapt, on the fly, to cybersecurity concerns.

The FTC, too, appears to be placing increased importance on its role as “a champion of consumer data privacy and data security,” particularly when it comes to wearables, at least according to one security expert. In the past 15 years, the agency has lodged more than 50 cases against different companies for security-related issues.

Manufacturers should consider the extent to which security controls are needed based on the device’s intended use, the presence and intent of its electronic data interfaces, its intended use environment, the type of cybersecurity vulnerabilities present, the likelihood the vulnerabilities will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach. 

As further evidence of the FDA’s ongoing concerns, the agency will host a public workshop on medical device cybersecurity this week, in collaboration with the National Health Information Sharing Analysis Center, the U.S. Department of Health and Human Services (HHS), and the Department of Homeland Security (DHS).  The purpose of this workshop is to highlight past collaborative efforts, increase awareness of existing and developing models and tools for cybersecurity, and discuss gaps and challenges in advancing medical device cybersecurity.

Conclusion

While there is no doubt that the FDA is taking a light-handed approach in its regulation of mobile apps, there is a limit as to what can be lawfully marketed. App developers would be wise not to ignore the FDA’s and FTC’s regulatory authority.  It probably won’t take another congressional hearing before either agency takes action in appropriate circumstances.

About The Author

Keith A. Barritt is a principal in the Washington, D.C., office of Fish & Richardson. His practice is primarily focused on all aspects of medical device regulation, as well as trademark law. To contact him, visit http://www.fr.com/keith-a-barritt/