Wait a minute, HIPAA regulations have to do with protecting private health information – that's something that hospitals, physicians' practices, and other health organizations have to be concerned about, not medical device manufacturers, right? Wrong.
As more and more diagnostic and therapeutic medical devices are becoming wireless smart devices and wearable technology, information gathered and used during the process of diagnosing and treating patients is at risk of being stolen or compromised. That means that HIPAA compliance and cybersecurity is a concern for companies designing and manufacturing these devices.
The FDA recently produced a draft guidance document titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices that outlines possible HIPAA issues and recommends steps medical device manufacturers should take to ensure that medical device functionality and patient electronic medical records (EMR) cannot be compromised by hackers and other cybercriminals looking to exploit unsecure wireless device communications. In short, premarket submissions from medical device manufacturers need to provide documentation demonstrating effective cybersecurity management. This documentation extends to the following premarket submissions:
- Premarket Notification (510(k)) including Traditional, Special, and Abbreviated 510(k) submissions
- De novo petitions
- Premarket Approval Applications (PMA)
- Product Development Protocols (PDP)
- Humanitarian Device Exemption (HDE) submissions
So what exactly does the FDA mean by “cybersecurity management”? Essentially, medical device manufacturers need to develop a set of security controls that will ensure EMR information confidentiality, integrity, and availability. What steps, processes, and controls manufacturers use depends upon the medical device itself, the environment it’s used in, the type and level of risk involved, and the probable risk to the patient if there is an EMR breach.
To learn more about your HIPAA responsibilities and cybersecurity regarding the design and manufacture of medical devices that process or manage EMR as part of their functionality, consult an experienced FDA regulatory compliance consultant such as MEDIcept.