Achieve Business Agility in mHealth Development While Ensuring Compliance with Regulatory Requirements
Victor Huynh, CISSP
November 16, 2016
2nd Annual Life Science Mobile Medical Apps Summit
Princeton, NJ
Disclaimer
The opinions expressed in this presentation are based on the personal experience of the presenter. They do not represent the approach, policy, or practice of any particular organization that is currently affiliated with the author.
Agenda
• The mHealth Universe
• The mHealth Regulatory Landscape
  o Medical Device Regulations (FDA, MHRA, EMEA, etc.)
  o CE Mark (ISO 13485, ISO 14971, ISO 80001, etc.)
  o Privacy Regulations (FTC, HIPAA, EU Data Protection, etc.)
• Classification of mHealth
• Multi-compliance Risk Management for mHealth
• Effective Design Controls for mHealth
• Data Privacy Issues
The mHealth Universe
• B2C business model
  o 90,055 mHealth apps for iOS*
• Digital Marketing apps
• Wearable accessory apps
• Medical Device accessory apps
• Stand-alone apps to complex ecosystems
• Customers' expectations and ratings
• Patient safety and privacy
• Fluid regulatory environment
* IMS Institute for Healthcare Informatics, 2015
The mHealth Universe – Consumer Sentiment*
• 45.7% of mHealth app users discontinue use
• Reasons for discontinuation
  o Too much time to enter data (44.5%)
  o Loss of interest (40.5%)
  o Hidden cost (36.1%)
  o App confusing to use (32.8%)
  o Data privacy concern (29%)
* NIH National Survey of mHealth Apps, 2015
Evolution of Mobile Health Apps and Devices
(Timeline figure spanning two slides, not reproduced; panels labelled 2013, 2014, 2015, 2016 -)
Making of a Complex mHealth App supporting a Medical Device
(Architecture diagram, not reproduced. Labels recovered from the figure:)
• The Patient: Self-monitoring; Device maintenance; Implantable Device
• The Physician: Physician Portal; Predictive conditions; Prescriptive changes; Device maintenance
• The Device Manufacturer: Monitoring; Troubleshooting, CAPA; Engineering
• Cloud layers: PaaS (Access & Authentication); SaaS (Environmental Health Data); SaaS (Patient Health Data); IaaS (Servers, databases, application)
Impact of Regulatory Requirements
(Same architecture diagram, not reproduced, with each component annotated by the regimes that apply to it: QSR, MDD, IVDD; ISO 13485, ISO 14971, ISO 80001; HIPAA; FTC Security; EU Data Protection. The questions it raises:)
• Where is my data?
• Is it safe?
• Is it secret?
• Will it work?
• Covered Entity?
• Who's responsible?
• Is the data accurate?
• How to comply?
• How to manage risk?
• How to make it usable?
• How to deploy it fast?
Regulatory Environment for mHealth
• Medical Device Regulations
  o U.S. 21 CFR Part 820, 807, 803, etc.
      • Mobile Medical Applications Guidance
      • Postmarket Management of Cybersecurity in Medical Devices
  o EU Medical Device Directive MDD 93/42/EEC, IVDD 98/79/EC
      • MHRA Medical Device Stand-alone Software Including Apps
  o CE Marking (EU and non-US markets)
      • ISO 13485, Medical Device Quality Management System
      • ISO 14971, Medical Device Risk Management
      • ISO 80001, Application of Risk Management for IT-networks incorporating medical devices
• Data Privacy Regulations
  o FTC Security Principles for the Internet of Things, FTC Notice/Consent & Security
  o HIPAA Security Rules
  o EU Data Protection Directive 95/46/EC
Challenges of mHealth Apps and Devices
• Consumers' sentiment and likes
  o Strong initial uptake that can fizzle (e.g., Pokemon Go)
  o Well liked until a poor update is released (e.g., Fitbit vs. Edmodo)
• Security breach on the 6 o'clock news (e.g., Starbucks)
• Privacy minefield (HIPAA, FTC, EU Data Protection, etc.)
• Device safety and device regulations
  o Digital Marketing has no exposure to device regulations
  o Product R&D has no exposure to cybersecurity risks affecting device safety
  o Neither has knowledge of data privacy
• A poorly managed mHealth program would impact brand image
A Study of 211 mHealth Apps by JAMA
(Chart, not reproduced.)
Source: JAMA, Privacy Policies of Android Diabetes Apps and Sharing of Health Information, March 8, 2016
Overall Process for Effective Management of mHealth Development
(Process diagram, reconstructed as a list: Classification → Risk Assessment → Design Control → Release → Support Mgmt.)
• Classification
  o Regulated mHealth App: Direct Impact; Indirect Impact; EU Class I/II
  o Non-Regulated mHealth App
• Risk Assessment
  o Non-R. mHealth: Data Privacy; Promotional
  o R. mHealth: Patient Safety; Effectiveness; 3rd Party; Cybersecurity; Data Privacy; Promotional
• Design Control
  o Non-R. mHealth: SDLC; Software Quality
  o R. mHealth: 3rd Party Controls; SDLC; Design Verification; Design Validation; Security Design; Risk Mgmt. Plan
• Release / Support Mgmt.
  o R. mHealth: Complaints; CAPA; 3rd Party Audits; Etc.
mHealth App Classification
• Statement of intended use is key (instructions, promotional materials, etc.)
• Geographical location is critical (U.S., EU, etc.)
• Participation from key stakeholders is essential
  o R&D / Product Development
  o Quality Assurance
  o Information Security / IT Compliance / IT Risk Management
  o Legal, Regulatory
  o Commercial / Digital Marketing
• Classification Framework
  o Based on MHRA and FDA Guidance
mHealth Device App Classification (MHRA)
(MHRA flowchart, not reproduced.)
mHealth App Classification (FDA)
(Decision flowchart, reconstructed as text.)
Does the app control a device, analyze device data, actively monitor a patient, extend the functionality of a medical device, provide a diagnosis, or recommend treatment?
• Yes → Directly Regulated mHealth App
• No → Does the app help patients self-manage a disease without suggesting treatment; help patients track, access, organize, or interact with e-PHI; support HCP interaction; or act as a secondary display of device data?
  o Yes → Indirectly Regulated mHealth App
  o No → Not a Regulated mHealth App
mHealth App Classification
(Diagram mapping each class to its regulatory framework, not reproduced. Labels recovered from the figure:)
• Classes: US Directly Regulated mHealth App; U.S. Indirectly Regulated mHealth App; EU Class I mHealth App; EU Class II App
• Decision node: Complex IT eco-system? (Yes)
• Frameworks: 21 CFR Part 807; 21 CFR Part 812/814; 21 CFR Part 820; 21 CFR Part 803; 21 CFR Part 11; ISO 13485; ISO 14971; ISO 80001; EU MDD; EU IVDD
• Outcomes: Basic Design Control & Risk Management Framework; ISO Self-certification; Self CE Marking; CE Marking
mHealth App Risk Management
• Risks to device safety and privacy
• For complex-ecosystem mHealth apps, device safety is also affected by cybersecurity and availability
• Leverage key partners to identify, evaluate, and control risks:
  o Information Security for cybersecurity risks
  o IT Enterprise Architecture for technology risks
  o Legal / Compliance for data privacy risks
  o Quality / Compliance for 3rd Party risks
• Leverage IT Enterprise Architecture to manage technology risks
mHealth Risk Assessment & Management
(Diagram, reconstructed as text. Three columns: Device Design Controls and Quality System | External Compliance Requirements | IT Risk Management & Quality System.)
• Standard ISO 14971 Device Risk Management Framework: Device Risk Management Plan → Intended Use → Hazards Identification → Risk Evaluation → Risk Controls
• External Compliance Requirements: FTC Security Guide / Doctrine; HIPAA Security Rules*; FDA Cybersecurity Guidance; Technical / Quality Agreement
• Standard ISO 80001 IT-network Risk Management Framework: IT Risk Management Plan → IT Security Threat Vectors / Vulnerabilities → Security Risk Evaluation → Cloud Service Provider Risk Controls
Example of Security Risk Evaluation Matrix
(Matrix, not reproduced.)
Design Controls for Regulated mHealth App
• More about software and security than traditional medical devices
• Leverage IT expertise to build and deploy a successful regulated mHealth App
  o IT Enterprise Architecture – technology to support the app's current use and growth
  o Information Security – risk identification, vulnerability assessment, and technical controls to safeguard the app and users' data
• Use an internal Quality Agreement / Technical Agreement to allow inclusion of IT activities in Design Controls
Medical Device Quality System
(Quality-system subsystem diagram, reconstructed as a list.)
• Management Control
• CAPA & Device Reporting, Tracking
• Production & Process Control
• Facility & Equipment Control
• Records & Change Control
• Material Control
• Design Control (applicable for Regulated mHealth Apps based on classification and risks)
  o General Requirements
  o Design & Development Planning
  o Design Input
  o Design Output
  o Design Review
  o Design Verification
  o Design Validation
  o Design Changes
  o Design Transfer
  o Design History File
Design Control for Regulated mHealth Apps
(Diagram, reconstructed as text.)
• Standard ISO 13485 Medical Device Quality System / Design Controls: Design Input → Design Output → Design Review → Design Verification / Validation → Design Transfer
• Quality Agreement between IT and Device Design Control
• IT activities: Security Technical Standards; Enterprise Architecture Standards; IT Infrastructure Standards → Security / EA Technical Review → Security Vulnerability Code Scanning → App Store Deployment
• Based on the framework and principles of ISO 80001 and ISO 27001
Data Privacy
• Involvement of Legal and Privacy Office
• Importance of data flow mapping to identify PII and PHI
• HIPAA authorization from Covered Entities for PHI data
• FTC legal authority to regulate app security under the unfairness doctrine (unfair or deceptive practices by business)
Data Privacy and mHealth Apps
(Same architecture diagram, not reproduced, with each component annotated by the privacy regime that applies to it. Labels recovered from the figure:)
• Components: PaaS (Access & Authentication); SaaS (Environmental Health Data); SaaS (Patient Health Data); Implantable Device; Physician Portal; IaaS (Servers, databases, application)
• Data types: User's Personal Identifiable Information; Patient Health Information
• Regimes: FTC regulates under the Unfairness Doctrine* (FTC notice / consent & security); HIPAA BA; HIPAA Authorization
* FTC v. Wyndham Worldwide Corp. – court affirmed the FTC's jurisdiction to regulate data security.
Data Privacy – FTC Security Principles
• Start with Security by Design
  o Don't collect PII if it is not needed
  o Hold on to PII only as long as there is a legitimate business need
• Control access to PII
  o Restrict employee access and limit admin access
• Use secure passwords and authentication
  o Complex passwords; keep passwords secured
  o Guard against brute force attacks / authentication bypass
• Secure PII in transit and at rest with industry-tested methods
• Segment and monitor the network
• Secure remote access to the network
• Train developers in current secure coding practices
• Include security in 3rd Party contracts and audit for compliance
• Have information security SOPs and dispose of PII securely
Examples of FTC Enforcement under the Unfairness Doctrine
• FTC v. RockYou (collected PII during registration without a demonstrated business need and stored PII in clear text)
• FTC v. Guidance Software (stored user credentials in clear text)
• FTC v. Twitter (failure to guard against brute force attacks)
• FTC v. Twitter (almost all employees had admin access)
• FTC v. Twitter (no security policy prohibited employees from storing admin passwords in plain text in personal email accounts)
• FTC v. Fandango (improper use of SSL encryption in mobile app)
• FTC v. Upromise (failure to audit 3rd party developer for compliance)
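The FTC principles on the previous slide and the enforcement examples above, as an added illustration that is not part of the presentation: a clear-text credential store of the kind cited in the Guidance Software and Twitter matters, beside a hardened form that stores only a salted scrypt hash, locks an account after repeated failures, refuses PII fields with no stated business need, and purges accounts past a retention window. Cost parameters, the allowed profile field, and the injectable clock are assumptions chosen for the example.

```python
"""Credential handling in line with the FTC principles listed above: no clear-text
secrets, a brute-force lockout, and PII held only while it is needed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Illustrative parameters (assumptions, not values from the presentation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # cost of the password hash
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5                      # lockout threshold
LOCKOUT_SECONDS = 15 * 60
ALLOWED_PROFILE_FIELDS = {"display_name"}    # the only PII this app has a need for


class InsecureStore:
    """'Before' form: the pattern cited in the Guidance Software and Twitter
    matters. Passwords sit in the clear and there is no attempt limit."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = password  # clear-text secret at rest

    def login(self, username, password):
        return self.users.get(username) == password  # unlimited guesses


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    last_active: float
    failed_attempts: int = 0
    locked_until: float = 0.0
    profile: dict = field(default_factory=dict)


class HardenedStore:
    """'After' form. `now` is an injectable clock so that lockout and retention
    behaviour can be exercised deterministically."""

    def __init__(self, now=time.time):
        self.users = {}
        self.now = now

    @staticmethod
    def _hash(password, salt):
        # Memory-hard KDF with a per-user salt; only the derived key is stored.
        return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                              p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=32)

    @staticmethod
    def password_acceptable(password):
        return len(password) >= MIN_PASSWORD_LENGTH

    @staticmethod
    def unneeded_fields(profile):
        # Data minimisation: PII the business has no stated need for.
        return sorted(set(profile) - ALLOWED_PROFILE_FIELDS)

    def register(self, username, password, **profile):
        if not self.password_acceptable(password):
            raise ValueError("password too short")
        if self.unneeded_fields(profile):
            raise ValueError(f"unneeded PII fields: {self.unneeded_fields(profile)}")
        salt = os.urandom(16)
        self.users[username] = UserRecord(salt, self._hash(password, salt),
                                          self.now(), profile=dict(profile))

    def is_locked(self, username):
        rec = self.users.get(username)
        return rec is not None and self.now() < rec.locked_until

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            self._hash(password, b"\x00" * 16)  # same cost as for a real user
            return False
        if self.is_locked(username):
            return False  # reject even the right password while locked out
        if hmac.compare_digest(self._hash(password, rec.salt), rec.pw_hash):
            rec.failed_attempts = 0
            rec.last_active = self.now()
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.failed_attempts = 0
            rec.locked_until = self.now() + LOCKOUT_SECONDS
        return False

    def purge_inactive(self, retention_seconds):
        """Retention: delete accounts, and the PII with them, once the business
        need has lapsed. Returns the usernames removed."""
        cutoff = self.now() - retention_seconds
        stale = sorted(u for u, r in self.users.items() if r.last_active < cutoff)
        for u in stale:
            del self.users[u]
        return stale
```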
Questions & Answers
Email: huynh_victor@allergan.com
www.linkedin.com/in/victorhuynh

  • 9. Impact of Regulatory Requirements Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 9 PaaS Access & Authentication SaaS Environmental Health Data SaaS Patient Health Data Implantable Device Physician Portal IaaS Servers, databases, application QSR, MDD, IVDD QSR, MDD, IVDD FTC Security HIPAA HIPAA QSR, MDD, IVDD ISO 13485 ISO 14971 ISO 13485 ISO 14971 ISO 13485 ISO 14971 ISO 80001 EU Data Protection FTC Security HIPAA Where is my data? Is it safe? Is it secret? Will it work? Covered Entity? Whoā€™s responsible? Is the data accurate? How to comply? How to manage risk? How to make it usable? How to deploy it fast? FTC Security
  • 10. Regulatory Environment for mHeath ā€¢ Medical Device Regulations o U.S. 21 CFR Part 820, 807, 803, etc. ā€¢ Mobile Medical Applications Guidance ā€¢ Postmarket Management of Cybersecurity in Medical Devices o EU Medical Device Directive MDD 93/42/EEC, IVDD 98/79/EC ā€¢ MHRA Medical Device Stand-alone Software Including Apps o CE Marking (EU and non-US markets) ā€¢ ISO 13485, Medical Device Quality Management System ā€¢ ISO 14971, Medical Device Risk Management ā€¢ ISO 80001, Application of Risk Management for IT-networks incorporating medical devices ā€¢ Data Privacy Regulations o FTC Security Principles for the Internet of Things, FTC Notice/Consent & Security o HIPAA Security Rules o EU Data Protection Directive 95/46/EC Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 10
  • 11. Challenges of mHealth Apps and Devices ā€¢ Consumersā€™ sentiment and likes o Strong initial uptakes but could fizzle (e.g., Pokemon Go) o Well liked until a poor update released (e.g., Fitbit vs. Edmodo) ā€¢ Security Breach on 6 oā€™lock news (e.g., Starbuck) ā€¢ Privacy Minefield (HIPAA, FTC, EU Data Protection, etc.) ā€¢ Device Safety and Device Regulations o Digital Marketing has no exposure to device regulations o Product R&D has no exposure to cybersecurity risks affecting device safety o Neither has knowledge of data privacy ā€¢ Poorly managed mHealth Program would impact brand image Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 11
  • 12. A Study of 211 mHealth Apps by JAMA Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 12 Source: JAMA, Privacy Policies of Android Diabetes Apps and Sharing of Health Information, March 8, 2016
  • 13. Overall Process for Effective Management of mHealth Development Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 13 Classification Risk Assessment Design Control Release Support Mgmt. ā€¢ Regulated mHealth App ā€¢ Direct Impact ā€¢ Indirect Impact ā€¢ EU Class I/II ā€¢ Non-Regulated mHealth App ā€¢ Non-R. mHealth ā€¢ Data Privacy ā€¢ Promotional ā€¢ R. mHealth ā€¢ Patient Safety ā€¢ Effectiveness ā€¢ 3rd Party ā€¢ Cybersecurity ā€¢ Data Privacy ā€¢ Promotional ā€¢ Non-R. mHealth ā€¢ SDLC ā€¢ Software Quality ā€¢ R. mHealth ā€¢ 3rd Party Controls ā€¢ SDLC ā€¢ Design Verification ā€¢ Design Validation ā€¢ Security Design ā€¢ Risk Mgmt. Plan ā€¢ R. mHealth ā€¢ Complaints ā€¢ CAPA ā€¢ 3rd Party Audits ā€¢ Etc.
  • 14. mHealth App Classification ā€¢ Statement of intended use is key (instruction, promotional materials, etc.) ā€¢ Georgraphical location is critical (U.S., EU, etc.) ā€¢ Participation from key stakeholders is essential o R&D / Product Development o Quality Assurance o Information Security / IT Compliance / IT Risk Management o Legal, Regulatory o Commercial / Digital Marketing ā€¢ Classification Framework o Based on MHRA and FDA Guidance Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 14
  • 15. mHealth Device App Classification (MHRA) Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 15
  • 16. mHealth App Classfication (FDA) Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 16 Not a Regulated mHealth App Control device? Analyze device data? Active patient monitor? Extend functionality of medical device? Provide diagnostic? Recommend treatment? Yes Yes Yes No Directly Regulated mHealth App No Help patients to self managed disease w/o treatment suggestion? Help patients to track, access, organize, interact with e-PHI? HCP interaction? Secondary display of device data? Indirectly Regulated mHealth App No No Yes No Yes Yes
  • 17. mHealth App Classification Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 17 EU Class II App EU Class I mHealth App US Directly Regulated mHealth App U.S. Indirectly Regulated mHealth App Complex IT eco-system? Yes Basic Design Control & Risk Management Framework ISO Self- certification ā€¢ 21 CFR Part 807 ā€¢ 21 CFR Part 812/814 ā€¢ 21 CFR Part 820 ā€¢ 21 CFR Part 803 ā€¢ 21 CFR Part 11 ā€¢ ISO 13485 ā€¢ ISO 14971 ā€¢ ISO 80001 ā€¢ EU MDD ā€¢ EU IVDD Self CE Marking ISO Self- certification CE Marking
  • 18. mHealth App Risk Management ā€¢ Risks to device safety and privacy ā€¢ Device safety also affected by cybersecurity and availability for complex ecosystem mHealth apps ā€¢ Leveraging key partners to identify, evaluate, and control risks: o Information Security for cybersecurity risks o IT Enterprise Architecture for technology risks o Legal / Compliance for data privacy risks o Quality / Compliance for 3rd Party risks ā€¢ Leveraging IT Enterprise Architecture to manage technology risks Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 18
  • 19. mHealth Risk Assessment & Management Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 19 Device Risk Management Plan Intended Use Hazards Identification Risk Evaluation Risk Controls Standard ISO 14971 Device Risk Management Framework IT Security Threats Vectors / Vulnerabilities Security Risk Evaluation FTC Security Guide / Doctrine HIPAA Security Rules* IT Risk Management Plan Technical / Quality Agreement Cloud Service Provider Risk Controls FDA Cybersecurity Guidance Standard ISO 80001 IT-network Risk Management Framework Device Design Controls and Quality System External Compliance Requirements IT Risk Management & Quality System
  • 20. Example of Security Risk Evaluation Matrix Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 20
  • 21. Design Controls for Regulated mHealth App ā€¢ More about software and security than traditional medical devices ā€¢ Leverage IT expertise to build and deploy successful regulated mHealth App o IT Enterprise Architecture ā€“ technology to support the current and growth of the app o Information Security ā€“ risk identification, vulnerability assessment, and technical controls to safe guard the app and userā€™s data ā€¢ Use internal Quality Agreement / Technical Agreement to allow inclusion of IT activities into Design Controls Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 21
  • 22. Medical Device Quality System Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 22 Management Control CAPA & Device Reporting, Tracking Production & Process Control Facility & Equipment Control Records & Change Control Material Control Design Control ā€¢ General Requirements ā€¢ Design & Development Planning ā€¢ Design Input ā€¢ Design Output ā€¢ Design Review ā€¢ Design Verification ā€¢ Design Validation ā€¢ Design Changes ā€¢ Design Transfer ā€¢ Design History File Applicable for Regulated mHealth Apps based on classification and risks
  • 23. Design Control for Regulated mHealth Apps Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 23 Design Input Design Output Design Review Design Verification / Validation Design Design Transfer Standard ISO 13485 Medical Device Quality System / Design Controls Security Technical Standards Security / EA Technical Review Security Vulnerability Code Scanning App Store Deployment Quality Agreement between IT and Device Design Control Enterprise Architecture Standards IT Infrastructure Standards Based on the framework and principles of ISO 80001 and ISO 27001
  • 24. Data Privacy ā€¢ Involvement of Legal and Privacy Office ā€¢ Important of Data Flow Mapping to identify PII and PHI ā€¢ HIPAA authorization from Covered Entities for PHI data ā€¢ FTC legal authority to regulate app security under unfairness doctrine (unfair or deceptive practices by business) Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 24
  • 25. Data Privacy and mHealth Apps Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 25 PaaS Access & Authentication SaaS Environmental Health Data SaaS Patient Health Data Implantable Device Physician Portal IaaS Servers, databases, application Userā€™s Personal Identifiable Information Patient Health Information FTC Regulates under Unfairness Doctrine* * FTC v. Wyndham Worldwide Corp. ā€“ court affirmed FTCā€™s juridiction to regulate data security. FTC notice / consent & security FTC notice / consent & security FTC notice / consent & security HIPAA BA HIPAA BA HIPAA Authorization
  • 26. Data Privacy ā€“ FTC Security Principles ā€¢ Start with Security by Design o Donā€™t Collect PII if not needed o Hold on to PII only as long as legimitate business needs ā€¢ Control Access to PII o Restrict access to employees and limit admin access ā€¢ Use Secure Passwords and Authentication o Complex passwords, keep passwors secured o Guarding against brute force attack / authentication bypass ā€¢ Secure PII in transit and at rest with industry-tested methods ā€¢ Segmentation and monitoring network ā€¢ Secure remote access to network ā€¢ Train developers in current secured coding / practices ā€¢ Include security in 3rd Party Contracts and audit for compliance ā€¢ Have information security SOPs and dispose PII securely 26
  • 27. Examples of FTC Enforcement under Unfairness Doctrine ā€¢ FTC v. RockYou (collections of PII during registration not demonstrated by business need and store PII in clear text) ā€¢ FTC v. Guidance Software (store user credentials in clear text) ā€¢ FTC v. Twitter (failure to guard against bruce force attack) ā€¢ FTC v. Twitter (almost all employees has admin access) ā€¢ FTC v. Twitter (no security policy prohibited employees from storing admin passwords in plain text in personal email accounts) ā€¢ FTC v. Fandago (improper use of SSL encryption in mobile app) ā€¢ FTC v. Upromise (failure to audit 3rd party developer for compliance) Nov. 16, 2016 2nd Annual Life Science Mobile Medical Apps Summit 27
  • 28. Questions & Answers Nov. 16, 2016 28 Email: huynh_victor@allergan.com 2nd Annual Life Science Mobile Medical Apps Summit www.linkedin.com/in/victorhuynh
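The password-handling principles on slide 26 (keep passwords secured, guard against brute force) and the clear-text credential cases on slide 27 (Guidance Software, Twitter) map onto a few concrete controls. The following is an added example, not code from the presentation or from any organization named in it: a minimal credential store that salts and stretches passwords with PBKDF2-HMAC-SHA256, compares digests in constant time, locks an account after repeated failures, and includes an audit check that a dump of the record would not expose the password. The class name, the failure threshold and the lockout window are this example's own assumptions.

```python
"""Added example, not part of the presentation: a minimal credential store that
applies the FTC principles on slide 26 (keep passwords secured, guard against
brute force) and avoids the clear-text credential storage cited in the slide 27
cases (Guidance Software, Twitter). Class and constant names are this example's
own, and the lockout thresholds are assumptions to be tuned per app.
"""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5       # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60     # assumption: 15-minute lockout window
DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


class CredentialStore:
    """In-memory user store; a real app would persist the same fields."""

    def __init__(self, iterations=DEFAULT_ITERATIONS, clock=time.time):
        self._iterations = iterations
        self._clock = clock        # injectable so lockout expiry can be tested
        self._records = {}         # username -> {salt, digest, failures, locked_until}

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Salted, slow hash: a stolen table cannot simply be read back into passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)      # per-user random salt
        self._records[username] = {
            "salt": salt,
            "digest": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, username: str) -> bool:
        rec = self._records.get(username)
        return rec is not None and self._clock() < rec["locked_until"]

    def verify(self, username: str, password: str) -> bool:
        """Return True only for a correct password on an unlocked account."""
        now = self._clock()
        rec = self._records.get(username)
        if rec is None:
            # Spend the same KDF cost for unknown users so response time does
            # not reveal which usernames exist.
            self._derive(password, b"\x00" * 16)
            return False
        if now < rec["locked_until"]:
            return False           # brute-force guard: locked accounts never verify
        if rec["locked_until"] and now >= rec["locked_until"]:
            rec["failures"], rec["locked_until"] = 0, 0.0   # lockout expired; start fresh
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):   # constant-time compare
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return False

    def stores_plaintext(self, username: str, password: str) -> bool:
        """Audit check: would a dump of this record expose the password?"""
        rec = self._records[username]
        return password.encode("utf-8") in (rec["salt"] + rec["digest"])


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")   # constructed sample user
    print("valid login:", store.verify("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.verify("alice", "wrong guess")
    print("locked after repeated failures:", store.is_locked("alice"))
    print("plaintext recoverable from record:",
          store.stores_plaintext("alice", "correct horse battery staple"))
```

The lockout counter is the control that the Twitter brute-force finding concerns; a production deployment would keep the same fields in a database and add rate limiting per source address as well as per account. The `stores_plaintext` check is what a reviewer would run against a real record dump to confirm the Guidance Software failure mode is absent.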