Just as the Food and Drug Administration recommends that medical device makers build security into their products' development lifecycles to help protect safety, so too must makers of internet of things devices implement health data protections, says regulatory attorney Elliot Golding.
"We're seeing an explosion in the use of internet connected devices in the medical context, and a lot of people have been pointing to the security issues associated with that," says Golding of the law firm Squire Patton Boggs.
While medical devices fall under the regulatory scope of the FDA, consumer-oriented IoT devices that handle health data - but aren't used to treat or diagnose patients - fall under the increasing regulatory scrutiny of other agencies when it comes to security-related issues, he says.
"The Federal Trade Commission has issued specific guidance on this - they are really looking at companies at each stage of a product development life cycle to be thinking about privacy and security issues," he says in an interview with Information Security Media Group. "Does the device really need this data? Are we telling people what we're collecting [and] making it clear and getting [consumer] consent if necessary?"
All these factors must be carefully considered during product development, Golding says. "If you rush something to market that is not safe or secure, or doesn't have appropriate privacy controls in place, it doesn't matter if you're first [to market] if the regulators come knocking at your door ... saying you have an unfair, deceptive trade practice."
If an IoT device is handling health information, Golding recommends taking extra precautions when it comes to collecting data. "You probably want to obtain [consumer] consent in more cases," he advises.
In the interview, Golding also discusses:
- Emerging security and privacy concerns involving IoT devices;
- What's on the regulatory horizon for IoT security issues;
- Circumstances when medical device makers could potentially be liable as a business associate under HIPAA.
Golding is a partner in the data privacy and cybersecurity group of the law firm Squire Patton Boggs, based in Washington. He advises a wide range of clients, with a particular focus on companies that handle health information or work with healthcare organizations. Golding also co-chairs the E-privacy Committee within the American Bar Association Section of Science and Technology Law.