
Polsinelli - Health Care Technology


August 2015


Mobile Health Devices and Cybersecurity: Federal Guidance for Management of Threats in Medical Devices








For more information about this e-Alert, please contact:


Kathryn T. Allen




Lauren Z. Groebe



New Technology = New Threats

With new technology comes new security concerns. But when that new technology is in the medical field, the cybersecurity vulnerabilities can be particularly devastating.

The Department of Homeland Security is currently investigating two dozen medical devices and other pieces of health technology equipment for potential cybersecurity vulnerabilities. In the wake of Shellshock and Heartbleed, two widely publicized software vulnerabilities that affected hospital computer systems around the country, the health care community is especially sensitive to cybersecurity breaches and the vast financial and reputational damage such breaches can cause.

mHealth – the Positives and Negatives

Mobile medical health ("mHealth") is the generation, aggregation and dissemination of health information through mobile and wireless devices. Such devices (like medication infusion pumps or implantable heart devices) benefit patients because they allow around-the-clock monitoring of the patient's health without tethering the patient to a clinical setting. However, industry watch groups have long warned that cybercriminals could take over such devices and extract valuable health data stored in them or, worse, cause actual harm to patients.

While there haven't been any documented breaches to these types of devices thus far, it is clear that mHealth devices pose particular security concerns for patients, health care providers and manufacturers. Cybersecurity vigilance, oversight and appropriate management are the best ways to reduce the risk to patients and health care providers by decreasing the likelihood that device functionality is intentionally (or unintentionally) compromised.

FDA Guidance

In response to these particular concerns, the Food and Drug Administration ("FDA"), which regulates the sales of mHealth devices, recently released guidance for both the manufacturers and users of such devices. Although the guidance sets forth only voluntary standards, companies wishing to minimize potential liability in enforcement actions and/or civil litigation should take notice. The FDA's standards are viewed by many industry observers as the new benchmark against which personal health information ("PHI"), breach-preparedness and response efforts may be measured. Failing to analyze the best practices and proactively implement applicable standards may leave health care companies and manufacturers open to accusations from regulators, class action plaintiffs and even shareholders for failing to satisfy this new standard of care.

For Manufacturers - The FDA recommends that medical device manufacturers consider the following cybersecurity framework to guide their cybersecurity activities:

1. Identify and Protect
The extent to which security controls are needed depends on the device's intended use, the type of data it collects, where it is used (for example, outside of a health care facility), who accesses it, and the risk of patient harm from a cybersecurity breach.

Limit Access to Trusted Users Only

  • Limit access to devices through the authentication of users (e.g. user ID and password, smartcard, biometric)
  • Use automatic timed methods to terminate sessions within the system where appropriate for the use environment
  • Where appropriate, employ a layered authorization model by differentiating privileges based on the user role (e.g. caregiver, system administrator) or device role

Ensure Trusted Content

  • Restrict software or firmware updates to authenticated code (e.g. code signature verification)
  • Use systematic procedures for authorized users to download software and firmware updates from the manufacturer
  • Ensure capability of secure data transfer to and from the device, and when appropriate, use methods for encryption

2. Detect, Respond and Recover

  • Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use
  • Develop and provide information to the end users concerning appropriate actions to take upon detection of a cybersecurity event
  • Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised
  • Provide methods for retention and recovery of device configuration by an authenticated, privileged user

For Health Care Providers - The following are the types of documentation that a health care provider can request from a manufacturer to help judge the efficacy of the manufacturer's management and implementation of a quality cybersecurity control system:

  • Design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device, including:
    • A specific list of all risks that were considered in the design of the device
    • A specific list and justification of all cybersecurity controls that were established for the device
  • A matrix that links the actual cybersecurity controls to the risks that were identified
  • A summary of the manufacturer's plan for providing validated software updates and patches over the lifecycle of the device (to ensure its safety and efficacy)
  • Summary of controls that are in place to assure device software will maintain its integrity (e.g. withstand malware)
  • Device instructions and product specifications related to cybersecurity controls (e.g. anti-virus software, use of firewall)

And because no device is foolproof, health care providers and manufacturers should review and reevaluate their cyber insurance policy each year; doing so can help protect them from bearing large fines entirely on their own if a breach occurs and HIPAA penalties are levied.

For More Information

Managing privacy, data security and cybersecurity effectively as a health care provider or medical device manufacturer can be difficult given the seemingly endless onslaught of new regulations and regulatory guidance. Polsinelli's team of health care regulatory, health care technology and privacy and data security professionals can help you manage your risk from both the technical and regulatory perspectives. To learn more about our Health Care Technology practice, or to contact one of our attorneys, click here.

  • Kathryn T. Allen | 816.572.4884
  • Lauren Z. Groebe | 816.572.4588






























Copyright © 2015 Polsinelli PC.
