Recent reports indicate that Food and Drug Administration (FDA) plans to build a digital health unit within and assign a number of digital scientists to the Center for Devices and Radiological Health. The digital health unit addresses the proliferation of digital technology and software being used in the medical community, specifically in medical devices. As connected medical technology grows well beyond digital step counters and heart rate monitors, FDA has reacted with greater interest and regulation. The pace of technology in this area has accelerated with the advent of cloud computing and viable artificial intelligence. Companies are now offering highly sophisticated medical devices with technology to promote individualized health outcomes and to aid in self-monitoring. Health care institutions leverage patient data and artificial intelligence to identify new health care risks, make diagnoses and provide better healthcare services. These types of tools are something that FDA has been aware of and has taken an interest in, but it has struggled to keep pace. FDA’s Digital Health Program, “which seeks to better protect and promote public health and provide continued regulatory clarity,”[1] and staffing additions look to change that.    

Why is this important? Digital healthcare is a growing area of interest and concern for the medical device industry, medical professionals, patients and lawmakers, especially with respect to cybersecurity. The staffing ramp-up shows FDA’s commitment to digital health and finding individuals who have the knowledge and capability to address the ever-growing web of concerns related to the use of sophisticated software in medical devices.

This is not to say that FDA has not been interested in the use of software in medical devices in the past. In fact, FDA has published a number of guidance documents related to the topic. For example, in December 2016, FDA issued a final guidance to industry relating to the post-market management of cybersecurity in medical devices. The guidance addresses FDA’s recommendations for managing the cybersecurity of medical devices that are being marketed and distributed. According to the FDA Voice, the best way to combat the ongoing cybersecurity threats to medical devices “is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device. In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” This final guidance is coupled with a final guidance published in October 2014 relating to premarket considerations for the management of cybersecurity.

The topics at issue in these guidance documents make clear FDA’s concerns about protecting patients and users of medical devices containing digital technology. FDA is not the only agency taking notice of the proliferation of digital technology in the medical device space. The Federal Trade Commission (FTC) has made tools available to mobile health app developers to help them understand the regulatory framework(s) under which they are operating, including HIPAA, the FTC Act and the FD&C Act.

While regulators are continuing to shift their focus to these types of devices and how to best regulate in this area, developers must find solutions that are viable within the regulatory scheme and amenable to intellectual property protection to secure their market position. Given that so many connected medical devices are software-driven, the Supreme Court’s Alice decision has made it more challenging to obtain patent protection for software alone. Likewise, concepts of indirect infringement have been viewed narrowly, increasing the importance of protecting novel aspects of such devices implemented by a single actor. Since connected devices involve not only novel structures and processes but also creative expression in terms of the software code and in the interfaces and devices, developers will find that layered intellectual property protection schemes that combine not only utility patents but also design patents, copyrights and, where applicable, trade secret protection provide the best opportunity to maintain exclusive rights in such devices. When data structures are involved, provisions of the Digital Millennium Copyright Act provide additional rights relating to access controls that may be used to address unauthorized attempts to access data, along with the protections provided by other data privacy schemes.

Protection of product innovation and anticipation of regulation are two important considerations in the development of digital medical devices or applications. Developers should consider not only how best to protect patients who use their devices from threats like cyberattacks but also how their innovations will fit within the FDA’s regulatory scheme and how to protect the innovations used in the new healthcare technology landscape through intellectual property law. BakerHostetler’s upcoming webinar titled “Medical Device Connectivity: HIPAA, FDA and IP Considerations” addresses those very issues concerning not only regulators but also those developers entering the uncharted territory of medical devices in the digital age.

[1] FDA, Digital Health Program,