
FDA Regulation: Ensuring the Safety & Security of Medical Mobile Apps

Posted by Amy Schurr, Content Marketing Director

Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

Mobile health (mHealth) apps revolutionize healthcare delivery and transform patient outcomes. mHealth apps empower patients to better manage their health by providing personalized monitoring, tracking and therapeutic support, all from the convenience of their mobile apps. 

Buoyed by the COVID-19 pandemic and the rise of remote patient monitoring, there are now more than 350,000 health apps found in app stores worldwide. The GlobalData ‘Regulated mHealth Apps’ report forecasts the regulated medical apps market to reach $156 billion in 2033. 

As demand for mHealth apps continues to climb, threats to mobile application security, privacy and compliance also grow. IoT mobile apps connected to medical devices to measure heart rate, blood pressure and glucose levels collect and transmit a plethora of personal medical information. The broad threat landscape puts sensitive patient data at risk. In addition to compromising privacy, mobile application security vulnerabilities can jeopardize patient safety, propagate false or malicious data, trigger legal consequences and regulatory fines and tarnish brand reputation.

The U.S. Food & Drug Administration (FDA) regulates mobile medical apps to protect patients and ensure the apps meet high standards of safety, effectiveness and security. When medical devices have a mobile app, the FDA considers the cybersecurity posture of the mobile app as an important part of the medical device review and approval process. 

“You cannot have a safe and effective device if you don’t have a cybersecure device,” said Jessica Wilkerson, a senior cybersecurity policy advisor and medical device cybersecurity team lead for the FDA, in a recent UCSF-Stanford Center for Excellence in Regulatory Science and Innovation (CERSI) seminar. “We’ve seen this over and over again with the ransomware incidents in hospitals that have created issues for medical device cybersecurity and safety. We’ve seen this with the cybersecurity vulnerabilities specific to medical devices that, if exploited, could lead to patient harm. So this is not really a question, but it is a fact: You must have a cybersecure device to have a safe and effective device.”


What Are Mobile Medical Apps?

According to FDA policy, the key distinction in whether an mHealth app is subject to FDA regulations lies in the mobile app’s intended use and its potential impact on patient safety. Certain mHealth apps and other software that transform a mobile platform into a regulated medical device, or that function as an accessory to a medical device, fall under FDA oversight. The FDA defines these as mobile medical apps.

Mobile medical apps are those intended for use in the diagnosis, cure, mitigation, treatment or prevention of disease:

  • Diagnostic apps that analyze medical data or images
  • Patient monitoring apps that track health parameters and provide feedback
  • Therapeutic apps that recommend treatment for specific conditions
  • Medical device accessories that connect to and control medical devices

Among the many mobile medical apps available, popular apps for patient monitoring include:

  • Accu-chek Connect
  • Asthma+me
  • BreatheSmart
  • ECK Check
  • Livongo
  • mySugr
  • Optum Telehealth
  • ProAir Digihaler
  • Samsung Health

Mobile app developers must implement strong cybersecurity measures to obtain pre-market approval of mobile medical apps prior to release and may undergo post-market surveillance after a major update. 

The FDA reserves the right to exercise enforcement discretion for other types of mobile medical apps that pose low risk to patients. Examples include apps that provide general health information, tools to help users manage their apps and apps that assist patients with maintaining a healthy lifestyle. 

Medical device makers seeking regulatory approval of mobile medical apps must submit evidence demonstrating the mobile app’s safety and effectiveness. These requirements include cybersecurity measures to protect patient data and uphold app integrity. For example, developers can expect to apply secure by design principles and secure coding practices such as encryption and code hardening to guard against code tampering and reverse engineering.

Many mHealth Apps Fall Short on Security

Despite the sensitive nature of mobile medical apps and mHealth apps in general, a NowSecure mobile security benchmark report shows mobile apps have several security and privacy shortcomings. We tested thousands of mobile apps against OWASP Mobile Application Security Verification Standard (MASVS) requirements. OWASP MASVS sets a minimum security and privacy bar for mobile security professionals and developers to follow when building and testing mobile apps.

As part of the benchmark, we tested a group of more than 600 mHealth apps that included many mobile medical apps. Our vertical industry benchmark testing found that 95% of healthcare apps failed one or more OWASP MASVS checks, putting organizations at significant risk of data breaches and leaks.

Among the healthcare-specific findings, 55% of mHealth apps had insecure network connections, 49% suffered from insecure platform interaction, 48% had insecure code quality issues and 43% had insecure storage. The results demonstrate the need to upskill mHealth app developers in secure coding practices and to perform continuous mobile application security testing throughout the software development lifecycle to find and fix security, privacy and compliance issues prior to release. (Check the NowSecure MobileRiskTracker to see the current risk profile for sets of industry apps.)

How NowSecure Can Help

The FDA doesn’t explicitly specify what is needed to obtain cybersecurity approval of a mobile app, which gives the agency more discretion and latitude in the review process. The implication for vendors embarking on the review process is that the probability of being approved is directly related to the depth and detail of the cybersecurity analysis data submitted to the FDA.

NowSecure can help businesses achieve and maintain FDA approval for mobile medical apps. NowSecure Academy offers free self-paced online courses to train developers and security analysts on mobile security practices. NowSecure Platform automated mobile AppSec testing enables DevSecOps teams to find and fix security and privacy issues prior to release and to monitor for any changes to the app that could introduce risk. NowSecure Platform comprehensive testing generates detailed reports with the evidence necessary to demonstrate that mobile apps are secure and comply with industry standards.