Meeting FDA Requirements for BLE Mobile Medical Apps: Webinar

Randy Horton
Meeting FDA Requirements for Bluetooth Mobile Medical Apps Webinar Sep 20 2023

Despite a lack of specific guidance and constantly evolving standards, mobile medical apps and their companion Bluetooth Low Energy (BLE)-enabled medical devices consistently make it through the FDA clearance process. Manufacturers obtain clearance for their apps by meeting the FDA’s requirements for mobile platform compatibility, cybersecurity and other domains. What are those requirements, how do you fulfill them, and how do you maintain device safety and effectiveness when mobile platforms and cybersecurity threats inevitably evolve?

Orthogonal and MedSec hosted a webinar on September 16th as part of our joint Bluetooth Low Energy for Medical Devices Webinar Series. Bernhard Kappe, Orthogonal’s CEO and Founder, and Buddy Smith, MedSec’s Director of Technical Consulting, shared insights and experiences gained from preparing mobile medical apps connected to BLE medical devices for FDA submission. The webinar was moderated by Randy Horton, Chief Solutions Officer at Orthogonal.

Key Takeaway Points

1. The FDA, in their mandate to foster safety and innovation, takes a cautious approach to reviewing new devices and new technologies in devices, especially devices and technologies that break new ground.
2. Cybersecurity has become a much bigger focus for the FDA in recent years; the final version of their guidance on cybersecurity was just published, and they recently received additional statutory authority from Congress to oversee medical device cybersecurity. Today, the FDA often asks more cybersecurity-related questions in pre-submissions than they did just a few years ago, which can impact the overall time that it takes to go through the submissions process.
3. To meet the FDA’s cybersecurity requirements for Bluetooth-enabled medical devices and their companion mobile medical apps, a device manufacturer can’t assume that Bluetooth on its own is secure enough. Instead, the mantra needs to be, “Trust, but verify.” Manufacturers will need to implement security outside of the Bluetooth layer, including encryption at rest and encryption in transit; detect jailbroken phones and decide which parts of the app should be allowed to run, if any; identify security holes in third-party apps that live on the user’s smartphone; and establish trusted communication with SDKs.
4. To meet the FDA’s validation requirements, it’s recommended to take a risk-based approach. Manufacturers should look at where actual patient and cybersecurity risk exists, and make sure to test for those scenarios. Manufacturers should do activities such as testing frequently and in a variety of environments; running penetration tests on the entire system at least every 12 months; and scoping their threat modeling broadly.
5. It’s important not to lose sight of the patient experience when trying to meet regulations. Patient satisfaction is a critical aspect of device success.
6. It’s common for patients with comorbid conditions to use multiple apps for treatment (e.g., an app to manage blood glucose and an app to monitor hypertension). When the configuration parameters required by one app conflict with those of the other (e.g., whether automatic updates should be turned on or off), it can create unforeseen issues for patient satisfaction. Such conflicting operating-system-level configuration requirements have even been seen in different apps from the same device manufacturer.
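Takeaway 3 calls for encryption in transit above the Bluetooth layer rather than trust in link-layer pairing alone. The Go sketch below is an added illustration, not code from the webinar, Orthogonal or MedSec: an application-layer authenticated-encryption wrapper for a device-to-app characteristic stream, with a counter that lets the app reject replayed, stale or tampered frames and bind each frame to one device identity. The frame layout, key and device identifier are constructed for the example; a real system would derive per-session, per-direction keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Endpoint protects one direction of a BLE characteristic stream at the
// application layer, so confidentiality, integrity and replay protection do
// not rest on link-layer pairing alone. Constructed frame layout (not a
// standard): 4-byte big-endian counter || AES-GCM ciphertext+tag.
type Endpoint struct {
	aead     cipher.AEAD
	sendCtr  uint32
	lastRecv uint32 // highest counter accepted; anything <= it is a replay
	devID    []byte // associated data: binds frames to one device identity
}

// NewEndpoint takes a 16, 24 or 32 byte key; use one key per direction so a nonce is never reused.
func NewEndpoint(key, devID []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Endpoint{aead: aead, devID: devID}, nil
}

func (e *Endpoint) nonce(ctr uint32) []byte { // 12-byte GCM nonce from counter
	n := make([]byte, e.aead.NonceSize())
	binary.BigEndian.PutUint32(n[8:], ctr)
	return n
}

// Seal encrypts and authenticates one outbound message under the next counter.
func (e *Endpoint) Seal(msg []byte) []byte {
	e.sendCtr++
	frame := make([]byte, 4, 4+len(msg)+e.aead.Overhead())
	binary.BigEndian.PutUint32(frame, e.sendCtr)
	return e.aead.Seal(frame, e.nonce(e.sendCtr), msg, e.devID)
}

func (e *Endpoint) Open(frame []byte) ([]byte, error) { // rejects short, replayed or tampered frames
	if len(frame) < 4+e.aead.Overhead() { return nil, errors.New("frame too short") }
	ctr := binary.BigEndian.Uint32(frame[:4])
	if ctr <= e.lastRecv { return nil, errors.New("replayed or stale frame") }
	pt, err := e.aead.Open(nil, e.nonce(ctr), frame[4:], e.devID)
	if err != nil { return nil, errors.New("authentication failed") }
	e.lastRecv = ctr // advance only after the tag verifies
	return pt, nil
}
```

A pairing-level attacker who captures a frame cannot re-inject it: the counter check refuses it before decryption, and any modified byte fails the GCM tag.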

Bernhard Kappe, CEO and Founder, Orthogonal

Bernhard Kappe is the Founder and CEO of Orthogonal. For over a decade, Bernhard has provided thought leadership and innovation in the fields of Software as a Medical Device (SaMD), Digital Therapeutics (DTx) and connected medical device systems. As a leader in the MedTech industry, Bernhard has a passion for launching successful medical device software that makes a difference for providers and patients, as well as for helping companies deliver more from their innovation pipelines. He’s the author of the eBook Agile in an FDA Regulated Environment and a co-author of the AAMI Consensus Report on cloud computing for medical devices. Bernhard was the founder of the Chicago Product Management Association (ChiPMA) and the Chicago Lean Startup Challenge. He earned a Bachelor’s and a Master’s in Mathematics from the University of Pennsylvania, and a Bachelor of Science in Economics from the Wharton School of Business.

Buddy Smith, Director of Technical Consulting, MedSec

Buddy Smith is a security engineer focused on protecting electronic devices from attack. He has an extensive background in firmware development, bringing his passion for embedded development to the security world. In his 15 years of experience, Buddy has worked in cryptography, hardware design, firmware engineering, and information security. In his role at MedSec, he has supported clients with regulatory filings, performed penetration tests of devices and created threat models for systems, from long-lived implantable devices to bedside infusion pumps.

Buddy holds a Bachelor of Science in Computer Engineering from the Georgia Institute of Technology, and is an Offensive Security Certified Professional. He is also an IEEE Senior Member.

Randy Horton, Chief Solutions Officer, Orthogonal

Randy Horton is Chief Solutions Officer at Orthogonal, a software consulting firm that improves patient outcomes faster by helping MedTech firms accelerate their development pipelines for Software as a Medical Device (SaMD), digital therapeutics (DTx) and connected medical device systems. Orthogonal makes that acceleration happen by fusing modern software engineering and product management tools and techniques (e.g., Agile, Lean Startup, User-Centered Design and Systems Thinking) with the regulated focus on device safety and effectiveness that is at the heart of MedTech.

Horton serves as Co-Chair for AAMI’s Cloud Computing Working Group, as well as AAMI CR:510(2021) and the in-process Technical Information Report #115, all of which address how to safely move medical device computing functions into the cloud. He is a frequent speaker at conferences and webinars, including events hosted by AdvaMed, AAMI, HLTH, RAPS and the Human Factors and Ergonomics Society (HFES).
