The Food and Drug Administration’s recent guidance on mobile medical applications illustrates the FDA’s growing efforts to address emerging cybersecurity issues that affect patient safety. The guidance, issued in February 2015, announces the FDA’s intent to regulate as medical devices certain mobile medical apps that doctors use to diagnose and monitor patient health. While the guidance provides much-needed clarity and predictability for mobile app developers and manufacturers, it leaves some questions open, and, given how rapidly the technologies are evolving, it is unlikely to be the last guidance the FDA issues on cybersecurity and medical devices.

In October 2014, the FDA issued related guidance addressing the management of cybersecurity in medical devices. The FDA recommended that developers and manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA describing those risks and the controls in place to mitigate them. The FDA also asked developers and manufacturers to describe their plans for providing updates and patches to the operating systems and software on which such devices depend.

The February guidance builds on the October guidance by announcing the FDA’s intention to treat certain mobile medical apps as medical devices. Apps that the FDA intends to regulate under the February guidance will have to go through the normal FDA premarket review processes, including premarket clearance or approval, labeling review, and medical device reporting for adverse events. The guidance separates mobile medical apps into three categories:

  • Mobile apps that are considered medical devices, and which the FDA intends to regulate
  • Mobile apps that may be considered medical devices, but which the FDA does not intend to regulate
  • Mobile apps that could be used in a health care environment, but are not considered medical devices by the FDA

Whether or not a mobile medical app will be subject to FDA regulation depends on the app’s intended use. Specifically, the guidance notes that the FDA will focus its oversight on mobile apps that either are meant to be used as an accessory to a regulated medical device or are intended to transform a mobile platform into a regulated device. In other words, the guidance explains that “if a mobile app is intended for use in performing a medical function (i.e., for diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease) it is a medical device [subject to FDA regulation], regardless of the platform on which it is run.”

The FDA is primarily interested in regulating mobile apps whose functionality could pose a risk to a patient’s safety if the app does not function appropriately. Examples of mobile apps that the FDA considers to be medical devices include apps that control infusion pumps, calibrate hearing aids, control cochlear implants, connect to cardiac monitors and transfer data to a central platform, display images for diagnostic review, or connect to a perinatal monitoring system for remote monitoring of labor.

Though app manufacturers and developers should take steps to determine whether their apps will be subject to FDA regulation, most mobile apps will likely not be regulated. This is because the apps either do not meet the FDA’s current definition of a mobile medical app, or they fall into a category in which the FDA intends to exercise enforcement discretion. Because the FDA is particularly concerned with mobile apps that transform a mobile platform into a regulated medical device by using attachments, display screens, sensors, or similar means, it intends to regulate only that subset of apps. In this way, the guidance illustrates the FDA’s ongoing effort to balance its growing concern about cybersecurity issues that affect patient safety against its intent to regulate only those technologies that turn a mobile platform into a medical device.

The convergence of regulations surrounding mobile apps can be complex. A single mobile platform could be used in a clinical setting with a variety of apps, some of which transform it into a medical device and others of which do not. Further, in light of the FDA’s prior cybersecurity guidance, mobile apps that are not ultimately regulated as medical devices may still attract FDA attention if they pose cybersecurity risks in the health care setting. Apps that offer data storage or data delivery services may be pulled into the FDA clearance process if they connect with medical devices. The FDA’s recent guidance signals the agency’s attempt to manage the evolving and increasingly complex role that technology plays in the health care industry. As the FDA refines its cybersecurity guidance, mobile app developers and manufacturers should begin to consider the costs and risks of regulation.

Ballard Spahr’s Privacy and Data Security Group monitors legislative and regulatory developments at both the federal and state levels and can assist with establishing or enhancing cybersecurity programs. Attorneys in the firm’s Life Sciences and Technology Group counsel frontline businesses engaged in innovation, development, and commercialization activities, and the institutions that support them.

If you have questions on the latest FDA guidance, please contact Philip N. Yannella at 215.864.8180, John W. Devine at 215.864.8322, or Kimberly W. Klayman at 215.864.8792.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
