The U.S. Food and Drug Administration's warning to healthcare organizations to stop using a line of infusion pumps because of cybersecurity flaws is only one of the regulatory developments affecting medical device makers and pharmaceutical firms, attorney Anna Spencer says in an interview with HealthcareInfoSecurity.
Still, the agency sent "a very powerful message to the industry" to be more focused on risk management, says Spencer, a partner and team leader for health information policy in Sidley Austin LLP's healthcare and privacy, data security and information law practices.
At the same time, companies also must grapple with how to apply older laws to the use of new technology, she adds.
"There are some really exciting new technologies, like the Internet of Things," Spencer says. "Experienced privacy and data security professionals are thinking through the ... issues early on in product development, which is really important to avoid major problems down the road. There's not a lot of guidance on how the federal privacy standards, HIPAA, and other privacy laws at the state and federal levels apply in this context. So it can be really challenging to navigate the legal issues."
The Department of Health and Human Services' Office for Civil Rights plans to seek comments in December on a proposal in which any individual harmed by a HIPAA violation would receive a percentage of any penalty collected by the government, she says. This would provide a powerful incentive for people to bring complaints to OCR about possible HIPAA violations. Such a practice would lead to even more enforcement.
The Internet of Things used in healthcare could have an economic impact ranging from $170 billion to $1.7 trillion a year, McKinsey & Co. reported recently.
One software group has been lobbying Congress for a clear legal framework for accessing confidential data so IoT technology and mHealth tools can move forward more quickly and efficiently while ensuring consumer privacy.