Updates are Not Available : FDA Regulations Deter Manufacturers from Quickly and Effectively Responding to Software Problems Rendering Medical Devices Vulnerable to Malware and Cybersecurity Threats
Many medical devices contain proprietary or off-the-shelf software, which the device relies on for its operation. Like most software, this software often contains errors and vulnerabilities that may lead to malfunction or failures either as a result of the error itself or due to malware infection or cybersecurity threats. Software errors and vulnerabilities are commonly addressed through software updates; however, manufacturer approval and issuance of updates for software on medical devices is often hindered by the confusion over regulatory requirements. This Article analyzes the regulations applying to software updates on medical devices that have been approved through premarket application, 510(k) clearance, or alternatively as a combination product. There are three obligations when issuing a software update for a medical device: (1) reporting obligation, (2) whether to resubmit for 510(k) clearance or file a PMA supplement, and (3) quality system obligation to verify and validate the update. Not all software updates will engage the first two types of obligations and require FDA approval or clearance, such as anti-virus security patches. However, due to the expense to manufacturers to even fulfill the quality system obligations, there is an imminent need to clarify the process for issuing updates and also when updates must be made. This Article describes detailed recommendations for clarifications to the current regulations to assist manufacturers in determining their specific obligations. Additionally, this Article explores the difficult problem of determining what level of software vulnerability is acceptable in a medical device, particularly when dealing with malware and cybersecurity threats. This Article further explores the software update issues that arise in the context of mobile medical applications (e.g., smartphone or tablet apps) that are regulated as medical devices.
In general, mobile medical applications run on restrictive platforms which device manufacturers have relatively little control over. This Article highlights the difficulties that will arise in regulating such mobile medical applications in the same manner as other medical devices and stresses the need to clarify the device manufacturers' obligations for preventing users from using the application on unapproved hardware models or operating system versions.
Year of publication: | 2013 |
---|---|
Authors: | Williams, Kristy L. |
Publisher: | [S.l.] : SSRN |
Subject: | Regulation; Data security; Software |
Extent: | 1 online resource (48 p) |
Type of publication: | Book / Working Paper |
Language: | English |
Notes: | In: Wake Forest Intellectual Property Law Journal. According to SSRN, the original version of the document was created August 6, 2013 |
Source: | ECONIS - Online Catalogue of the ZBW |
Persistent link: https://www.econbiz.de/10014152010