Medical Devices: Unique Compliance Issues
March 15, 2016 | Health System Risk Management
Medical devices have come a long way since Dr. Perkins’s patented tractors, two rods of brass and iron claimed to eliminate disease from the body—a device that even President Washington is reported to have purchased before it was exposed as a fraud (Rados). But it is in the last 20 years that the developments have been most marked.
Once, medical devices were stand-alone, physical things—scalpels, titanium prosthetic knees, light microscopes. Now, more and more devices contain software; in fact, in 2006, over half of all new medical devices contained software (Fu). Moreover, until fairly recently, device manufacturers designed and produced all their own hardware and software components in-house; now, they often rely on commercial hardware and software components for their platforms and operating systems (OSs), further increasing vulnerabilities and cyberrisks (IHE).
Because these devices are complex and are often integrated and networked with other hospital systems, they are vulnerable to cyberattacks and system failures. These devices also capture protected health information (PHI) and transmit it to clinicians and other users.
Based on present trends, by 2020, at least 160 million people in the United States will be monitored and treated remotely (Taper). Additionally, although manufacturers were once nearly the exclusive sellers of medical devices, physicians involved in physician-owned intermediaries (POIs) may sell devices for their own use to the hospitals where they practice.
These developments mean that hospitals must consider not just U.S. Food and Drug Administration (FDA) laws and regulations when their medical staff or employees use medical devices, but...