The mobile technology must ensure the security and confidentiality of the data when the
technology is used in clinical investigations (see 21 CFR 11.10 and 11.30). If the data
are transmitted wirelessly from the mobile technology to the sponsor’s EDC system in a
clinical investigation, the data must be encrypted at rest and in transit to prevent access
by intervening or malicious parties (see § 11.30).

For wearable biosensors and other portable or electronic implantable devices, data
encryption may be sufficient to ensure the security and confidentiality of the data. On the
other hand, additional controls may be important when using mobile apps and mobile
platforms. In addition to having encryption and basic user access controls in place (see
section IV.D.Q17), sponsors should consider implementing additional security safeguards
as follows:
• Remote wiping and remote disabling
• Disabling the function for installing and using file-sharing applications
• Firewalls
• Procedures and processes to delete all stored health information before discarding or reusing the mobile device