Cybersecurity Back on FDA Radar Screen

Cybersecurity is becoming an increasingly prominent concern for the FDA and the industries it regulates, but the latest draft guidance for premarket requirements for cybersecurity was not well received by device makers. However, the FDA also posted a notice on March 21 regarding cybersecurity related to several cardiology devices, a bit of bad news that gives the agency little leeway when it comes to tighter scrutiny.

The agency’s previous premarket cybersecurity guidance for medical devices was barely four years old when the FDA posted a new draft guidance in October 2018, a document that came with a five-month comment period. In the meantime, the agency held a two-day workshop to address cybersecurity, but shortly after the comment period on the 2018 draft closed, the FDA posted a safety communication for several models of implantable defibrillators and cardiac resynchronization devices. The agency said the affected units are associated with the use of a wireless telemetry protocol, which provides remote monitoring and allows clinicians to make changes to the device’s settings. The telemetry device and software are alleged to lack encryption, authentication and authorization protocols, the FDA said, problems the manufacturer said it is working to address.

Cybersecurity Risk Framework Seen as Distracting

The October 2018 cybersecurity draft guidance proposed a two-tier cybersecurity risk framework that respondents to the docket said was impractical, given that it would seem to conflict with the underlying risk classification of the device. The draft guidance acknowledges that this approach “may not track to FDA’s existing statutory device classifications,” but said the two-tier cybersecurity risk framework is an attempt to align with cybersecurity standards published by the National Institute of Standards and Technology. That approach drew negative responses from several who commented to the docket, including the Medical Imaging & Technology Alliance (MITA) and the Advanced Medical Technology Association (AdvaMed), who said this approach would be cumbersome, confusing or both, particularly since the existing postmarket cybersecurity guidance does not feature this concept.

Another feature of this latest draft guidance is that it calls for a cybersecurity bill of materials (CBOM) to be provided with premarket applications. Brian Scarpelli with the Connected Health Initiative said the phrase “software bill of materials” (SBOM) is already in widespread use, and encouraged the agency to go with the SBOM moniker to avoid confusion. That position was echoed by MITA and AdvaMed, along with concerns as to whether an SBOM should include a listing of hardware and firmware along with software. MITA’s executive director, Patrick Hope, also said it is not clear whether the scope of the CBOM as described in the draft would be limited to known vulnerabilities, and the question of whether the terms of the draft would apply retroactively was also raised.

Other Agencies Involved, Possible Legal Liability

While the FDA is certainly in the lead among regulatory agencies when it comes to digital regulation and cybersecurity, there are other agencies that are pushing their own efforts along. Among these is Australia’s Therapeutic Goods Administration, whose December 2018 cybersecurity draft guidance is directed toward both pre- and postmarket considerations. The government of Singapore might feel compelled to jump on board the cybersecurity bandwagon in the near future as well, given that the Health Sciences Authority recently acknowledged in a press release that one of the agency’s vendors had not adequately protected a database with the records for hundreds of thousands of blood donors.

Regardless of where device makers stand on the FDA premarket draft guidance, it is clear that cybersecurity requirements across the globe will become more commonplace, more stringent and more expensive to implement, particularly given that this is an area of liability law that has not yet been explored in the courts. However, the sponsors of at least one website dedicated to class-action lawsuits made it clear recently that they see cybersecurity lapses as fodder for liability claims.

China, FDA Sources of New Regulatory Developments

As two recent developments make clear, fledgling regulatory frameworks for medical devices are in a state of churn in several nations, but the more mature regulatory systems are anything but static. The first of these two latest developments bodes well for industry where a massive Asian market is concerned, but the second would seem to suggest that digital health has a number of hurdles to overcome in the U.S.

China Overhauls Medical Device Regulations

China’s State Drug Administration recently announced several proposed changes to its regulatory framework for devices and diagnostics, but the changes arrived as Washington and Beijing haggle over trade in a dispute that could lead to a significant boost in tariffs.

One of the more significant of the proposed SDA changes is that industry would not have to obtain approval for manufacturing in China prior to obtaining marketing approval for that device. Another important change is that the SDA would no longer require that the manufacturer also serve as the holder of the certificate, which would free up device makers to do business with local representatives who are in a better position to avoid delays. These two changes alone would seem to represent a significant reduction in time and/or hassle to market.

Another significant change is that SDA may accept clinical studies conducted outside China, although this provision would not apply to high-risk devices. Precisely how much this helps device makers is not clear inasmuch as clinical studies are categorically mandated only for high-risk devices. One bit of seemingly good news on the moderate-risk device front is that provincial authorities will no longer be tasked with premarket review, a switch that hopefully will create a more predictable process.

The agency also said it intends to form a dedicated facility inspectorate by hiring inspectors on a full-time basis. The impact of this change might not be obvious in the near term, but the fact that these inspectors will not be distracted with other matters might at least lend more consistency to inspections.

By some accounts, the draft rule would eliminate the nation-of-origin rule that has rankled device makers for a number of years. Device makers in the U.S. have argued for some time that nation-of-origin rules left device makers in other nations at a competitive advantage. That particular problem may soon be a thing of the past. SDA is taking comment on the proposal through July 24.

Device makers have worked for years to pry open the Chinese market with middling success, but the ongoing trade controversy could be a setback. Among the targets of the Trump administration’s tariff list on Chinese products are medical devices, and U.S. device makers are concerned that a retaliatory tariff may be in the offing. The predicament is serious enough that Rep. Erik Paulsen (R-Minn.) penned a May 15 letter to the U.S. Trade Representative recommending caution, given that the trade deficit for medical technology is relatively narrow and actually favors the U.S. in some categories. Trade discussions between Washington and Beijing are ongoing, however, and both sides still have ample room in which to negotiate.

Legality of FDA’s Precert Program Questioned Again

The FDA’s effort to streamline its review of software as a medical device (SaMD), a vital cog in its overall digital health enterprise, revolves around a program for precertification of SaMD vendors, but the latest update has prompted observers to question again whether the agency can legally step around its current authorities to deploy the program. At stake is the future of a program seen as critical to sustaining the digital health pipeline, although some might question whether there will be a challenge to what some argue is the FDA’s extralegal approach to digital health regulation.

As previously discussed in the May 17 blog, the agency’s digital precert program would replace a product-by-product review process with one that certifies the vendor’s quality program instead. This approach carries with it a presumption that the FDA will more closely track outcomes and adverse events associated with the SaMD in question, and possibly exercise more rapid remediation of any problems than might otherwise be the case.

Version 0.2 of the precert program emerged in late June, proposing to revise the two levels of precert accreditation. Previously, the FDA had proposed a leaner precert process for companies with histories of successful navigation of the agency’s premarket and postmarket requirements, but the latest update would eliminate prior regulatory experience as a determinant, and instead allow entities that score well on a number of key performance indicators to employ the less cumbersome process.

The questions surrounding the legality of the precert program were not long in coming. In an Aug. 16, 2017, post at the blog for Health Affairs, a trio of authors described the precert program as “an experiment in medical product regulation” that lacks any statutory backing, even with passage of the 21st Century Cures Act, which FDA commissioner Scott Gottlieb has cited as an authorizing text.

The authors of the Health Affairs editorial are not the only ones who have misgivings. Bradley Thompson of Epstein Becker Green gave voice to a similar concern recently. Thompson, who has represented several ad hoc medical technology alliances over the past few years, suggested the precert pilot as currently understood would amount to a suspension of both statutory and regulatory authority.

Obviously industry will not want to make waves in connection with the precert program, but there are other stakeholders with different incentives. Public Citizen and the National Center for Health Research are well known for looking askance at device approvals, and so can be expected to track the precert program as it moves along. Any related litigation would end up in the U.S. District Court for the District of Columbia – which is known for giving federal agencies the benefit of the doubt – but a lawsuit could impede the precert program considerably, even if it did not derail the program entirely.

Digital Desires; the FDA’s December Guidance Trove

The end of the year is a time for reflection and maybe even gratitude, but as we can all testify, holiday shopping can be an irritating experience. The FDA got an early start on its holiday shopping list in the first week of December with the publication of several guidances as part of the overhaul of its approach to digital health. As might be expected, though, the experience is a decidedly mixed bag of items, one of which seems likely to be returned for exchange.

SaMD Final: A Leaner, Nicer Approach

On the positive side, the final guidance for software as a medical device (SaMD), the draft of which was written by the International Medical Device Regulators Forum, eliminates some of the seemingly compulsory tone of the draft. Nonetheless, the FDA went to some lengths to emphasize in the final that industry should not read too much into the use of words such as “requirements,” explaining that related provisions fall into the category of recommendations. Given the recent congressional emphasis on the least burdensome standard, the agency perhaps had little choice but to make such a conciliatory gesture.

The final SaMD guidance is 15 pages leaner than the draft (30 pages rather than 45), and large portions of the draft have either slimmed down or disappeared entirely. Definitions have become less descriptive, thus lending an unmistakable air of flexibility to the document. Whereas the draft commits page after page to discussions of generating evidence for scientific and analytical validity, the final guidance offers mere paragraphs for considerations such as analytical and technical validation.

The net effect is that of a high-level document that avoids the quagmire associated with the fine details of product development and testing. Whether this is the last word for some time on SaMD is difficult to forecast, but the reader will note that the agency took the unusual step of announcing the final guidance in the Federal Register, complete with the associated docket number.

The Risk of Saying Nothing About Risk

Conversely, the draft guidance for clinical decision support (CDS) systems presents the reader with a decidedly different dilemma, although it offers some useful content. The draft includes a section spelling out instances in which a CDS would not fall under FDA regulations, such as software that provides recommendations as to the use of a drug within the labeled indication. This document also provides a number of examples of uses of a CDS that would qualify the item as a device, but Bradley Merrill Thompson of Epstein Becker Green had a few choice words regarding the draft.

Thompson, who serves as the general counsel for the CDS Coalition, said the CDS draft lacks clarity on the point of how a vendor might determine how the risks associated with that product’s use might push the CDS into the agency’s regulatory territory. Thompson said this is particularly problematic given the recent and coming advances in artificial intelligence, although others indicated some relief that patient use of CDS was written into the document.

One way of looking at the risk question in this guidance – or more properly, the failure of the draft to directly address the risk question – is that the agency believes it might be a more economical use of its time to draw feedback from stakeholders before committing anything to ink. The docket is open for only sixty days, however, and it seems fairly plausible that the Feb. 6, 2018 deadline for comment will be extended if indeed the FDA intends to provide at least some discussion of risk. After all, the agency’s device center has expended a considerable amount of effort to talk about benefits and risks, including the final guidance on how the FDA will handle the hazards of dealing with problematic devices that may or may not warrant withdrawal.

The last of the three guidances released by the FDA on Dec. 7 was the draft guidance dealing with policy changes to four existing guidances, including the guidance for medical device data systems (MDDS). The agency’s proposal to regulate such software in 2011 sparked a lot of pushback from stakeholders with a lot of bandwidth on Capitol Hill, and the agency walked back from several major features of its early proposals several years ago. This guidance will be substantially revamped, although in its current form it is apparently not operational, as the saying goes.

The general wellness app guidance is also scheduled for a thorough rewrite, as are the guidances for mobile medical applications and off-the-shelf software used in medical devices. Device makers have the 21st Century Cures Act to thank for much of this, but the agency’s latest commissioner, Scott Gottlieb, might have pushed for many of these changes even without the help of the Cures Act. All in all, Dec. 7 was not a bad start to the holiday season, even if one or two items will eventually be re-gifted to the giver.