Cybersecurity Back on FDA Radar Screen

Cybersecurity is becoming an increasingly prominent concern for the FDA and the industries it regulates, but the latest draft guidance for premarket requirements for cybersecurity was not well received by device makers. However, the FDA also posted a notice on March 21 regarding cybersecurity related to several cardiology devices, a bit of bad news that gives the agency little leeway when it comes to tighter scrutiny.

The agency’s previous premarket cybersecurity guidance for medical devices was barely four years old when the FDA posted a new draft guidance in October 2018, a document that came with a five-month comment period. In the meantime, the agency held a two-day workshop to address cybersecurity, but shortly after the comment period on the 2018 draft closed, the FDA posted a safety communication for several models of implantable defibrillators and cardiac resynchronization devices. The agency said the affected units are associated with the use of a wireless telemetry protocol, which provides remote monitoring and allows clinicians to make changes to the device’s settings. The telemetry device and software are alleged to lack encryption, authentication and authorization protocols, the FDA said, problems the manufacturer said it is working to address.

Cybersecurity Risk Framework Seen as Distracting

The October 2018 cybersecurity draft guidance proposed a two-tier cybersecurity risk framework that respondents to the docket said was impractical, given that it would seem to conflict with the underlying risk of the device. The draft guidance acknowledges that this approach “may not track to FDA’s existing statutory device classifications,” but said the two-tier cybersecurity risk framework is an attempt to align with cybersecurity standards published by the National Institute of Standards and Technology. That approach drew negative responses from several who commented to the docket, including the Medical Imaging & Technology Alliance (MITA) and the Advanced Medical Technology Association (AdvaMed), who said this approach would be cumbersome, confusing or both, particularly since the existing postmarket cybersecurity guidance does not feature this concept.

Another feature of this latest draft guidance is that it calls for a cybersecurity bill of materials (CBOM) to be provided with premarket applications. Brian Scarpelli with the Connected Health Initiative said the phrase “software bill of materials” (SBOM) is already in widespread use, and encouraged the agency to go with the SBOM moniker to avoid confusion. That position was echoed by MITA and AdvaMed, along with concerns as to whether an SBOM should include a listing of hardware and firmware along with software. MITA’s executive director, Patrick Hope, also said it is not clear whether the scope of the CBOM as described in the draft would be limited to known vulnerabilities, and the question of whether the terms of the draft would apply retroactively was also raised.

Other Agencies Involved, Possible Legal Liability

While the FDA is certainly in the lead among regulatory agencies when it comes to digital regulation and cybersecurity, there are other agencies that are pushing their own efforts along. Among these is Australia’s Therapeutic Goods Administration, whose December 2018 cybersecurity draft guidance is directed toward both pre- and postmarket considerations. The government of Singapore might feel compelled to jump on board the cybersecurity bandwagon in the near future as well, given that the Health Sciences Authority recently acknowledged in a press release that one of the agency’s vendors had not adequately protected a database with the records for hundreds of thousands of blood donors.

Regardless of where device makers stand on the FDA premarket draft guidance, it is clear that cybersecurity requirements across the globe will become more commonplace, more stringent and more expensive to implement, particularly given that this is an area of liability law that has not yet been explored in the courts. However, the sponsors of at least one website dedicated to class-action lawsuits made it clear recently that they see cybersecurity lapses as fodder for liability claims.

China, FDA Sources of New Regulatory Developments

As two recent developments make clear, fledgling regulatory frameworks for medical devices are in a state of churn in several nations, but the more mature regulatory systems are anything but static. The first of these two latest developments bodes well for industry where a massive Asian market is concerned, but the second would seem to suggest that digital health has a number of hurdles to overcome in the U.S.

China Overhauls Medical Device Regulations

China’s State Drug Administration recently announced several proposed changes to its regulatory framework for devices and diagnostics, but the changes arrived as Washington and Beijing haggle over trade in a dispute that could lead to a significant boost in tariffs.

One of the more significant of the proposed SDA changes is that industry would not have to obtain approval for manufacturing in China prior to obtaining marketing approval for that device. Another important change is that the SDA would no longer require that the manufacturer also serve as the holder of the certificate, which would free up device makers to do business with local representatives who are in a better position to avoid delays. These two changes alone would seem to represent a significant reduction in the time and hassle required to reach the market.

Another significant change is that SDA may accept clinical studies conducted outside China, although this provision would not apply to high-risk devices. Precisely how much this helps device makers is not clear inasmuch as clinical studies are categorically mandated only for high-risk devices. One bit of seemingly good news on the moderate-risk device front is that provincial authorities will no longer be tasked with premarket review, a switch that hopefully will create a more predictable process.

The agency also said it intends to form a dedicated facility inspectorate by hiring inspectors on a full-time basis. The impact of this change might not be obvious in the near term, but the fact that these inspectors will not be distracted with other matters might at least lend more consistency to inspections.

By some accounts, the draft rule would eliminate the nation-of-origin rule that has rankled device makers for a number of years. Device makers in the U.S. have argued for some time that nation-of-origin rules left device makers in other nations at a competitive advantage. That particular problem may soon be a thing of the past. SDA is taking comment on the proposal through July 24.

Device makers have worked for years to pry open the Chinese market with middling success, but the ongoing trade controversy could be a setback. Among the targets of the Trump administration’s tariff list on Chinese products are medical devices, and U.S. device makers are concerned that a retaliatory tariff may be in the offing. The predicament is serious enough that Rep. Erik Paulsen (R-Minn.) penned a May 15 letter to the U.S. Trade Representative recommending caution, given that the trade deficit for medical technology is relatively narrow and actually favors the U.S. in some categories. Trade discussions between Washington and Beijing are ongoing, however, and both sides still have ample room in which to negotiate.

Legality of FDA’s Precert Program Questioned Again

The FDA’s effort to streamline its review of software as a medical device (SaMD), a vital cog in its overall digital health enterprise, revolves around a program for precertification of SaMD vendors, but the latest update has prompted observers to question again whether the agency can legally step around its current authorities to deploy the program. At stake is the future of a program seen as critical to sustaining the digital health pipeline, although some might question whether there will be a challenge to what some argue is the FDA’s extralegal approach to digital health regulation.

As previously discussed in the May 17 blog, the agency’s digital precert program would replace a product-by-product review process with one that certifies the vendor’s quality program instead. This approach carries with it a presumption that the FDA will more closely track outcomes and adverse events associated with the SaMD in question, and possibly exercise more rapid remediation of any problems than might otherwise be the case.

Version 0.2 of the precert program emerged in late June, proposing to revise the two levels of precert accreditation. Previously, the FDA had proposed a leaner precert process for companies with histories of successful navigation of the agency’s premarket and postmarket requirements, but the latest update would eliminate prior regulatory experience as a determinant, and instead allow entities that score well on a number of key performance indicators to employ the less cumbersome process.

The questions surrounding the legality of the precert program were not long in coming. In an Aug. 16, 2017, post at the blog for Health Affairs, a trio of authors described the precert program as “an experiment in medical product regulation” that lacks any statutory backing, even with passage of the 21st Century Cures Act, which FDA commissioner Scott Gottlieb has cited as an authorizing text.

The authors of the Health Affairs editorial are not the only ones who have misgivings. Bradley Thompson of Epstein Becker Green gave voice to a similar concern recently. Thompson, who has represented several ad hoc medical technology alliances over the past few years, suggested the precert pilot as currently understood would amount to a suspension of both statutory and regulatory authority.

Obviously industry will not want to make waves in connection with the precert program, but there are other stakeholders with different incentives. Public Citizen and the National Center for Health Research are well known for looking askance at device approvals, and so can be expected to track the precert program as it moves along. Any related litigation would end up in the U.S. District Court for the District of Columbia – which is known for giving federal agencies the benefit of the doubt – but a lawsuit could impede the precert program considerably, even if it did not derail the program entirely.

Digital Desires; the FDA’s December Guidance Trove

The end of the year is a time for reflection and maybe even gratitude, but as we can all testify, holiday shopping can be an irritating experience. The FDA got an early start on its holiday shopping list in the first week of December with the publication of several guidances as part of the overhaul of its approach to digital health. As might be expected, though, the experience is a decidedly mixed bag of items, one of which seems likely to be returned for exchange.

SaMD Final: A Leaner, Nicer Approach

On the positive side, the final guidance for software as a medical device (SaMD), the draft of which was written by the International Medical Device Regulators Forum, eliminates some of the seemingly compulsory tone of the draft. Nonetheless, the FDA went to some lengths to emphasize in the final that industry should not read too much into the use of words such as “requirements,” explaining that related provisions fall into the category of recommendations. Given the recent congressional emphasis on the least burdensome standard, the agency perhaps had little choice but to make such a conciliatory gesture.

The final SaMD guidance is 15 pages leaner than the draft (30 pages rather than 45), and large portions of the draft have either slimmed down or disappeared entirely. Definitions have become less descriptive, thus lending an unmistakable air of flexibility to the document. Whereas the draft commits page after page to discussions of generating evidence for scientific and analytical validity, the final guidance offers mere paragraphs for considerations such as analytical and technical validation.

The net effect is that of a high-level document that avoids the quagmire associated with the fine details of product development and testing. Whether this is the last word for some time on SaMD is difficult to forecast, but the reader will note that the agency took the unusual step of announcing the final guidance in the Federal Register, complete with the associated docket number.

The Risk of Saying Nothing About Risk

Conversely, the draft guidance for clinical decision support (CDS) systems presents the reader with a decidedly different dilemma, although it offers some useful content. The draft includes a section spelling out instances in which a CDS would not fall under FDA regulations, such as software that provides recommendations as to the use of a drug within the labeled indication. This document also provides a number of examples of uses of a CDS that would qualify the item as a device, but Bradley Merrill Thompson of Epstein Becker Green had a few choice words regarding the draft.

Thompson, who serves as the general counsel for the CDS Coalition, said the CDS draft lacks clarity on how a vendor might determine whether the risks associated with that product’s use push the CDS into the agency’s regulatory territory. Thompson said this is particularly problematic given the recent and coming advances in artificial intelligence, although others indicated some relief that patient use of CDS was written into the document.

One way of looking at the risk question in this guidance – or more properly, the failure of the draft to directly address the risk question – is that the agency believes it might be a more economical use of its time to draw feedback from stakeholders before committing anything to ink. The docket is open for only sixty days, however, and it seems fairly plausible that the Feb. 6, 2018 deadline for comment will be extended if indeed the FDA intends to provide at least some discussion of risk. After all, the agency’s device center has expended a considerable amount of effort to talk about benefits and risks, including the final guidance on how the FDA will handle the hazards of dealing with problematic devices that may or may not warrant withdrawal.

The last of the three guidances released by the FDA on Dec. 7 was the draft guidance dealing with policy changes to four existing guidances, including the guidance for medical device data systems (MDDS). The agency’s proposal to regulate such software in 2011 sparked a lot of pushback from stakeholders with a lot of bandwidth on Capitol Hill, and the agency walked back from several major features of its early proposals several years ago. This guidance will be substantially revamped, although in its current form it is apparently not operational, as the saying goes.

The general wellness app guidance is also scheduled for a thorough rewrite, as are the guidances for mobile medical applications and off-the-shelf software used in medical devices. Device makers have the 21st Century Cures Act to thank for much of this, but the agency’s latest commissioner, Scott Gottlieb, might have pushed for many of these changes even without the help of the Cures Act. All in all, Dec. 7 was not a bad start to the holiday season, even if one or two items will eventually be re-gifted to the giver.

Going Solo, and Who Needs Government Anyway?

Some days it seems the idea of interdependence is really gaining ground, but then there are days that seem to trash the idea completely. Below are a couple of stories of the latter variety, stories that might seem more pointed to the diversity ethic that is also very much in vogue in these early years of the 21st Century. First, however, we ask whether the FDA’s device center is losing its appetite for heavy-handed regulation.

FDA Going Soft on Software?

The Center for Devices and Radiological Health at the FDA was pretty quiet for the first half of the year, but has been a little more active recently. For instance, CDRH published a digital health action plan in response to pressure from Congress, but the plan is also a tacit admission from the agency that its quality systems regulations (QSRs) don’t always work well where software is concerned.

The reader may remember the FDA’s interest in medical device data systems dating back to 2011. Hospital administrators were wary of the cost and hassle of standing up a QSR-compliant regime in the first place, but four years would pass before the agency renounced the idea, undoubtedly with the help of some arm-twisting from Capitol Hill.

The FDA’s digital health innovation action plan includes a precertification pilot that calls for a review of a publisher’s approach to software quality control rather than a full-blown premarket review of each product. The program is limited to items that qualify as software as a medical device (SaMD), however, and excludes items such as software integrated into devices.

The precertification pilot does include site visits, but the agency is willing to conduct virtual site visits in lieu of the real thing. Ergo, one can argue that this is QSR-lite at worst. Still, one has to wonder how much time will pass before an SaMD will start pushing the FDA’s safety and efficacy buttons despite FDA commissioner Scott Gottlieb’s assertion that the program is strictly for “certain lower-risk devices.” That lower-risk assurance seems odd, given that the sponsor will be on the hook for collecting post-market data for that product.

The day one of these calls for a de novo application might herald a time when the agency will scrutinize these SaMDs individually, but how long after that will a sponsor discover they have tripped the class III/PMA trigger? Only time will tell.

Disharmony from Asia

Some see global regulatory harmonization as a pipe dream, and India’s Central Drug Standards Control Organization has released a draft guidance dealing with standards for safety and performance of medical devices that would seem to support that view. This document, which supplements a novel regulatory framework specific to med tech in India, suggests that CDSCO will handle stand-alone software in the same manner as traditional medical devices despite the FDA’s hands-off approach.

CDSCO gave interested parties only three weeks to comment, hardly sufficient time to absorb the implications of such a document, particularly since the document is undated, other than to note the month of publication (July). The agency said it does not want to dictate how a device maker might demonstrate compliance, but the scope of the 27-page document encompasses a wide range of product categories, including combination products, a breadth of scope which might come across to some as lack of specificity disguised as flexibility.

In any case, the document also takes aim at devices “that incorporate software and stand-alone medical device software,” which is where it rubs up against the new approach at FDA in a disharmonious manner.

As noted above, the American regulator is steering an entirely novel tack for its regulation of SaMD, which it had said last year would revolve around a guidance drafted by the International Medical Device Regulators Forum. India is not a participant in the IMDRF effort, although it is a member of the Asian Harmonization Working Party (AHWP), which is an IMDRF affiliate and which has inked its own SaMD proposal, said to be built around the IMDRF effort.

One way of looking at this is that the FDA is the outlier and that the disharmony is coming from Silver Spring, Md., and not from New Delhi, although it may be instructive to note that the latter has a very limited body of experience with med tech-specific regulations. Either way, publishers of SaMD will continue to face very different regulatory regimes if they want to do business in both the world’s richest market and its second most populous market.

No DOJ? No Problem

As is commonly known, the Department of Justice does not dive head first into every qui tam action that pops up, but government attorneys seem to be involved in nearly every whistleblower suit that costs the target company money. Celgene of Summit, N.J. offers the exception, getting stung with a $280 million hit in a False Claims Act case that asked the federal government to do nothing more than accept a nice, fat check from the company.

The company denied any culpability, and Celgene may have a case given that the Centers for Medicare & Medicaid Services is somewhat more lenient about off-label use of oncology drugs. However, court documents indicated that Celgene helped patients financially by contributing money to two patient-directed organizations, which were said to have “acted as conduits for Celgene” and thus had “eliminated any price sensitivity” for both patients and prescribing physicians.

The court also said “the United States did not intervene” without comment, although the court pointed to two other qui tam actions against the company, both of which were dismissed.

The biggest problem for Celgene might have been that the company purportedly persuaded physicians to influence guidelines published by the National Comprehensive Cancer Network, and was alleged to have “caus[ed] doctors to change ICD-9 diagnosis codes.” The lay person sitting in a jury box might find it difficult to hear of manipulation of codes used in Medicare billing without thinking the source of that manipulation was up to no good, particularly given how much very visible emphasis there is these days on Medicare fraud.