Cybersecurity’s Impact on Health Systems

We are currently seeing significant technological advances in medical devices, hospital networks and patient care. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect a device’s performance, functionality and safety to the patient. In recent years, researchers have demonstrated the potential threat of medical device and healthcare system hacking. They have been able to tamper with pacemakers, insulin pumps and other devices, which, if hacked, could cause serious harm, including death, to a patient. Recently, the FDA identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and the corresponding Merlin@home Transmitter. These vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. While no patients were harmed, this serves as a warning that similar devices containing configurable embedded computer systems can be vulnerable to cybersecurity intrusions and exploits, as well. To address these technological risks, in December 2016, the FDA finalized the guidance, “Postmarket Management of Cybersecurity in Medical Devices.” In reference to the guidance, Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health stated that, “manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” The new guidance...

How the 21st Century Cures Act Impacts Medical Device Software

There has been a lot of discussion surrounding medical device software and how it should be regulated. Concern about software of this nature will continue to rise to the forefront of conversations because there will be an increasing number of these products in the marketplace. The 21st Century Cures Act specifically addresses which types of medical device software will be exempt from regulation. Section 3060, Clarifying Medical Software Regulation, identifies five categories of medical software that will not be regulated as medical devices by the FDA due to their potential low level of risk to patients. The software categories that may be excluded from device regulation include:

Administrative & Operational Software: software that provides administrative support of a healthcare facility, such as that for appointment scheduling, health benefit eligibility and processing financial records. While this software is included in the provision, it was not considered a medical device to begin with.

Wellness Apps: apps for maintaining or encouraging a healthy lifestyle that are unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition. This is consistent with FDA’s General Wellness and Mobile Medical Applications guidance documents.

Electronic Patient Record Software: provided that it is only intended to transfer, store, convert formats or display the equivalent of a medical chart. There are some caveats to this exception, however:
- Records must be created, stored, transferred or reviewed by healthcare professionals;
- Records must be part of health information technology certified under section 3001(c)(5) of the Public Health Service Act; and
- The software must not be intended to interpret or analyze patient data or images for the diagnosis, cure, mitigation, prevention, or...

Obama Signs the 21st Century Cures Act into Law

Last night, President Obama signed the 21st Century Cures Act into law. Most of what people will be hearing from the media will be focused on the Act’s support of cancer research, mental health policies, brain research to tackle diseases like Alzheimer’s and the funding allocated for these initiatives. However, the 996-page bill also includes major changes that impact the way the FDA regulates drugs, devices and biologics. Those who have spoken out against the Cures Act have done so out of fear of a weakened system that would allow for less rigorous examination of products before they go to market. While there are sections of the act that appear to streamline submission and review processes, until the FDA develops the necessary guidances based on their interpretation of the requirements, the industry will not know what to expect. The best way to approach these pending changes is to become familiar with the areas that might impact your device. The following summarizes provisions relevant to medical device companies:

Sec. 3001 Patient Experience Data
Under the Cures Act, FDA would be required to include a statement regarding any patient experience data that was used at the time of a drug’s approval. The bill defines patient experience data as “data collected by any persons (including patients, family members and caregivers of patients, patient advocacy organizations, disease research foundations, researchers, and drug manufacturers).” While this section specifically refers to drugs, this may come into play for combination products, as well. This requirement, as well as section 3002, is one to watch to determine if it affects your product commercialization goals.

Sec. 3033 Accelerated...
Software and the FDA Refuse to Accept Policy for 510(k)s 2015 Guidance

The path to medical device commercialization requires FDA clearance, which most often means filing a pre-marketing notification, also known as a 510(k). The FDA has specific criteria for accepting a 510(k), and they just released their new acceptance policy. This new standard, which will be effective October 1, 2015, replaces the old FDA Refuse to Accept Policy for 510(k) Guidance of 2012. The purpose of this Refuse to Accept Guidance is to explain the FDA’s procedures and criteria in assessing whether a 510(k) submission meets a minimum threshold of acceptability and should be accepted for further review. Using the pre-market notification, or 510(k) process, the FDA evaluates whether or not the submission demonstrates substantial equivalence to a predicate device and that the device is as safe and effective as its predicate. Interestingly, the old 2012 Guidance mentions “software” only 18 times. The new 2015 Guidance uses the word “software” 33 times. Additionally, the new Guidance is more specific about the acceptance criteria around software. There is now an entire section (section H) dedicated specifically to device software. This section covers:
- Whether the device includes software or firmware
- Whether the device requires software or firmware
- The level of concern created by the software
- Software documentation based on the level of concern, as described in Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices

In only 3 years’ time, the new Guidance has dramatically increased its focus on software, indicating the FDA’s growing concerns around medical device software. As the FDA gets a handle on software-dependent medical devices, manufacturers will be faced with a quality framework that...
Colliding Cultures: Software Development and the Medical Device Industry

Part 1 – Medical Device Software, the FDA and the US Congress

Preface: In any given 2-week period, an average of 15% to 20% of the applications on my smartphone have new versions to fix software bugs. Others I speak with report similar statistics. And that doesn’t include how often my smartphone software crashes while executing tasks it was intended to perform. We don’t complain about it. Instead, we accept this state of constant, almost continuous, software revision to fix bugs as a matter of “how things are.” We have come to terms with the fact that the normal state of software is for it to be broken, in need of repair and “acceptably” functional, while simultaneously defective. One might think, given the prevalence and importance of software, we would reject software disrepair as normal – especially for critical applications that impact safety. But the evidence suggests otherwise. If you perform a search on the FDA Medical Device Recall Database from January 1, 2013 to August 14, 2015, you will see 500 device recalls reported. This is the maximum number of rows the FDA report supports in a single query (meaning more than 500 devices were recalled). Enter the keyword “software” into the search, and the query returns 344 recalls due to medical device software. A random sampling of these notices confirms that software issues played an instrumental – or the only – role in the recalls. And all but nine are Class I or Class II recalls in response to a risk of temporary or serious adverse health consequences due to software problems. Is software so difficult and challenging...