FDA to Create a Digital Health Unit

The FDA has announced that it is forming a digital health unit within the Center for Devices and Radiological Health (CDRH). The digital health unit will develop software and technical expertise to assist manufacturers with devices that incorporate digital health technologies, assess digital health improvements, and monitor and report on the digital health premarket review timelines. Digital health includes categories such as mobile health (mHealth), health information technology (IT), wearable devices, telehealth and telemedicine, and personalized medicine.

The creation of this unit is part of the Medical Device User Fee Act (MDUFA). MDUFA is the program that authorizes FDA to collect user fees from medical device manufacturers in support of streamlining the regulatory approval process. Negotiations between FDA and the medical device industry regarding the fourth version of MDUFA are currently underway. As part of the negotiation process, FDA proposed to hire technical experts to staff the new digital health unit.

In addition to MDUFA, the 21st Century Cures Act requires FDA to develop a framework for evaluating real world evidence. FDA envisions that the digital health unit will monitor and implement the use of real world evidence to support the regulatory approval process. FDA issued a draft guidance in July 2016, Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices, that identifies how real world data will be evaluated to determine if it is sufficiently relevant and reliable to be used. While the FDA sees the digital health unit as a means of streamlining the regulatory approval process, it also recognizes it will require coordination with industry and other government agencies because digital health touches on...
Cybersecurity’s Impact on Health Systems

We are currently seeing significant technological advances in medical devices, hospital networks and patient care. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect a device’s performance, functionality and safety to the patient. In recent years, researchers have demonstrated the potential threat of medical device and healthcare system hacking. They have been able to tamper with pacemakers, insulin pumps and other devices, which, if hacked, could cause serious harm, including death, to a patient.

Recently, the FDA identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and the corresponding Merlin@home Transmitter. These vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. While no patients were harmed, this serves as a warning that similar devices containing configurable embedded computer systems can be vulnerable to cybersecurity intrusions and exploits as well.

To address these technological risks, in December 2016, the FDA finalized the guidance, “Postmarket Management of Cybersecurity in Medical Devices.” In reference to the guidance, Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health, stated that “manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” The new guidance...
Avoid Common Medical Device Software Development Life Cycle Pitfalls

Learn Potential Software Development Life Cycle Pitfalls to Pay Attention To

IEC 62304 is the international standard that defines software development life cycle requirements for medical device software. IEC 62304 was developed from the perspective that product testing alone is insufficient to ensure patient safety. It provides a common framework for medical device manufacturers to develop software components. Conformance with this standard demonstrates that there is a software development process in place that fulfills the requirements of the Medical Device Directive.

If your medical device has software that regulates its functionality in a way that contributes to Basic Safety or Essential Performance, then you will need to comply with IEC 62304. This standard requires all aspects of the Software Development Life Cycle (SDLC) to be managed to ensure patient safety, including:

- Development and code reviews
- Risk management
- Configuration management
- Incident and bug resolution
- Validation
- Maintenance

The most common mistake medical device manufacturers make is failing to assess which elements of risk their software mitigates. These are the elements that must be addressed by IEC 62304. For example, what would happen if the creator of a hoist didn’t properly vet the software that signaled the hoist to lower the patient at a certain speed? If a patient were lowered too quickly – or not at all – there would be a risk management nightmare. Since software plays a role in the Basic Safety functions of the hoist, it must comply with 62304’s requirements.

Common software functionality manufacturers fail to recognize as IEC 62304 compliance issues include:

- Alarms and Alerts – often an Essential Performance requirement because they are intended to detect abnormalities
- Speed & Position...