On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks.  Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices.  However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation.  As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.

There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT.  Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components.  These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.

The FDA guidance addresses a number of key areas of risk.  In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards on medical devices.  For instance, administrators often assign the same password to multiple devices, so that one compromised password could provide unauthorized access to every device and its data.  Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information, impacting patients’ privacy and/or safety.  Finally, a number of devices are vulnerable to malware without the ability to apply security patches.

To reduce risk, there are several measures that can be implemented to enhance device security.  For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans.  Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g., request disclosure of device cybersecurity properties).  As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure that access is limited to assigned, authorized users.

EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.


Brian Hedgeman


Alaap B. Shah

The federal government entered into a partial shutdown at midnight on Saturday, December 22, 2018. The implications of the ongoing shutdown are far-reaching, but its impact on the Food and Drug Administration (“FDA”) is of particular concern to members of FDA-regulated industries and those with a role in ensuring the public health. Thousands of FDA employees considered non-essential were furloughed and, consequently, routine regulatory and compliance activities at FDA were put on hold. On his Twitter account (@SGottliebFDA), Scott Gottlieb, M.D., Commissioner of the FDA (“Dr. Gottlieb”), has tweeted frequent updates regarding FDA operations. As he explained, FDA officials initially consulted with public health experts and other senior leaders regarding which FDA activities address threats to human life and safety and, thus, should continue during the shutdown.

Many FDA operations halted for two weeks during the holidays, according to schedule. Accordingly, many activities were not considered delayed until early January when FDA was scheduled to resume all operations. To provide examples of the shutdown’s implications at FDA, FDA is currently not accepting new medical product applications that require fee payment or reviewing drug applications that are not user-funded, and FDA’s Center for Drug Evaluation and Research (“CDER”) has paused all non-emergency over-the-counter monograph drug activities because these activities were determined not to address immediate threats to human life and safety. In addition, the thirty-day waiting period before sponsors of investigational new drugs may conduct clinical trials is paused during the shutdown unless the drugs are considered emergency drugs.

During the shutdown, FDA will utilize carryover “user fee” funding to continue review of certain applications that require a user fee, such as New Drug Applications, Biologics License Applications, and Premarket Approval applications for medical devices, if such fee has been paid. However, FDA may require more time than what agency timeframes allot to review these applications. FDA cannot accept new user fees during the shutdown. If fee payment is required, sponsors must wait until the government reopens. Some companies and industry segments, such as allergenic products, negotiated to be excluded from user fees and chose to instead rely on budget authority. Accordingly, when budget authority lapses, routine review activity for these products halts unless an emergency involving safety of human life warrants review.

As the shutdown entered week three, FDA determined it would resume activities necessary to identify and respond to threats to the safety of human life. On January 15, 2019, furloughed food safety inspectors returned to work without pay after Dr. Gottlieb, days earlier, had sought and received permission from the Department of Health and Human Services and the White House to call the inspectors back to work. Resumed FDA activities include:

  • expanded monitoring and analysis of food safety surveillance and detection;
  • surveillance sampling of high-risk foods, drugs, and devices;
  • expanded monitoring and evaluating of medical device adverse event and malfunction reports to include additional types of medical devices;
  • expanded activities related to surveillance and response for recalls as necessary to identify and respond to threats to the safety of human life; and
  • expanded inspection activities beyond “for-cause” inspections to also include foreign and domestic food, drug, medical, device, and pharmacy compounding surveillance inspections focused on the highest risk products and facilities.

Resumed activities are being funded by carryover user fees and from the reduction of any overhead charges to CDER and the Center for Biologics Evaluation and Research. Dr. Gottlieb claims these funding sources give FDA roughly five weeks of funding to review new drug applications. FDA is seemingly operating at the best of its ability despite the circumstances. According to Dr. Gottlieb, carryover user fees supported the January 16, 2019 FDA guidance on drug development to treat rare diseases. Also on January 16, FDA issued draft guidance to support companies seeking final approval for tentatively-approved generic drug applications to promote timely access to safe and effective generic medicines. However, the Prescription Drug User Fee Act, which authorizes FDA to collect fees from companies that produce certain human drug and biological products, is the most vulnerable program, likely to run out of money the first week of February.

Manufacturers, researchers, and others involved in the creation of these products should continue to monitor for developments but should expect likely delays in all FDA review activity. Additional operations may resume as determined to be necessary if the shutdown continues. If the shutdown lasts for more than five additional weeks, it is unclear which FDA operations not addressing an immediate threat to human life can continue. Once the government reopens, FDA will still face a backlog of applications and other regulatory activity, almost guaranteeing a ripple effect of delays that will continue for the foreseeable future.

On December 7, 2018, the U.S. Food and Drug Administration (“FDA”) published a proposed rule (“Proposed Rule”) that, if finalized, would clarify the de novo classification process for medical devices, including (1) the format and contents of a de novo request and (2) the criteria for accepting or denying a de novo request. FDA intends to “enhance regulatory clarity and predictability… [and] provide a regulatory framework that sets clear standards, expectations and processes for de novo classification” through this proposed rulemaking.[1]

FDA regulates medical devices based on risk and has established three general classifications: “class I” (general controls required to provide reasonable assurance of the safety and effectiveness of the device), “class II” (special controls required), or “class III” (premarket approval required). The regulatory framework for class III devices is especially stringent—FDA reviews class III device safety and effectiveness under a premarket approval (“PMA”) application that takes six months or more to approve, if the device is found suitable for marketing. The 510(k) “premarket notification” submission, however, enables lower-risk devices that are “substantially equivalent” to existing, legally marketed (“predicate”) devices not subject to a PMA to obtain marketing clearance without a PMA. Under section 513(f)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), new devices receiving not substantially equivalent (“NSE”) determinations are automatically designated a class III device. The de novo process serves as an alternative pathway for receiving marketing authorization for class I or II devices.

In the Proposed Rule, FDA seeks to clarify and formalize the de novo pathway for novel devices without predicates. Many of these proposals are contained in various recent guidances from FDA.[2] Below we break down key components of the Proposed Rule:


FDA Reviewing Procedures: Facility Inspections Proposed

Perhaps the most controversial component of the proposed de novo pathway is a provision that enables FDA to conduct premarket manufacturing inspections of “relevant facilities” as part of its de novo review process. Although these manufacturing inspections are authorized under the FDCA as an element of the PMA application review, the FDCA does not grant this authority to FDA for de novo review.[3] If this provision remains upon rule finalization, de novo requesters must have their quality systems prepared for inspection. Failing to permit an authorized FDA employee to inspect a relevant facility results in automatic “withdrawal” of the de novo request.

This provision may also be problematic in light of FDA’s proposed timeline for de novo request acceptance. The Proposed Rule requires FDA to grant or decline a de novo request within 120 days from when it receives the request or any additional information. While de novo request devices are required to be classified within the same timeframe under the FDCA, 120 days is rarely met. According to the Medical Device User Fee Amendments 2017 (“MDUFA IV”), FDA articulates that it aims to “issue a MDUFA decision within 150 FDA days of receipt of the submission for . . . 55% of de novo requests received in FY 2019.” (emphasis added). FDA’s self-stated goals appear to make the proposed 120-day codification lofty, especially considering FDA’s authorization and intention to make premarket manufacturing inspections during its de novo request reviews.


Notable De Novo Request Content Requirements

The Proposed Rule intends to clarify the minimum content requirements as prescribed in section 513(f)(2) of the FDCA. Most of these components are consistent with de novo guidance recommendations, but there are a handful of new proposed requirements:

  • Bibliography of “all published reports” and other unpublished “identification, discussion, and analysis of any other data, information, or report” relevant to the safety and effectiveness of the device. This practice is typically reserved for higher-risk PMA applications under 21 C.F.R. 814.20(b)(8).
  • Samples of the device and its components (if requested by FDA). This practice is typically reserved for higher-risk PMA applications under 21 C.F.R. 814.20(b)(9).
  • Proposed advertisements and labels for the device. Although it is not uncommon for companies to include sample labeling information in 510(k) notifications, this proposed provision would now make it a requirement in de novo requests, similar to PMA applications under 21 C.F.R. 814.20(b)(10).
  • Information about “known or reasonably known existing [device] alternative[s].”
  • Statement that provides (1) a list of any required information that is omitted in the de novo request and (2) “a justification” for any omissions.


Acceptance Review

FDA proposes an acceptance review stage for de novo submissions during which FDA makes a “threshold determination” as to whether the de novo request contains sufficient information to warrant substantive review. Within 15 days of receiving the de novo request or additional information, FDA must complete the acceptance review and notify the requester—after 15 days, the de novo request is automatically accepted for substantive review. The Proposed Rule identifies several “deficiencies” that warrant a refusal to accept (“RTA”), including: (1) incorrect de novo request format; (2) incomplete submission of required content; and (3) the failure to provide a “complete response” to FDA requests for additional information or deficiencies identified by FDA in any prior submissions for the same device. These deficiencies are similar to the Refuse to Accept Policy for 510(k)s guidance and “Acceptance Checklist[s]” issued by FDA in January 2018.


Confidentiality Provisions

FDA sets forth confidentiality provisions that are similar to other FDA marketing submissions. FDA must maintain confidentiality of the requester’s de novo application until it issues an order granting the request. FDA must also maintain confidentiality of all information provided in the request. Public disclosure by the requester, however, renders these confidentiality requirements inapplicable.

The preamble makes it clear that FDA is proposing this rule to bring greater structure, clarity, and efficiency to the de novo classification process. This rule essentially formalizes many of the criteria recommended in various FDA guidances and provides more certainty (albeit less flexibility) for both de novo requesters and FDA enforcement.

The Proposed Rule is available for public comment until March 7, 2019. If finalized, the regulations would go into effect 90 days after the final rule is published.


[1] 83 Fed. Reg. 63,129 (Dec. 7, 2018).

[2] See, e.g., U.S. FDA, Guidance: De Novo Classification Process (Evaluation of Automatic Class III Designation) (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm080197.pdf; U.S. FDA, Draft Guidance: Acceptance Review for De Novo Classification Requests (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm582251.pdf.

[3] In fact, the FDCA expressly prohibits FDA from conducting these premarket facility inspections in its 510(k) review (“other than a finding that there is a substantial likelihood that the failure to comply with such regulations will potentially present a serious risk to human health”). See FDCA Sec. 513(f)(5).

The Federal Trade Commission (“FTC”) and the Antitrust Division of the Department of Justice (“Antitrust Division”) released their respective year-end reviews highlighted by aggressive enforcement in the health care industry. The FTC, in particular, indicated that 47% of its enforcement actions during calendar year 2016 took place in the health care industry (including pharmaceuticals and medical devices). Of note were successful challenges to hospital mergers in Pennsylvania (Penn State Hershey Medical Center and Pinnacle Health System) and Illinois (Advocate Health Care Network and North Shore University Health System). In both actions, the FTC was able to convince the court that the merger would likely substantially lessen competition for the provision of general acute-care hospital services in relevant areas in violation of section 7 of the Clayton Act. See FTC v. Penn State Hershey Med. Center, 838 F.3d 327 (3d Cir. 2016); and FTC v. Advocate Health Care Network et al., No. 1:15-cv-11473, 2017 U.S. Dist. LEXIS 37707 (N.D. Ill. Mar. 16, 2017).

The Antitrust Division, in similar fashion, touted its actions to block the mergers of Aetna and Humana, and Anthem and Cigna. Complaints against both mergers were filed simultaneously in July of 2016, and tried before different judges in the Federal District Court for the District of Columbia. After extensive trials, Judge Bates blocked the Aetna/Humana deal, and Judge Amy Berman Jackson blocked the Anthem/Cigna transaction. United States v. Aetna Inc., No. 1:16-cv-1494, 2017 U.S. Dist. LEXIS 8490 (D.D.C. Jan. 23, 2017) and United States v. Anthem Inc., No. 1:16-cv-01493, 2017 U.S. Dist. LEXIS 23614 (D.D.C. Feb. 8, 2017).

In addition to their enforcement activities, the agencies promoted jointly issued policy guidelines, including their “Antitrust Guidance for Human Resources Professionals.” Although not specific to any industry, this guidance has particular relevance to the health care industry. Among other things, this guidance makes clear that naked wage-fixing (such as the wave of wage fixing claims relating to nurses) and no-poaching agreements (that would include agreements not to hire competing physicians) are not only per se illegal, but also subject to criminal prosecution.

While a marginal enforcement shift may be in store as a result of the change in administration, most signs point to a continued focus on the health care industry. Maureen K. Ohlhausen, appointed by President Trump as acting Chair of the FTC, reiterated in a speech recently delivered at the spring meeting of the American Bar Association’s antitrust section that “[i]t’s extremely important we continue our enforcement in the health care space.” Likewise, the Acting Director of the FTC’s Bureau of Competition, Abbott (Tad) Lipsky, appointed by Chairman Ohlhausen, applauded the FTC’s success in challenging the Advocate/Northshore hospital merger, noting in a related FTC press release that the “merger would likely have reduced the quality, and increased the cost, of health care for residents of the North Shore area of Chicago.”

Makan Delrahim, President Trump’s selection (awaiting confirmation) to head the Antitrust Division, recently lobbied on behalf of Anthem and its efforts to acquire Cigna, and has openly stated, with respect to certain announced mergers, that size alone does not create an antitrust problem. Nevertheless, given the political climate and the overall impact the health care industry has on the U.S. economy, the Antitrust Division’s efforts to open markets in the health care sector, particularly to generics and new medical technologies, by challenging pay-for-delay deals and scrutinizing unnecessarily restrictive agreements among medical device manufacturers, are likely to continue.

A wild card affecting future antitrust enforcement is the increasing possibility of passage of the Standard Merger and Acquisitions Review Through Equal Rights Act of 2017 (H.R. 659, a/k/a the “SMARTER ACT”). This bill, recently approved by the House Judiciary Committee, would eliminate the FTC’s administrative adjudication process as it relates to merger enforcement, forcing the FTC to bring all such actions in court. In addition, it would align current preliminary injunction standards such that both the FTC and DOJ would face the same thresholds required under the Clayton Act rather than the more lenient standard under the FTC Act. A similar bill passed the House in 2016, but was not taken up by the Senate.

On May 17, 2016, FDA issued Draft Guidance for Industry on Use of Electronic Health Record Data in Clinical Investigations (“Draft Guidance”).  This Draft Guidance builds on prior FDA guidance on Computerized Systems Used in Clinical Investigations and Electronic Source Data in Clinical Investigations, and provides information on FDA’s expectations for the use of Electronic Health Record (“EHR”) data to clinical investigators, research institutions and sponsors of clinical research on drugs, biologics, medical devices and combination products conducted under an Investigational New Drug Application or Investigational Device Exemption.

While the recommendations set forth in the Draft Guidance do not represent a significant departure from existing guidance, research sponsors, institutions and investigators should consider the extent to which their existing policies and procedures, template agreements, protocols and informed consent documents should be updated to incorporate FDA’s recommendations.

Specifically, the Draft Guidance provides additional detail on FDA’s expectations for the due diligence to be performed by sponsors prior to determining the adequacy of any EHR system used by a clinical investigator to capture source data for use in a clinical investigation. FDA expects sponsors to assess whether systems have adequate controls in place to ensure the confidentiality, integrity, and reliability of the data. FDA encourages the use of EHR systems certified through the ONC Health IT Certification Program, and will presume that source data collected in Health IT certified EHR systems is reliable and that the technical and software components of privacy and security protection requirements have been met. Sponsors should consider requesting additional detail in site pre-qualification questionnaires or pre-study visits regarding any EHR system utilized by clinical investigators to record source data, including whether such systems are Health IT certified. Sponsors may also consider the extent to which their existing site qualification policies and clinical trial agreement templates adequately reflect the technical requirements for sites utilizing EHR systems to record source data, the need to ensure that any updates to those systems do not impact the reliability or security of the data, and the extent to which the data, including all required audit trails, are backed up and retained by the site to ensure necessary access by FDA.

The Draft Guidance also includes recommendations regarding the information FDA expects to be included in study protocols and informed consent documents. When the use of EHR systems is contemplated, FDA recommends that study protocols include a description or diagram of the electronic data flow between the EHR and the sponsor’s EDC system, along with information regarding the manner in which the data are extracted and imported from the EHR and monitored for consistency and completeness. FDA also recommends incorporation into informed consent forms of information regarding the extent of access to EHRs granted to sponsors, contract research organizations, and study monitors, as well as a description of any reasonably foreseeable risks with the use of EHRs, such as those involving an increased risk of data breaches. While information related to third-party access to health information is typically addressed in informed consent documents, specific details related to access to EHRs and their associated risks are less common. Sponsors and research institutions should consider the extent to which their template informed consent documents should be updated to incorporate the best practice recommendations in the Draft Guidance.

In addition, in the Draft Guidance, FDA encourages the development and use of interoperable EDC and EHR systems to permit electronic transfer of EHR data into the eCRFs being utilized for a clinical trial, including the adoption of data standards and standardization requirements of the ONC Health Information Technology (Health IT) Certification Program. While interoperability of EHR and EDC systems offers the promise of increasing efficiency of clinical trial data collection and reducing the transcription errors that commonly result from the maintenance of this information in separate repositories, FDA acknowledges challenges related to the diverse ownership of the data and EHR systems used to capture them, and the confidentiality of clinical trial information, that will need to be overcome in order to realize the benefits offered by interoperability.

The Food and Drug Administration (“FDA”) recently announced that it will be hosting a public workshop on October 21 and 22, 2014, in Arlington, Virginia, entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”

Officials from FDA, the Department of Health and Human Services (“HHS”), and the Department of Homeland Security (“DHS”) will bring together medical device manufacturers, insurers, cybersecurity researchers, trade organizations, government officials, and other stakeholders to discuss the numerous challenges faced in medical device cybersecurity.

CDRH OFFICIAL: BE AWARE OF DEVICE RISKS

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference, “Safeguarding Health Information: Building Assurance through HIPAA Security.”

In her presentation “Medical Devices: A Practical Guide for Securing Patient Data,” Dr. Schwartz, from the FDA Center for Devices and Radiological Health, emphasized the need for a collaborative approach in the medical device ecosystem to ensure security. Because most of the millions of hospital discharges, hospital outpatient visits, physician office visits and prescriptions in the US involve networked medical devices, Dr. Schwartz indicated that securing these devices is of the utmost importance for both regulatory and practical purposes.

MEDICAL DEVICES HAVE INHERENT VULNERABILITIES

Dr. Schwartz noted that as medical devices become increasingly connected through wireless and wired networks, it is critical to ensure adequate controls are in place on the network. Computers, wireless and mobile devices, and the medical devices themselves can be infected or disabled with malware. Security vulnerabilities also exist in the form of sharing of passwords, lack of proper training for personnel, and failure to update and patch software on the network.

Several medical devices have already been compromised in the past few years. For example, researchers demonstrated in 2013 that about 300 medical devices from around 40 vendors contained hard-coded passwords, making them highly vulnerable. In 2011, a hacker presented his findings related to his own insulin pump, which could easily be compromised and the pump’s levels remotely changed to a lethal dose.

FDA OFFERS STANDARDS, GUIDANCE

FDA has recognized standards for cybersecurity and interoperability as well as wireless technology in medical devices. Additionally, on October 2, FDA released final guidance on the content of premarket submissions for medical device cybersecurity.  Those of you who are familiar with the draft guidance should note that the final guidance is substantially similar to the draft guidance, with some additional emphasis on balance, emphasizing that security should not unreasonably limit the ability to use a device in emergency situations.

For those who are not familiar with the draft guidance, the final guidance describes the information that manufacturers should include in their premarket submission.  It recommends medical device manufacturers consider the following as part of their cybersecurity activities:

  • Identify and protect by limiting access to trusted users and ensuring trusted content;
  • Implement features to detect security compromises;
  • Inform the end user about the appropriate action to take if a security compromise is detected; and
  • Protect critical functions, even in the event of a security compromise.

Device stakeholders would do well to review these documents and ensure that they understand the steps they should take to meet these standards and comply with the HIPAA Security Rule.

WHAT STAKEHOLDERS SHOULD DO

There are a number of good steps which can be taken to reduce risk. Properly training all personnel is critical to avoid loss of devices, phishing attacks, and more. Ensuring that software is always the most up-to-date version is an easy and important measure to improve security. Additionally, segregating network functions will ensure that any compromise will not affect the entire universe of networked devices. New devices and software should be thoroughly inspected for potential security vulnerabilities before adding them to the network.

On top of those steps, healthcare entities should conduct regular risk assessments and network security audits. Crafting policies to comply with standards such as ISO 27001, COBIT 5, or the HITRUST Common Security Framework is a must.

by Wendy C. Goldstein and Kathleen A. Peterson

On December 27, 2011, the U.S. Food & Drug Administration ("FDA"), Office of Prescription Drug Promotion ("OPDP") (formerly the Division of Drug Marketing, Advertising, and Communications) released a new draft guidance document titled "Guidance for Industry on Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices" (the "Draft Guidance"). The OPDP will accept comments on the Draft Guidance through March 29, 2011.

The FDA has a longstanding policy of permitting pharmaceutical manufacturers to respond to unsolicited requests for medical information about their products, even where such information pertains to unapproved products or uses. However, there has been considerable debate over what constitutes "unsolicited" in this regard. In July 2011, a group of seven manufacturers filed a "citizen petition" with the FDA, requesting FDA clarification of the following issues: (1) Manufacturer Responses to Unsolicited Requests; (2) "Scientific Exchange"; (3) Interactions with Formulary Committees, Payors, and Similar Entities; and (4) Dissemination of Third-Party Clinical Practice Guidelines.

The Draft Guidance relates only to the first of these requests. The Draft Guidance further states that it is not intended to address unsolicited requests for information about products that are not approved for any use.
