• FDA issues final guidance on discerning device recalls from market withdrawals related to medical device enhancements in apparent bid to appease industry concern over draft being overly broad, lacking in term definitions
• FDA attempts to increase security of mobile devices in midst of growing threat of cyberattacks with guidance focusing on security-by-design, while some say focus should be on data
• FDA puts final touches on inspection guidance to provide more clarity and respond to industry concerns, while maintaining strong stance on its photography authority
• FDA to undergo changes as recommendations for re-alignment are released amid "unparalleled challenges" posed by product complexity and globalization
FDA issues final guidance on discerning device recalls from market withdrawals related to medical device enhancements in apparent bid to appease industry concern over draft being overly broad, lacking in term definitions
The regulator put out the final guidance document to ensure companies are able to clearly distinguish a recall from a market withdrawal after the draft version sparked concern and confusion throughout the industry.
The agency's Center for Devices and Radiological Health put the finishing touches on a controversial guidance document on how to distinguish the recall of a device from a market withdrawal, issuing final guidance that makes many changes relative to a 2013 draft.
Medical device makers have historically struggled with determining what constitutes a recall. While scenarios involving medical device defects or failures are typically clear, other situations exist that pose uncertainty regarding whether the previous version needs to be recalled, such as the release of a new and improved version of an existing product.
The 2013 draft of the guidance had set off widespread concern throughout the industry, namely about creating paperwork burdens and new ammunition for product liability lawsuits when it proposed requiring the reporting of any enhancement aimed at reducing health risks. That requirement could conceivably have covered not only important changes to previously sold devices but also minor modifications to unsold products.
The document was also criticized for creating confusion by not defining certain terms like “initiated” in relation to a recall, “risk to health” and “minor violations.”
To address confusion related to circumstances under which a product must be recalled, the FDA issued a guidance document in its final form that provides increased specificity in its definitions and is intended to help manufacturers identify when they need to notify the FDA of recalls.
Some of the biggest changes relate to contested definitions, with the FDA clarifying terms such as “correction” and “removal,” and providing definitions for terms such as "routine servicing." The FDA also added examples describing hypothetical changes to devices and its position on whether those actions would likely constitute recalls or enhancements.
With “Distinguishing Medical Device Recalls from Medical Device Enhancements,” the FDA also eliminated a section of the draft guidance requiring an 806 report for enhancements, specifically stating that enhancements don’t necessitate the submission of an 806 report. The move will likely appease device makers that were alarmed by the FDA’s proposal and had questioned its authority under the Federal Food, Drug and Cosmetic Act for the reporting requirement.
FDA attempts to increase security of mobile devices in midst of growing threat of cyberattacks with guidance focusing on security-by-design, while some say focus should be on data
As the regulator attempts to play catch-up with the fast-evolving world of connected devices by issuing guidance, critics fear the regulations fail to fully address the complexity of cyber threats.
In a bid to bolster the safety of medical devices, which have become increasingly interconnected and interoperable, the regulator finalized recommendations to manufacturers for managing cybersecurity risks to better safeguard patient health and information.
The guidance comes amid concerns about cybersecurity vulnerabilities, including malware infections on network-connected medical devices or computers and mobile devices used to access patient data, and failure to provide timely security software updates and patches to medical devices and networks, among others. According to a report by PwC, 47 percent of healthcare providers and payer respondents have integrated consumer products such as wearables or operational technologies such as automated pharmacy-dispensing systems, while only 53 percent employed security controls for these devices.
The agency issued the guidance to supplement previously released information, and while it views medical device security as a shared responsibility between stakeholders, the FDA called on manufacturers to “develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.”
The final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” recommends that cybersecurity risks be taken into account as part of the design and development of a medical device, and that documentation be submitted to the FDA about the risks identified and measures established to mitigate those risks. The guidance also advises manufacturers to submit their plans for providing patches and updates to operating systems and medical software.
The FDA recommended developers take the following precautions:
• Identify assets, threats and vulnerabilities;
• Assess the impact of threats and vulnerabilities on device functionality and end users;
• Rate the likelihood of a threat or vulnerability being exploited;
• Determine risk levels and mitigation strategies; and
• Assess residual risk and risk acceptance criteria.
Though the regulator’s efforts are well-intended, certain experts are arguing that the guidance came in too late. Ryan Kalember, chief product officer at WatchDox, said that while the FDA’s guidance focuses largely on security at the point of manufacture, the data is the real risk, not the device. According to Kalember, the FDA’s approach likely won’t be sufficient to protect against security breaches because the data is most vulnerable when in transit.
According to Chris Petersen, chief technology officer and co-founder of LogRhythm, the FDA waited too long to issue these guidelines, contending the guidance puts the spotlight on devices moving forward, but it fails to address the millions of IP-enabled devices already in operation across healthcare networks globally.
Though there haven’t been any reported cyber-related incidents with medical devices thus far, the FDA may eventually be forced to take into account not only devices already on the market, but how partners and suppliers are protecting systems and data.
FDA puts final touches on inspection guidance to provide more clarity and respond to industry concerns, while maintaining strong stance on its photography authority
In 2013, the FDA issued a draft guidance document, “Circumstances that Constitute Delaying, Denying, Limiting, or Refusing a Drug Inspection,” in an attempt to clarify its newfound authority under the Food and Drug Administration Safety and Innovation Act, under which drugs can be considered adulterated due to “circumstances that constitute delaying, denying, limiting or refusing a drug inspection.” That provision has since led to numerous FDA warning letters to manufacturers.
Before the rule passed, some firms sought to refuse or delay entry of FDA inspectors into their facility in a bid to use the additional time to clean up or expunge certain records. The 2013 guidance served as the industry’s first look at how the FDA would interpret and put into practice legislators’ authority.
Of the draft’s sections, the one on photography was likely the one to garner the most attention, and the final version is meaningfully similar to the language in the draft guidance. Some companies contended the provision could threaten their IP rights, and other legal experts questioned whether the photography provision might stand up to legal scrutiny if challenged in court. While some urged the FDA to offer flexibility in regard to inspectors’ unequivocal authorization to take photographs, the final guidance actually eliminated possible loopholes.
The FDA did, however, clarify that companies can object to the photographing of an area in the event that the photograph would "adversely affect product quality."
The final guidance also addresses a main point of uncertainty in the draft version by adding material describing “reasonable explanations” for delays, denials and limitations, and eliminating the words “adequate justification.”
FDA to undergo changes as recommendations for re-alignment are released amid "unparalleled challenges" posed by product complexity and globalization
More than a year after its creation, the Program Alignment Group (PAG) issued final recommendations on how to realign the FDA, releasing six distinct "Action Plans" in a bid to improve the agency’s structure and regulation.
The PAG, composed of senior FDA officials, was created in 2013 to identify and develop plans to adjust the FDA’s functions, processes and structure. The changes are aimed at meeting the challenges posed by scientific innovation, globalization, the increasing scope and complexity of the products regulated by the FDA, and new legal authorities.
Officials were charged with developing action plans to revise the FDA’s functions and processes to address these challenges. The Directorates, Centers and the Office of Regulatory Affairs (ORA) worked closely to define the changes required, resulting in each regulatory program establishing detailed action plans.
The action plans represent the critical actions to fulfil the FDA’s mission in the key areas of specialization; training; work planning; compliance policy and enforcement strategy; imports; laboratory optimization; and information technology.
FDA Commissioner Margaret Hamburg said that the revamp would more fully align ORA centers without losing operational, organizational or fiscal resources. Hamburg also noted the PAG’s endorsement of more specialized resources, as some medical devices are now so complex that it may require sub-specialists in one specific area to be able to perform effective oversight of a single manufacturer, saying this would necessitate advanced training resources and new methods of management within ORA.
Concerning compliance, the PAG found that centers should be charged with creating new program-based work planning regimens that use risk factors, public health outcomes, past inspectional history and operational experience as the basis of compliance activities.
Notable changes recommended in the action plans include the creation of "senior executive program directors" in ORA, giving the centers a single senior executive responsible for each commodity program, as opposed to having several ORA units responsible for given programs.
Also, centers will work to develop new inspection approaches, with the Center for Devices and Radiological Health working with ORA to focus inspection on critical medical device characteristics and features, for example. Hamburg also said that at the Center for Biologics Evaluation and Research, ORA will work on crafting a biologics training curriculum and new certification tools for its inspectors.
In a broader sense, the FDA will also be developing a multi-year plan to enhance the quality of its scientific laboratories, hiring new analysts and buying new equipment to ensure cutting-edge products can be regulated. The majority of major changes will come in the first two quarters of 2015, with more substantial modifications taking even longer.
This report is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This report does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.