Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile Health (mHealth) Zachary Rothstein, Associate Vice President,

Presentation transcript:

Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile Health (mHealth) Zachary Rothstein, Associate Vice President, Technology & Regulatory Affairs, Advamed Jeffrey K. Shapiro, Director, Hyman, Phelps & McNamara, P.C. Moderated by Sonali Gunawardhana, Of Counsel, Wiley Rein LLP

FDLI Enforcement, Litigation, and Compliance Workshop mHealth Panel December 10, 2015 Zach Rothstein Associate Vice President Technology & Regulatory Affairs AdvaMed

Topics
1. Defining mHealth
2. The Digital Health Revolution
3. Regulatory and Policy Issues

What is mHealth?
Utilization of mobile technologies to provide health related solutions

The Digital Health Revolution
A Timeline Perspective
Phase I: Health and Wellness Products
Phase II: New Form Factors of Existing Medical Technologies
Phase III: Substantially New Medical Technologies

The Digital Health Revolution Phase I: Health and Wellness

The Digital Health Revolution Phase II: New Form Factors of Existing Med Tech

The Digital Health Revolution Phase III: Substantially New Medical Technologies

The Digital Health Revolution
Moore’s Law: The number of transistors per square inch on integrated circuits doubles about every two years

The Digital Health Revolution

The Digital Health Revolution
A Timeline Perspective
Phase I: Health and Wellness Products
Phase II: New Form Factors of Existing Medical Technologies
Phase III: Substantially New Medical Technologies

The Digital Health Revolution
Implementation Challenges
1. Regulatory/Policy Considerations
2. Payment Considerations
3. Validation/Usability/Review Considerations

FDLI Enforcement, Litigation, and Compliance Workshop mHealth Panel December 10, 2015 Jeffrey K. Shapiro Director Hyman, Phelps & McNamara

Definition of mHealth
The use of mobile devices such as smartphones and tablets
  – to deliver healthcare
  – while the patient is outside of the doctor’s office/hospital
  – as well as in traditional healthcare settings

Definition of Medical Device
Defined in the Federal Food, Drug and Cosmetic Act as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is... [either] intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals....”
Intended use is determined based upon labeling and advertising claims

Overlap is plain
As Zach showed, a variety of intended uses are possible
  – Health and wellness
  – New form factor for existing technologies
  – Substantially new medical technologies

Does FDA have authority to regulate all of it?
Potentially, most of it – some close cases
The statutory definition is very broad

Does FDA want to regulate all of it?
Mobile Apps Guidance (Sept 24, 2013)
  – An in-depth explanation of the agency’s “current thinking” on the appropriate regulation of mobile apps
  – Not legally binding, but very authoritative as to the agency’s posture
  – Can be extrapolated to other mHealth (not just apps)

No: Three Buckets
“Not regulated” - mobile apps that are not considered medical devices under the FDA regulations
“Enforcement discretion” - FDA’s decision not to enforce requirements under the Food, Drug, and Cosmetics Act (FD&C Act) on mobile apps that are medical devices, but pose a low risk to patients
“Regulated” - mobile apps that are considered medical devices under the FDA regulations, i.e., “mobile medical apps”

Unregulated
Mobile apps used for provider or patient medical training and education
Mobile apps used to automate operations in a healthcare setting and not for use in the diagnosis or treatment of disease

Enforcement Discretion
Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions
Mobile apps that automate simple tasks for health care providers

Enforcement Discretion
Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions
Mobile apps that automate simple tasks for health care providers
Mobile apps that use patient characteristics to provide patient specific screening, counseling and preventive recommendations from well known and established authorities

Regulated
Mobile apps that connect to medical devices to control them or to display, store, analyze or transmit patient specific medical device data
Mobile apps that transform a mobile platform with device functionality by using attachments, display screens, or sensors
Mobile apps that perform patient specific analysis and provide patient specific diagnosis or treatment recommendations

Clinical Decision Support
Pending FDA guidance
Proposed legislation (Medtech Act / SOFTWARE Act)
Rx v. Consumer

Manufacturers
Creates, designs, develops, labels, re-labels, remanufactures, modifies, or creates
  – A mobile medical app software system
  – From multiple components.
  – Could include a mobile medical app from commercial off the shelf (COTS) software components if marketed to perform as a mobile medical app

Manufacturers
Initiates specifications or requirements for mobile medical apps or procures product development / manufacturing services from other individuals or entities (second party) for subsequent commercial distribution
NOT a manufacturer
  – Manufacturers or distributors of mobile platforms who solely distribute or market their platform and do not “intend” for it to perform medical device functions
  – When mobile medical apps are run on a mobile platform, the mobile platform is treated as a component of the mobile medical app’s intended use

Questions?

FDLI’s Enforcement, Litigation, and Compliance Conference December 9-10, 2015 Renaissance Hotel DuPont Circle Sonali P. Gunawardhana, Of Counsel

Breakout Session: Medical Devices: Mobile Health (mHealth)
FDA’s Cybersecurity Guidance
In June 2013, FDA issued a safety communication entitled “Cybersecurity for Medical Devices and Hospital Networks,” in which the FDA recommended that medical device manufacturers and healthcare facilities adopt appropriate safeguards to reduce the risk of device failure due to a cyberattack.

Safety Communication: Cybersecurity for Medical Devices and Hospital Networks / Threats
Network-connected/configured medical devices infected or disabled by malware
Malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted devices
Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., by administrative, technical, and maintenance personnel)
Failure to provide timely security software updates and patches to medical devices and networks, and failure to address related vulnerabilities in older medical device models (legacy devices)
Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection

FDA Recommendations to Combat Threat
Take steps to limit device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include user authentication (for example, user ID and password, smartcard or biometric); strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches, and methods to restrict software or firmware updates to authenticated code. Note that FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation, as well as efficient restoration and recovery.

FDA Suggestions for Preventative Action for Health Care Facilities
Restrict unauthorized access to the network and networked medical devices.
Make certain that appropriate antivirus software and firewalls are up-to-date.
Monitor network activity for unauthorized use.
Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) may be able to assist in vulnerability reporting and resolution.
Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Additional FDA Initiatives Regarding Cybersecurity
Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication / July 2015
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff / October 2014
Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software / October 2014
FDA held a public workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity / October 2014
FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC). NH-ISAC is a non-profit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. / August 2014

Moving Forward: Collaborative Approaches to Medical Device Cybersecurity; Public Workshop; Request for Comments
The purpose of this workshop is to highlight past collaborative efforts; increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization's processes) which are used to evaluate cybersecurity status, standards, and tools in development; and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.
The public workshop will be held January 20-21, 2016, from 9 a.m. to 5:30 p.m.
May submit comments to FDA on the public workshop by February 22, 2016

Contact Information Sonali P. Gunawardhana 1776 K Street, NW Washington, DC (202)

Questions?