Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile Health (mHealth) Zachary Rothstein, Associate Vice President,


1 Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile Health (mHealth) Zachary Rothstein, Associate Vice President, Technology & Regulatory Affairs, AdvaMed Jeffrey K. Shapiro, Director, Hyman, Phelps & McNamara, P.C. Moderated by Sonali Gunawardhana, Of Counsel, Wiley Rein LLP

2 FDLI Enforcement, Litigation, and Compliance Workshop mHealth Panel December 10, 2015 Zach Rothstein Associate Vice President Technology & Regulatory Affairs AdvaMed

3 Topics 1. Defining mHealth 2. The Digital Health Revolution 3. Regulatory and Policy Issues

4 What is mHealth? Utilization of mobile technologies to provide health related solutions

5 The Digital Health Revolution A Timeline Perspective Phase I: Health and Wellness Products Phase II: New Form Factors of Existing Medical Technologies Phase III: Substantially New Medical Technologies

6 The Digital Health Revolution Phase I: Health and Wellness

7 The Digital Health Revolution Phase II: New Form Factors of Existing Med Tech

8 The Digital Health Revolution Phase III: Substantially New Medical Technologies

9 The Digital Health Revolution Moore’s Law: The number of transistors per square inch on integrated circuits doubles about every two years

10 The Digital Health Revolution

11

12 The Digital Health Revolution A Timeline Perspective Phase I: Health and Wellness Products Phase II: New Form Factors of Existing Medical Technologies Phase III: Substantially New Medical Technologies

13 The Digital Health Revolution Implementation Challenges 1. Regulatory/Policy Considerations 2. Payment Considerations 3. Validation/Usability/Review Considerations

14 FDLI Enforcement, Litigation, and Compliance Workshop mHealth Panel December 10, 2015 Jeffrey K. Shapiro Director Hyman, Phelps & McNamara jshapiro@hpm.com

15 Definition of mHealth The use of mobile devices such as smartphones and tablets –to deliver healthcare –while the patient is outside of the doctor’s office/hospital –as well as in traditional healthcare settings

16 Definition of Medical Device Defined in the Federal Food, Drug and Cosmetic Act as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is... [either] intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals....” Intended use is determined based upon labeling and advertising claims

17 Overlap is plain As Zach showed, a variety of intended uses are possible –Health and wellness –New form factor for existing technologies –Substantially new medical technologies

18 Does FDA have authority to regulate all of it? Potentially, most of it – some close cases The statutory definition is very broad

19 Does FDA want to regulate all of it? Mobile Apps Guidance (Sept 24, 2013) –An in-depth explanation of the agency’s “current thinking” on the appropriate regulation of mobile apps –Not legally binding, but very authoritative as to the agency’s posture –Can be extrapolated to other mHealth (not just apps)

20 No: Three Buckets
–“Not regulated” - mobile apps that are not considered medical devices under the FDA regulations
–“Enforcement discretion” - FDA’s decision not to enforce requirements under the Food, Drug, and Cosmetic Act (FD&C Act) on mobile apps that are medical devices, but pose a low risk to patients
–“Regulated” - mobile apps that are considered medical devices under the FDA regulations, i.e., “mobile medical apps”

21 Unregulated Mobile apps used for provider or patient medical training and education Mobile apps used to automate operations in a healthcare setting and not for use in the diagnosis or treatment of disease

22 Enforcement Discretion Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions Mobile apps that automate simple tasks for health care providers

23 Enforcement Discretion Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions Mobile apps that automate simple tasks for health care providers Mobile apps that use patient characteristics to provide patient specific screening, counseling and preventive recommendations from well known and established authorities

24 Regulated
–Mobile apps that connect to medical devices to control them or to display, store, analyze or transmit patient specific medical device data
–Mobile apps that transform a mobile platform with device functionality by using attachments, display screens, or sensors
–Mobile apps that perform patient specific analysis and provide patient specific diagnosis or treatment recommendations

25 Clinical Decision Support Pending FDA guidance Proposed legislation (Medtech Act / SOFTWARE Act) Rx v. Consumer

26 Manufacturers Creates, designs, develops, labels, re-labels, remanufactures, modifies, or creates –A mobile medical app software system –From multiple components. –Could include a mobile medical app from commercial off the shelf (COTS) software components if marketed to perform as a mobile medical app

27 Manufacturers Initiates specifications or requirements for mobile medical apps or procures product development / manufacturing services from other individuals or entities (second party) for subsequent commercial distribution NOT a manufacturer –Manufacturers or distributors of mobile platforms who solely distribute or market their platform and do not “intend” for it to perform medical device functions –When mobile medical apps are run on a mobile platform, the mobile platform is treated as a component of the mobile medical app’s intended use

28 Questions?

29 FDLI’s Enforcement, Litigation, and Compliance Conference December 9-10, 2015 Renaissance Hotel DuPont Circle Sonali P. Gunawardhana, Of Counsel

30 Breakout Session: Medical Devices: Mobile Health (mHealth) FDA’s Cybersecurity Guidance In June 2013, FDA issued a safety communication entitled “Cybersecurity for Medical Devices and Hospital Networks,” in which the FDA recommended that medical device manufacturers and healthcare facilities adopt appropriate safeguards to reduce the risk of device failure due to a cyberattack.

31 Safety Communication: Cybersecurity for Medical Devices and Hospital Networks / Threats
–Network-connected/configured medical devices infected or disabled by malware
–Malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted devices
–Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., by administrative, technical, and maintenance personnel)
–Failure to provide timely security software updates and patches to medical devices and networks, and failure to address related vulnerabilities in older medical device models (legacy devices)
–Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection

32 FDA Recommendations to Combat Threat
–Take steps to limit device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include user authentication (for example, user ID and password, smartcard or biometric); strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
–Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches, and methods to restrict software or firmware updates to authenticated code. Note that FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
–Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
–Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation, as well as efficient restoration and recovery.

33 FDA Suggestions for Preventative Action for Health Care Facilities
–Restrict unauthorized access to the network and networked medical devices.
–Make certain that appropriate antivirus software and firewalls are up-to-date.
–Monitor network activity for unauthorized use.
–Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
–Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) may be able to assist in vulnerability reporting and resolution.
–Develop and evaluate strategies to maintain critical functionality during adverse conditions.

34 Additional FDA Initiatives Regarding Cybersecurity
–Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication / July 2015
–Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff / October 2014
–Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software / October 2014
–FDA held a public workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity / October 2014
–FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC). NH-ISAC is a non-profit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. / August 2014

35 Moving Forward: Collaborative Approaches to Medical Device Cybersecurity; Public Workshop; Request for Comments
–The purpose of this workshop is to highlight past collaborative efforts; increase awareness of existing maturity models (i.e., frameworks leveraged for benchmarking an organization's processes) which are used to evaluate cybersecurity status, standards, and tools in development; and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.
–The public workshop will be held January 20-21, 2016, from 9 a.m. to 5:30 p.m.
–Comments on the public workshop may be submitted to FDA by February 22, 2016.

36 Contact Information Sonali P. Gunawardhana 1776 K Street, NW Washington, DC 20006 (202) 719-7454 sgunawardhana@wileyrein.com http://www.wileyrein.com/professionals.cfm?sp=bio&id=1624

37 Questions?

