Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile...

Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile Health (mHealth) Zachary Rothstein, Associate Vice President, Technology & Regulatory Affairs, Advamed Jeffrey K. Shapiro, Director, Hyman, Phelps & McNamara, P.C. Moderated by Sonali Gunawardhana, Of Counsel, Wiley Rein LLP

Page 1

Enforcement Litigation and Compliance

Washington, DC

December 9-10, 2015

Medical Devices: Mobile Health (mHealth)

Zachary Rothstein, Associate Vice President, Technology & Regulatory Affairs, Advamed

Jeffrey K. Shapiro, Director, Hyman, Phelps & McNamara, P.C.

Moderated by Sonali Gunawardhana, Of Counsel, Wiley Rein LLP

Page 2

FDLI Enforcement, Litigation, and Compliance Workshop

mHealth Panel

December 10, 2015

Zach Rothstein

Associate Vice President

Technology & Regulatory Affairs

AdvaMed

Page 3

Topics

1. Defining mHealth

2. The Digital Health Revolution

3. Regulatory and Policy Issues

Page 4

What is mHealth?

Utilization of mobile technologies to provide health related solutions

Digital Health

Telehealth

eHealth

Connected Health

Smart Health

Page 5

The Digital Health Revolution

A Timeline Perspective

Phase I: Health and Wellness Products

Phase II: New Form Factors of Existing Medical Technologies

Phase III: Substantially New Medical Technologies

Page 6

The Digital Health Revolution

• Phase I: Health and Wellness

Page 7

The Digital Health Revolution

• Phase II: New Form Factors of Existing Med Tech

Page 8

The Digital Health Revolution

• Phase III: Substantially New Medical Technologies

Page 9

The Digital Health Revolution

Moore’s Law:

The number of transistors per square inch on integrated circuits doubles about every two years

Page 10

The Digital Health Revolution

Page 11

The Digital Health Revolution

Page 12

The Digital Health Revolution

A Timeline Perspective

Phase I: Health and Wellness Products

Phase II: New Form Factors of Existing Medical Technologies

Phase III: Substantially New Medical Technologies

2006 2015 ?

Page 13

The Digital Health Revolution

• Implementation Challenges

1. Regulatory/Policy Considerations

2. Payment Considerations

3. Validation/Usability/Review Considerations

Page 14

FDLI Enforcement, Litigation, and Compliance Workshop

mHealth Panel

December 10, 2015

Jeffrey K. Shapiro

Director

Hyman, Phelps & McNamara, P.C.

[email protected]

Page 15

Definition of mHealth

• The use of mobile devices such as smartphones and tablets

– to deliver healthcare

– while the patient is outside of the doctor’s office/hospital

– as well as in traditional healthcare settings

Page 16

Definition of Medical Device

• Defined in the Federal Food, Drug and Cosmetic Act as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is. . . [either] intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals . . . .”

• Intended use is determined based upon labeling and advertising claims

Page 17

Overlap is plain

• As Zach showed, a variety of intended uses are possible

– Health and wellness

– New form factor for existing technologies

– Substantially new medical technologies

Page 18

Does FDA have authority to regulate all of it?

• Potentially, most of it – some close cases

• The statutory definition is very broad

Page 19

Does FDA want to regulate all of it?

• Mobile Apps Guidance (Sept 24, 2013)

– An in-depth explanation of the agency’s “current thinking” on the appropriate regulation of mobile apps

– Not legally binding, but very authoritative as to the agency’s posture

– Can be extrapolated to other mHealth (not just apps)

Page 20

No: Three Buckets

• “Not regulated” - mobile apps that are not considered medical devices under the FDA regulations

• “Enforcement discretion” - FDA’s decision not to enforce requirements under the Food, Drug, and Cosmetics Act (FD&C Act) on mobile apps that are medical devices, but pose a low risk to patients

• “Regulated” - mobile apps that are considered medical devices under the FDA regulations, i.e., “mobile medical apps”

Page 21

Unregulated

• Mobile apps used for provider or patient medical training and education

• Mobile apps used to automate operations in a healthcare setting and not for use in the diagnosis or treatment of disease

Page 22

Enforcement Discretion

• Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions

• Mobile apps that automate simple tasks for health care providers

Page 23

Enforcement Discretion

• Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions

• Mobile apps that automate simple tasks for health care providers

• Mobile apps that use patient characteristics to provide patient specific screening, counseling and preventive recommendations from well known and established authorities

Page 24

Regulated

• Mobile apps that connect to medical devices to control them or to display, store, analyze or transmit patient specific medical device data

• Mobile apps that transform a mobile platform with device functionality by using attachments, display screens, or sensors

• Mobile apps that perform patient specific analysis and provide patient specific diagnosis or treatment recommendations

Page 25

Clinical Decision Support

• Pending FDA guidance

• Proposed legislation (Medtech Act / SOFTWARE Act)

• Rx v. Consumer

Page 26

Manufacturers

• Creates, designs, develops, labels, re-labels, remanufactures, modifies, or creates

– A mobile medical app software system

– From multiple components.

– Could include a mobile medical app from commercial off the shelf (COTS) software components if marketed to perform as a mobile medical app

Page 27

Manufacturers

• Initiates specifications or requirements for mobile medical apps or procures product development / manufacturing services from other individuals or entities (second party) for subsequent commercial distribution

• NOT a manufacturer

– Manufacturers or distributors of mobile platforms who solely distribute or market their platform and do not “intend” for it to perform medical device functions

– When mobile medical apps are run on a mobile platform, the mobile platform is treated as a component of the mobile medical app’s intended use

Page 28

Questions?

Page 29

FDLI’s Enforcement, Litigation, and Compliance Conference

December 9-10, 2015

Renaissance Hotel DuPont Circle

Sonali P. Gunawardhana, Of Counsel

Page 30

Breakout Session: Medical Devices: Mobile Health (mHealth)

FDA’s Cybersecurity Guidance

• In June 2013, FDA issued a safety communication entitled “Cybersecurity for Medical Devices and Hospital Networks,” in which the FDA recommended that medical device manufacturers and healthcare facilities adopt appropriate safeguards to reduce the risk of device failure due to a cyberattack.

Page 31

Safety Communication: Cybersecurity for Medical Devices and Hospital Networks/

Threats

• Network-connected/configured medical devices infected or disabled by malware

• Malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted devices

• Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., by administrative, technical, and maintenance personnel)

• Failure to provide timely security software updates and patches to medical devices and networks, and failure to address related vulnerabilities in older medical device models (legacy devices)

• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection

Page 32

FDA Recommendations to Combat Threat

• Take steps to limit device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.

• Appropriate security controls may include user authentication (for example, user ID and password, smartcard or biometric); strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.

• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches, and methods to restrict software or firmware updates to authenticated code. Note that FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.

• Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”

• Provide methods for retention and recovery after an incident where security has been compromised.

• Cybersecurity incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation, as well as efficient restoration and recovery

Page 33

FDA Suggestions for Preventative Action for Health Care Facilities

• Restrict unauthorized access to the network and networked medical devices.

• Make certain that appropriate antivirus software and firewalls are up-to-date.

• Monitor network activity for unauthorized use.

• Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

• Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) may be able to assist in vulnerability reporting and resolution.

• Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Page 34

Additional FDA Initiatives Regarding Cybersecurity

• Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication/ July 2015

• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff/ October 2014

• Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software/ October 2014

• FDA held a public workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity/ October 2014

• FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC). NH-ISAC is a non-profit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response./ August 2014

Page 35

Moving Forward: Collaborative Approaches to Medical Device Cybersecurity; Public Workshop; Request for Comments

• The purpose of this workshop is to highlight past collaborative efforts; increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization's processes) which are used to evaluate cybersecurity status, standards, and tools in development; and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.

• The public workshop will be held January 20-21, 2016, from 9 a.m. to 5:30 p.m.

• May submit comments to FDA on the public workshop by February 22, 2016

Page 36

Contact Information

Sonali P. Gunawardhana

1776 K Street, NW

Washington, DC 20006

(202) 719-7454

[email protected]

www.wileyrein.com/professionals.cfm?sp=bio&id=1624

Page 37

Questions?