Enforcement Litigation and Compliance Washington, DC December 9-10, 2015 Medical Devices: Mobile...
Enforcement Litigation and Compliance
Washington, DC
December 9-10, 2015
Medical Devices: Mobile Health (mHealth)
Zachary Rothstein, Associate Vice President, Technology & Regulatory Affairs, Advamed
Jeffrey K. Shapiro, Director, Hyman, Phelps & McNamara, P.C.
Moderated by Sonali Gunawardhana, Of Counsel, Wiley Rein LLP
FDLI Enforcement, Litigation, and Compliance Workshop
mHealth Panel
December 10, 2015
Zach Rothstein
Associate Vice President
Technology & Regulatory Affairs
AdvaMed
Topics
1. Defining mHealth
2. The Digital Health Revolution
3. Regulatory and Policy Issues
What is mHealth?
Utilization of mobile technologies to provide health related solutions
Digital Health
Telehealth
eHealth
Connected Health
Smart Health
The Digital Health Revolution: A Timeline Perspective
Phase I: Health and Wellness Products
Phase II: New Form Factors of Existing Medical Technologies
Phase III: Substantially New Medical Technologies
The Digital Health Revolution
• Phase I: Health and Wellness
• Phase II: New Form Factors of Existing Med Tech
• Phase III: Substantially New Medical Technologies
Moore’s Law: The number of transistors per square inch on integrated circuits doubles about every two years
The Digital Health Revolution: A Timeline Perspective
Phase I: Health and Wellness Products
Phase II: New Form Factors of Existing Medical Technologies
Phase III: Substantially New Medical Technologies
2006 2015 ?
The Digital Health Revolution
• Implementation Challenges
1. Regulatory/Policy Considerations
2. Payment Considerations
3. Validation/Usability/Review Considerations
FDLI Enforcement, Litigation, and Compliance Workshop
mHealth Panel
December 10, 2015
Jeffrey K. Shapiro
Director
Hyman, Phelps & McNamara, P.C.
Definition of mHealth
• The use of mobile devices such as smartphones and tablets
– to deliver healthcare
– while the patient is outside of the doctor’s office/hospital
– as well as in traditional healthcare settings
Definition of Medical Device
• Defined in the Federal Food, Drug and Cosmetic Act as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is. . . [either] intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals . . . .”
• Intended use is determined based upon labeling and advertising claims
Overlap is plain
• As Zach showed, a variety of intended uses are possible
– Health and wellness
– New form factor for existing technologies
– Substantially new medical technologies
Does FDA have authority to regulate all of it?
• Potentially, most of it – some close cases
• The statutory definition is very broad
Does FDA want to regulate all of it?
• Mobile Apps Guidance (Sept 24, 2013)
– An in-depth explanation of the agency’s “current thinking” on the appropriate regulation of mobile apps
– Not legally binding, but very authoritative as to the agency’s posture
– Can be extrapolated to other mHealth (not just apps)
No: Three Buckets
• “Not regulated” - mobile apps that are not considered medical devices under the FDA regulations
• “Enforcement discretion” - FDA’s decision not to enforce requirements under the Food, Drug, and Cosmetics Act (FD&C Act) on mobile apps that are medical devices, but pose a low risk to patients
• “Regulated” - mobile apps that are considered medical devices under the FDA regulations, i.e., “mobile medical apps”
Unregulated
• Mobile apps used for provider or patient medical training and education
• Mobile apps used to automate operations in a healthcare setting and not for use in the diagnosis or treatment of disease
Enforcement Discretion
• Mobile apps that help patients self-manage their disease or conditions without providing specific treatment suggestions
• Mobile apps that automate simple tasks for health care providers
• Mobile apps that use patient characteristics to provide patient specific screening, counseling and preventive recommendations from well known and established authorities
Regulated
• Mobile apps that connect to medical devices to control them or to display, store, analyze or transmit patient specific medical device data
• Mobile apps that transform a mobile platform with device functionality by using attachments, display screens, or sensors
• Mobile apps that perform patient specific analysis and provide patient specific diagnosis or treatment recommendations
Clinical Decision Support
• Pending FDA guidance
• Proposed legislation (Medtech Act / SOFTWARE Act)
• Rx v. Consumer
Manufacturers
• Creates, designs, develops, labels, re-labels, remanufactures, modifies, or creates
– A mobile medical app software system
– From multiple components.
– Could include a mobile medical app from commercial off the shelf (COTS) software components if marketed to perform as a mobile medical app
Manufacturers
• Initiates specifications or requirements for mobile medical apps or procures product development / manufacturing services from other individuals or entities (second party) for subsequent commercial distribution
• NOT a manufacturer
– Manufacturers or distributors of mobile platforms who solely distribute or market their platform and do not “intend” for it to perform medical device functions
– When mobile medical apps are run on a mobile platform, the mobile platform is treated as a component of the mobile medical app’s intended use
Questions?
FDLI’s Enforcement, Litigation, and Compliance Conference
December 9-10, 2015
Renaissance Hotel DuPont Circle
Sonali P. Gunawardhana, Of Counsel
Breakout Session: Medical Devices: Mobile Health (mHealth)
FDA’s Cybersecurity Guidance
• In June 2013, FDA issued a safety communication entitled “Cybersecurity for Medical Devices and Hospital Networks,” in which the FDA recommended that medical device manufacturers and healthcare facilities adopt appropriate safeguards to reduce the risk of device failure due to a cyberattack.
Safety Communication: Cybersecurity for Medical Devices and Hospital Networks
Threats
• Network-connected/configured medical devices infected or disabled by malware
• Malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted devices
• Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., by administrative, technical, and maintenance personnel)
• Failure to provide timely security software updates and patches to medical devices and networks, and failure to address related vulnerabilities in older medical device models (legacy devices)
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection
FDA Recommendations to Combat Threat
• Take steps to limit device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
• Appropriate security controls may include user authentication (for example, user ID and password, smartcard or biometric); strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches, and methods to restrict software or firmware updates to authenticated code. Note that FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
• Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
• Provide methods for retention and recovery after an incident where security has been compromised.
• Cybersecurity incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation, as well as efficient restoration and recovery.
FDA Suggestions for Preventative Action for Health Care Facilities
• Restrict unauthorized access to the network and networked medical devices.
• Make certain that appropriate antivirus software and firewalls are up-to-date.
• Monitor network activity for unauthorized use.
• Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
• Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) may be able to assist in vulnerability reporting and resolution.
• Develop and evaluate strategies to maintain critical functionality during adverse conditions.
Additional FDA Initiatives Regarding Cybersecurity
• Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication (July 2015)
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff (October 2014)
• Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (October 2014)
• FDA held a public workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity (October 2014)
• FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC). NH-ISAC is a non-profit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. (August 2014)
Moving Forward: Collaborative Approaches to Medical Device Cybersecurity; Public Workshop; Request for Comments
• The purpose of this workshop is to highlight past collaborative efforts; increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization's processes) which are used to evaluate cybersecurity status, standards, and tools in development; and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.
• The public workshop will be held January 20-21, 2016, from 9 a.m. to 5:30 p.m.
• Comments on the public workshop may be submitted to FDA by February 22, 2016.
Contact Information
Sonali P. Gunawardhana
1776 K Street, NW
Washington, DC 20006
(202) 719-7454
www.wileyrein.com/professionals.cfm?sp=bio&id=1624
Questions?