Certain Medical Devices Exempted from 510(k) Requirements
The Food and Drug Administration (FDA) recently identified a list of Class II Medical Devices that, when finalized, will be exempt from premarket notification (510(k)) requirements. This publication was made by the FDA pursuant to the 21st Century Cures Act, signed into law on December 13, 2016.
Premarket notification (510(k)) is one of several alternative procedures that medical device manufacturers must complete before they may market a medical device intended for human use. A 510(k) notification is required for medical devices that do not need premarket approval (PMA) from the FDA and are not exempt from the 510(k) requirement. The FDA explains that medical devices are classified into three classes (Classes I, II, and III) based on the level of control necessary to assure the safety and effectiveness of the device. Most Class I and II devices and a few Class III devices are subject to the 510(k) requirement. Although a 510(k) applicant does not need to provide scientific evidence of safety and effectiveness for the intended use of its device, the applicant must demonstrate that the device is at least as safe and effective as (“substantially equivalent” to) a legally marketed device (the “predicate device”).
The FDA may exempt devices from the 510(k) requirement. The factors the FDA uses to determine whether a device should be exempt from 510(k) requirements include: (1) whether the device has no significant history of false or misleading claims or of risks associated with inherent characteristics of the device; (2) whether the characteristics of the device necessary for its safe and effective performance are well established; (3) whether changes in the device that could affect safety and effectiveness will either (a) be readily detectable by users by visual examination or other means before causing harm or (b) not materially increase the risk of injury, incorrect diagnosis, or ineffective treatment; and (4) whether any changes to the device would be likely to result in a change in the device’s classification.
Section 3054 of the 21st Century Cures Act amended sections 510(l) and 510(m) of the Federal Food, Drug, and Cosmetic Act (FD&C Act). As amended, sections 510(l) and 510(m) require the FDA to publish a list of any Class I and Class II devices for which the FDA determines that premarket notification under section 510(k) is no longer necessary to provide reasonable assurance of safety and effectiveness. The FDA is required to publish initial lists for Class II devices and Class I devices within 90 days and 120 days, respectively, after enactment of the 21st Century Cures Act, and then to update the lists at least once every 5 years.
A list of 510(k)-exempt Class I devices is expected to be published in about 30 days.

Hackers Steal 600K Records from Health Care Firms – Could Your Wearable Device Be Next?
Security firm InfoArmor published a report in late July 2016 stating that a group of attackers had infiltrated American health care institutions, stolen at least 600,000 patient records, and attempted to sell more than 3 terabytes of associated data. In an interview with eWeek, InfoArmor chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise a range of health care organizations, including private clinics, vendors of medical equipment, and suppliers. Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including medical imaging data.
Komarov’s research should come as no surprise in view of a report issued by the Brookings Institution in May 2016 finding that 23% of all data breaches occur in the healthcare industry. In fact, nearly 90% of healthcare organizations suffered some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.
According to a report by Bloomberg BNA, while a number of legal mandates exist (e.g., the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration’s (FDA) premarket review), the existing guidelines are limited. Furthermore, medical devices face certain unique cybersecurity pitfalls. For example, although HIPAA protects health information regardless of where it is stored, protected health information that remains on discarded or nonfunctional medical devices can easily be overlooked.
Connected medical devices (i.e., medical devices that can transmit information over the internet or a networked system) also pose unexpected risks and challenges. For example, the ability of hackers to remotely access connected medical devices could, in principle, result in significant threats to patient health and safety. A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president. While such situations seem far-fetched, in an interview on “60 Minutes” it was revealed that Vice President Dick Cheney’s doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.
While such fears may seem fueled by paranoia, recent studies have shown that such security threats are a real concern. Bloomberg Businessweek reported in November 2015 that the Mayo Clinic had engaged a number of high-profile “white hat” hackers to study cybersecurity vulnerabilities in its medical devices. These “white hat” hackers worked on a number of different medical devices, including cardiac monitors, infusion pumps, and hospital beds. In one alarming example, one hacker gained control of an infusion pump, the Hospira Symbiq Infusion System, and was able to remotely cause it to deliver a potentially lethal dose of medication. Shortly thereafter, the FDA issued a safety communication urging health care facilities to stop using the pump and transition to alternative infusion systems.
With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.

FDA Issues Proposed Guidance for Changes to Medical Device Software
The U.S. Food & Drug Administration (FDA) issued a proposed guidance on August 8, 2016, regarding software changes to medical devices. The proposed guidance addresses when medical device software changes must be submitted to the FDA for clearance. The final document will help medical device companies and the FDA determine when changes to the software or firmware of a medical device require a new FDA clearance. The medical devices covered include 510(k)-cleared devices and preamendments devices subject to 510(k).
The FDA’s proposed guidance explains that premarket notifications are generally submitted for commercially-distributed medical devices undergoing significant changes in design. Such changes include modifications that “could significantly affect the safety or effectiveness of the device” or a “major change or modification in the intended use of the device.” The proposed guidance relates to software changes and is an update to the original guidance issued in 1997 regarding changes to existing devices.
The “software” subject to the proposed guidance is defined as “electronic instructions used to control the actions or output of a medical device, to provide input to or output from a medical device, or to provide the actions of a medical device.” This includes software embedded in a device, software that is an accessory to another device, and “software that is intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device.”
The FDA provides a flow chart to assist with the determination. Issues addressed in the determination include changes related to: strengthening cybersecurity; meeting specifications of the most recently cleared device; introducing or affecting hazardous situations; creating new risk control measures; and affecting the clinical functionality or intended use of the device. Additional factors to consider beyond those in the flow chart, and some examples of modifications, are provided in the draft guidance as well.
The proposed guidance notes that in some cases a new 510(k) is not necessary and that existing Quality System (QS) requirements may suffice. Those QS requirements mandate, among other things, that the manufacturer maintain records, available for production upon request, documenting such changes and the processes used to determine that the changed device meets its design specifications. Further, the proposed guidance does not apply to software for which the FDA has previously said it will not enforce compliance, including some mobile apps used with medical devices.
Some observers think the proposed guidance will help improve the cybersecurity of connected medical devices. The public may submit comments to the FDA on the proposed guidance, electronically or in writing, until November 7, 2016.