Two Drugs Recalled Due to Manufacturing Issues

By Mark Rubinshtein

(December 13, 2021) Two pharmaceutical companies have issued recalls in December due to manufacturing issues that may impact the safety and quality of their drug products.

Edge Pharma issued a voluntary recall for all drug products produced in its FDA-registered 503B outsourcing facility in Colchester, VT.  Edge stated that products were removed as a result of “process issues” that may have impacted the sterility of its drug products.  The recall includes a wide variety of sterile products.  These include lidocaine, vancomycin, norepinephrine, and methotrexate, as well as a number of non-sterile products.  The use of non-sterile drug products that are intended to be sterile may result in serious, possibly fatal, infections.

Also this month, Teligent, Inc. issued a voluntary worldwide recall on two lots of their topical lidocaine solution due to superpotency.  The two lots had been distributed throughout the United States.  Superpotent lidocaine can be dangerous to patients and has the potential to cause systemic toxicity leading to hypotension, bradycardia, and possible cardiovascular collapse. In October, the New Jersey company issued a similar recall in connection with five lots of topical lidocaine solution.

Fortunately, no adverse events related to the December recalls by either Edge or Teligent have been reported.

Recall Highlights Medical Device Cybersecurity Issues

On August 29, the FDA announced a recall of 465,000 implantable pacemakers, citing concerns that hackers may be able to take control of the pacemakers’ settings. This would open patients up to danger from improper pacing or rapid depletion of the devices’ batteries, according to the FDA’s statement.  Instead of removing and replacing the pacemakers, the recall is designed so that doctors will install a firmware upgrade that removes the vulnerability.

Newsfactor reports that there have been no reported exploits of the vulnerability and no devices have yet been compromised.

The recall highlights that medical device manufacturers are beginning to take a more focused approach to cybersecurity.  Mac McMillan, CEO of privacy and cybersecurity firm Cynergistek, told Modern Healthcare that “If devicemakers didn’t already have developers sitting around looking at cybersecurity, they now have to incur the costs of making sure their devices stay current. In the past, they’ve developed devices and put them on the market and moved onto the next device. This is a new thing for them.”

Mike Kijewski, CEO of medical device security company Medcrypt, also suggested that the FDA should update its regulations to help medical device companies stay on top of cybersecurity threats.  “If the FDA can say you’re just doing the update for cybersecurity and the changes are minimal and the functionality of the device isn’t changing, they can make the update happen faster,” Kijewski suggested.

Canada’s equivalent of the FDA, Health Canada, is still looking into the vulnerability and its proposed solution, and has set a target of 75 days to resolve the situation.

[Image: an example, provided in InfoArmor's July 2016 report, of the type of data hackers were able to obtain]

Hackers Steal 600K Records from Health Care Firms – Could Your Wearable Device Be Next?

Security firm InfoArmor published a report in late July 2016 stating that a group of attackers infiltrated American health care institutions, stole at least 600,000 patient records and attempted to sell more than 3 terabytes of associated data.  In an interview with eWeek, chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise different health care institutions such as private clinics, vendors of medical equipment, and suppliers.  Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including imaging data (as shown in the accompanying image).

Komarov’s research should come as no surprise in view of a report issued by the Brookings Institute in May 2016 reporting that 23% of all data breaches occur in the healthcare industry.  In fact, nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.

According to a report by Bloomberg BNA, while a number of legal mandates exist (e.g. the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration’s (FDA) premarket review), the existing guidelines are limited.  Furthermore, medical devices face certain unique cybersecurity pitfalls.  For example, while HIPAA applies to protect health information regardless of where it’s stored, protected health information that remains on discarded or nonfunctional medical devices can be overlooked.

Connected medical devices (i.e., medical devices that can transmit information through the internet or a networked system) also pose unexpected risks and challenges.  For example, the ability for hackers to remotely access connected medical devices can hypothetically result in significant threats to patient health and safety.  A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president.  While such situations seem far-fetched, in an interview on “60 Minutes,” it was revealed that Vice President Dick Cheney’s doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.

While such fears may seem fueled by paranoia, recent studies have shown that such security threats may be a real concern.  Bloomberg Businessweek reported in November 2015 that the Mayo Clinic engaged a number of high-profile “white hat” hackers to conduct a study of cybersecurity vulnerabilities in their medical devices.  These “white hat” hackers worked on a number of different medical devices, including cardiac monitors, infusion pumps, and hospital beds. In one alarming example, one hacker was able to gain control of an infusion pump – the Hospira Symbiq Infusion System – and was able to remotely cause it to deliver a potentially lethal dose of medication.  Shortly thereafter, the FDA issued a safety notice recommending a recall of the pump and that its use be stopped.

With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.