Blog Tag: regulation
In a recent report, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recommended that the U.S. Food & Drug Administration (FDA) include cybersecurity review as a greater part of the premarket review process for medical devices. In particular, the report suggests including cybersecurity documentation as a criterion in the FDA’s Refuse-To-Accept (RTA) checklist, using presubmission meetings to address cybersecurity questions, and including cybersecurity as an element of the FDA’s Smart template.
The FDA has been ramping up its cybersecurity review lately to deal with increased cybersecurity concerns. For example, a ransomware attack caused an Indiana hospital to shut down its system. Other cyberattacks may have gone undetected.
Currently, the FDA reviews documentation that manufacturers submit regarding cybersecurity as part of the premarket submissions. The FDA uses this information to consider known cybersecurity risks and threats when reviewing submissions that deal with networked medical devices. The FDA may request additional information from applicants when submissions require clarification or when cybersecurity documentation is lacking. In view of these requests, the FDA regularly approves manufacturers on cybersecurity issues when sufficient documentation is provided.
For example, in one review of a glucose monitoring system, an FDA reviewer did not find “any information on how the manufacturer included cybersecurity in the device’s design,” according to the report. “The FDA reviewer explained that the device relied heavily on users to protect against cybersecurity threats by using antivirus software and enabling firewalls. The FDA reviewer requested that the manufacturer update its hazard analysis to address the missing information. The manufacturer did so, and FDA found the update to be acceptable.”
Because of examples like this, the report suggests using cybersecurity documentation as an element in the FDA’s RTA checklist. The RTA checklist is a screen against incomplete applications. Were cybersecurity part of these checklists, failure by a manufacturer to provide adequate cybersecurity documentation could prevent the FDA from accepting the submission for substantive review.
The report also suggests that the FDA use presubmission meetings to address cybersecurity-related questions. These meetings serve as a way for manufacturers to ask the FDA specific questions, such as whether the submission satisfies the FDA’s standards. During these meetings, the FDA can include cybersecurity as part of the discussion, which may reduce the amount of time for the FDA review.
Finally, the report recommended that cybersecurity be a stand-alone element in the FDA’s Smart template. A dedicated section on cybersecurity could allow FDA reviewers to explain the results of their review regarding cybersecurity in a standard format.
The FDA has agreed with these recommendations and has begun taking steps to implement them, such as by including cybersecurity in the Smart template. The FDA also said that it “intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.” The FDA is also currently considering new rules that may require submission of software as part of a premarket submission.
Healthcare apps are becoming a greater part of everyday life. The increasing prominence and functionality of these apps has led to the question of when healthcare apps should be regulated as medical devices. In the United States, the FDA has issued some guidance on how it will treat healthcare-related apps. However, the FDA’s guidance only provides a list of examples of what constitutes a medical device, leaving the app developers to try to analogize their new apps to the examples or interpret the statutory language.
The United Kingdom Medicines and Healthcare Products Regulatory Agency (MHRA) has attempted to simplify the regulatory determination for app developers by updating its guidance on classifying health apps as medical devices. As part of the update, the MHRA published a “step-by-step interactive PDF” to assist app developers in determining whether their app will be regulated.
According to the press release, “[a]pp users can use this guidance to check if their health app is a medical device.” The goal of the update is to “aid developers in navigating the regulatory system so they are aware what procedures they need to have in place to get a CE mark which indicates acceptable safety standards and performance, and what their reporting responsibilities are when things change or go wrong.” John Wilkinson, MHRA’s Director of Medical Devices, stated:
“Where apps or stand-alone software make a diagnosis or recommend a treatment, people should check for CE-marking before using their apps and developers should make sure they are complying with the appropriate medical device regulations.”
To further MHRA’s goal of assisting app developers with CE marking regulation, the interactive PDF provides a flow chart to help app creators determine whether their app could potentially be classified as a medical device.
The interactive PDF also provides additional flow charts for determining whether an app has a medical purpose and whether an app works directly with in vitro diagnostic (IVD) data. Additionally, the interactive PDF sets forth the “essential requirements” that app developers must meet in the event their app is classified as a medical device. MHRA has inserted explanatory comments into this requirements section that give simple examples or a brief interpretation of the regulatory text. MHRA also provided links in the PDF where app developers can go for additional guidance.
A roundup of the FDA’s Quality System program for 2015 shows 2,104 inspections, compared to 2,213 in 2014, a decrease the FDA calls “slight.” The Quality System program began in the mid-1990s and is designed to ensure ongoing safety and quality in the design, manufacturing, packaging, labeling, storing, and servicing of medical devices. The FDA can inspect facilities used by medical device manufacturers as well as issue warning letters to potentially non-compliant manufacturers under the regulation.
Despite the drop of around 5% in inspections overall, inspections of non-U.S. manufacturers rose from 594 in 2014 to 620 in 2015. China and Germany accounted for most of the foreign inspections, with 126 and 90 respectively. No other country had more than 50 inspections last year. The FDA noted that it has “been working toward increased foreign inspections as foreign manufacturer inventory has been growing rapidly.”
The number of warning letters issued by the FDA under the Quality System program remained the same from 2014 to 2015, at 121 warning letters. The number of warning letters issued by the FDA had previously been decreasing by about 20 per year.
The FDA hopes that by releasing this data, industry can “improve device quality by sharing common observations from inspections” and avoid receiving warning letters.
The report was prepared by the FDA’s Center for Devices and Radiological Health, which promotes safety and innovation in the medical device field.