The U.S. Food and Drug Administration (FDA) announced an agreement with the U.S. Department of Homeland Security (DHS) to strengthen the partnership between the agencies and “stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities.”
The agreement formalizes a long-standing relationship by developing a new framework for greater coordination and cooperation. As part of the new framework, specific responsibilities have been assigned to the FDA and the National Protection and Programs Directorate (NPPD), a component of the DHS. The following table provides a breakdown of the responsibilities outlined in the agreement:
|FDA Responsibilities||NPPD Responsibilities|
|1. Coordinate and participate in regular, ad hoc, and emergency coordination calls to enhance mutual awareness of vulnerabilities and threats||1. Serve as central medical device vulnerability coordination center|
|2. Provide NPPD with draft public releases to facilitate coordination of messaging||2. Participate in regular, ad hoc, and emergency coordination calls with FDA to enhance mutual awareness of vulnerabilities and threats|
|3. Comment in a timely manner on NPPD draft advisories and alerts||3. Confer with entities providing sensitive information prior to sharing any CCI, trade secret, or PCII-protected vulnerability or product information with the FDA|
|4. Assess the risk to health and patient harm when potential impact is disputed||4. Coordinate with FDA on the content of alerts and advisories to be published by DHS|
|5. Submit requests to NPPD for independent third-party technical assistance to analyze and test medical systems||5. Maintain technical capabilities to support requests for independent third-party analysis regarding the impact of vulnerabilities|
|6. Share non-trade secret information to resolve disputes of risk, impacts, and communication||6. Publish healthcare and public health related alerts and advisories|
In summary, the DHS will serve as the central coordination center and interface with appropriate stakeholders, and the FDA will provide technical and clinical expertise regarding medical devices.
FDA Commissioner Scott Gottlieb, M.D., during his discussion of the new agreement, addressed the FDA’s continued commitment to confront cybersecurity risk, while also recognizing the need for increased coordination between government agencies:
The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns . . . But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges. That’s why this announcement is so important.
This agreement is not the first time a government agency has reached out to the FDA in an effort to strengthen medical device cybersecurity. As previously reported on the KnobbeMedical blog, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General recommended earlier this year that the FDA include cybersecurity review as a greater part of the premarket review process for medical devices (e.g., through the inclusion of a Refuse-To-Accept checklists). This new FDA-DHS agreement is another example of continuing attempts to address ongoing medical device cybersecurity risks.
Best Practices, LLC recently released a study that provides insights into the amount of resources pharmaceutical and medical device companies allocate to ensure their products meet quality and regulatory standards. The study includes aggregate and anonymized data from 31 large medical companies, including Fisher & Paykel Healthcare, ResMed, Smith & Nephew, and Medtronic, among others. The majority of the surveyed companies operate primarily in the medical device field, but the data also includes results from diagnostic and pharmaceutical companies.
According to Best Practices, the study benchmarks the amount resources spent on quality assurance systems, regulatory affairs, and post-market surveillance of products. One exemplary finding was that, for the average company, the resources expended on the combined quality and regulatory systems amounted to nearly 8% of all company FTEs (full-time employee equivalence). The report further observes that more resources should be spent on the quality assurance system as company revenues increase to maintain consistent quality practices during expansion of operations.
Other sections of the report include data and analysis regarding the particulars of quality assurance systems including the number of CAPAs, NCEs, field actions, change requests, and FDA warning letters reported by individual companies. The study also includes data on the volume and duration of complaints received through post-market surveillance and benchmarks the amount of employee time spent addressing theses complaints.
The complete study is available for purchase through Best Practices, LLC.
The Food and Drug Administration (FDA) recently unveiled the Quality in 510(k) (“Quik”) Review pilot program, aimed at reducing the time it takes to review moderate-risk medical devices by one-third. The pilot, dubbed as “a Turbo Tax for information submitted in 510(k)s,” by FDA Commissioner Scott Gottlieb, will allow device manufacturers to submit premarket notifications electronically using “eSubmitter” software, as long as the device is classified under one of the specific product codes included in the pilot program and is not a combination product. In addition to lower risk devices, the pilot program includes some higher risk Class II devices, such as surgical lasers, certain endoscopic equipment, and certain imaging devices (e.g., MRI and stationary X-rays).
The FDA’s stated goal is to review 510(k) applications for devices that meet the eligibility requirements within 60 days, rather than the typical 90 days for traditional applications.
FDA Commissioner Scott Gottlieb also commented:
“As technology evolves, patients have the opportunity to access more innovative medical devices that can help improve their health. To advance that progress, the FDA must also modernize its own review and submission process to make sure that our programs continue to be efficient, consistent and scientifically rigorous.”
Since its first release in 2015, the Apple Watch has continued to evolve and incorporate more health- and fitness-tracking capabilities. The latest version of Apple’s Watch—Series 4—features a larger display screen, thinner case, a new interface, and, according to Apple “revolutionary health capabilities.” These health capabilities include electrocardiogram (ECG) functionality, which has been granted approval by the U.S. Food and Drug Administration. Also incorporated into the latest version of the Watch, according to Apple, are a new accelerometer and gyroscope that allow for fall detection.
Jeff Williams, Apple’s chief operating officer, stated:
The completely redesigned Apple Watch Series 4 continues to be an indispensable communication and fitness companion, and now with the addition of groundbreaking features, like fall detection and the first-ever ECG app offered directly to consumers, it also becomes an intelligent guardian for your health.
Apple notes that its Series 4 Watch allows wearers to place their finger on a dial for 30 seconds and receive a heart rhythm classification, which can identify if the wearers’ heartbeat is following a normal or irregular pattern. Irregular heart beat patterns, often referred to as Atrial fibrillation, increase the risk of heart complications. Recordings of such heart rhythm information are stored in a Health app and can be shared with physicians via a PDF file.
Some commentators believe the fall detection capabilities of Apple’s Series 4 Watch may prove significantly valuable, especially for elderly wearers. The Series 4 Watch is said to incorporate a new accelerometer and gyroscope which measure up to 32 g-forces and utilizes “custom algorithms to identify when hard falls occur.” The Watch also analyzes trajectory of the wearer’s wrist and the impact of accelerations, and sends an alert to the wearer after a fall event. Such alert can be dismissed or used by the wearer to make an emergency call to a healthcare provider. According to Apple, if the Watch senses a lack of movement for one minute after the alert notification, an automatic emergency call is made and a message is sent to emergency contacts along with location data.
The FDA recently announced its approval of GW Pharmaceutical’s Epidiolex drug, described as the first ever plant-derived cannabinoid medicine in the United States. The announcement notes that Epidiolex contains a highly purified form of cannabidiol (CBD), one of many cannabinoids derived from cannabis plants. CBD, however, lacks the psychoactive properties of its more famous cousin, tetrahydrocannabinol (THC). The FDA approved the use of Epidiolex for the treatment of seizures associated with several rare forms of epilepsy in patients 2 years and older.
According to public databases, GW Pharmaceuticals is the listed assignee of seven issued patents for methods of treating various epileptic and other medical conditions using CBD, as well published filings in Europe, Canada, Japan, and the United Kingdom.
Although CBD is an active ingredient of an FDA approved drug, CBD is still considered a Schedule 1 controlled substance under the federal Controlled Substances Act and cannot yet be placed for sale on the market. As a part of its approval of Epidiolex, the FDA has sent a recommendation to the Drug Enforcement Agency to reschedule CBD to a less-controlled schedule. The DEA must act on this recommendation within 90 days of the original approval, although the DEA is not under any obligation to reschedule marijuana or any of its components, including CBD. Nevertheless, observers have noted that the FDA’s approval of a CBD-based drug is at odds with the requirement that a Schedule 1 substance have “no currently accepted medical use in treatment.”
In a press release issued the same day as the approval of Epidiolex, the FDA Commissioner Scott Gottlieb, M.D. stressed that the approval was not a recognition of cannabis or any of its components as medicines. The press release notes that approval of Epidiolex was based on controlled clinical trials evaluating a highly purified form of CBD for treatment of specific conditions, manufacturing under consistent quality controls, and the creation of a reliable dosage form. Nevertheless, the Commissioner encouraged continued clinical research into cannabis related drugs and noted programs and guidances intended to facilitate and expedite development and review of drugs to address unmet medical needs.
On September 12, 2018, Apple released its new Apple Watch Series 4 with a new ECG app that can take an electrocardiogram (ECG). Apple’s new Apple Watch Series 4 has been granted De Novo classification by the FDA, which allows Apple to provide its Series 4 Apple Watches as an over-the-counter ECG-monitoring device.
Jeff Williams, Apple’s chief operating officer, noted Apple’s continued desire to make Apple Watch a more useful healthcare device for the public:
“The completely redesigned Apple Watch Series 4 continues to be an indispensable communication and fitness companion, and now with the addition of groundbreaking features, like fall protection and first-ever ECG app offered directly to consumers, it also becomes an intelligent guardian for your health.”
According to Apple, Apple Watch Series 4 is designed to intermittently analyze heart rhythms in the background and look for any irregular heart rhythm, such as atrial fibrillation (AFib). If a user’s heart rate exceeds or falls below a specified threshold, Apple Watch Series 4 can generate an alert. Electrical impulses are analyzed to generate ECG waveform and to determine AFib classification, which are automatically stored in Apple Watch’s Health app.
AliveCor received FDA clearance for its KardiaBand application for use with the Apple Watch last November. KardiaBand’s press release indicates that it includes a wearable band and a monitoring system integrated to Apple Watch.
However, according to The Verge, there are some important caveats to the FDA’s grant of de novo classification. First, both the ECG app and the irregular rhythm notification feature are not intended for people under the age of 22. Second, the irregular rhythm notification feature is not intended for people who have previously been diagnosed with atrial fibrillation. Moreover, the FDA does not intend to replace existing diagnostic methods and treatments for atrial fibrillation with Apple Watch. The FDA clearly states that “the feature is not intended to replace traditional methods of diagnosis or treatment.”
The FDA has announced new goals to help modernize its procedures and respond to new technologies. In a blog post by FDA Commissioner Scott Gottlieb, M.D., the agency expressed new priorities to help modernize clinical trials for medical devices and develop standards for new technologies like artificial intelligence.
According to Gottlieb, clinical trials “are becoming more costly and complex to administer” while “new technologies and sources of data and analysis make better approaches possible.” In order to take advantage of these better approaches, Gottlieb pointed to the FDA’s Breakthrough Devices Draft Guidance, which proposes streamlined procedures to develop flexible clinical trial designs for important medical devices. This will allow the FDA to “evaluate . . . innovative devices more efficiently.” Six breakthrough devices have already been cleared using this program.
Additionally, Gottlieb discussed the FDA’s new goal of enabling the use of “real-world evidence” to support decisions to approve devices. According to Gottlieb, “[r]eal world evidence can help answer questions that are relevant to broader patient populations or treatment settings where information may not be captured through traditional clinical trials.” The FDA is helping to design several proof-of-concept trials that utilize real-world evidence.
Finally, Gottlieb discussed the FDA’s role in dealing with new and emerging technologies. In particular, Gottlieb discussed artificial intelligence, which “holds enormous promise for the future of medicine.” Medical artificial intelligence models are currently in development and the FDA recently approved an AI algorithm for detection and treatment of distal radius fractures. According to Gottlieb, the FDA is exploring ways to handle and evaluate the kinds of data that are relevant to AI performance and safety, hoping to “enable a transparent benchmarking system for AI algorithm’s performance.”
Gottlieb concludes that the FDA has “undertaken a comprehensive effort to make sure that our organization and policies are as modern as the technologies we’re being asked to evaluate, and that we’re able to efficiently advance safe, effective new innovations.”
According to the press release, the BrainsWay Deep TMS system was previously cleared for treatment-resistant major depressive disorder in 2013, and this month’s de novo clearance is the second indication granted for the device, and marks the first clearance of a non-invasive device for treatment of OCD. The BrainsWay press release further notes that the Deep TMS system’s H7-coil targets the anterior cingulate cortex, which is known to play a role in the pathophysiology of OCD. BrainsWay stated that Deep TMS treatment, which uses changing magnetic fields to stimulate nerve cells in the brain, is non-invasive and has been shown to be safe and well-tolerated by patients.
BrainsWay plans to offer its OCD treatment both in new installations and as an upgrade to its existing systems. Addressing the broad future applicability of the Deep TMS system, BrainsWay president and CEO Yaacov Michlin said:
This clearance further establishes Deep TMS as a platform technology that will provide treatments for additional psychiatric indications, subject to successful completion of our currently ongoing multi center studies and regulatory approvals.
The United States Food and Drug Administration recently announced approval for Teva Pharmaceuticals to market generic epinephrine autoinjectors. According to the press release, Teva’s autoinjectors are the first generic versions of Mylan’s EpiPen® and EpiPen Jr ® to receive FDA approval.
Food Allergy & Research reports that as many as 15 million people in the U.S. have food allergies, which results in about 200,000 needing emergency medical care per year. Commenting on the approval, U.S. FDA Commissioner Scott Gottlieb stated:
This approval means patients living with severe allergies who require constant access to life-saving epinephrine should have a lower-cost option, as well as another approved product to help protect against potential drug shortages.
Analyst reports indicate wholesalers are not expecting to receive the generic epinephrine autoinjectors from Teva for several months. A Teva spokesperson commented that the company “is applying its full resources to this important launch in the coming months and is eager to being supplying the market.” Currently, Mylan’s EpiPen® 0.3 mg autoinjector 2-pack sells for about $697 at HealthWarehouse.com. Teva has not yet indicated the price of its generic autoinjector.
In a recent report, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recommended that the U.S. Food & Drug Administration (FDA) include cybersecurity review as a greater part of the premarket review process for medical devices. In particular, the report suggests including cybersecurity documentation as a criterion in the FDA’s Refuse-To-Accept (RTA) checklist, using presubmission meetings to address cybersecurity questions, and including cybersecurity as an element of the FDA’s Smart template.
The FDA has been ramping up its cybersecurity review lately to deal with increased cybersecurity concerns. For example, a ransomware attack caused an Indiana hospital to shut down its system. Other cyberattacks may have gone undetected.
Currently, the FDA reviews documentation that manufacturers submit regarding cybersecurity as part of the premarket submissions. The FDA uses this information to consider known cybersecurity risks and threats when reviewing submissions that deal with networked medical devices. The FDA may request additional information from applicants when submissions require clarification or when cybersecurity documentation is lacking. In view of these requests, the FDA regularly approves manufacturers on cybersecurity issues when sufficient documentation is provided.
For example, in one review of a glucose monitoring system, an FDA reviewer did not find “any information on how the manufacturer included cybersecurity in the device’s design,” according to the report. “The FDA reviewer explained that the device relied heavily on users to protect against cybersecurity threats by using antivirus software and enabling firewalls. The FDA reviewer requested that the manufacturer update its hazard analysis to address the missing information. The manufacturer did so, and FDA found the update to be acceptable.”
Because of examples like this, the report suggests using cybersecurity documentation as an element in the FDA’s RTA checklist. The RTA checklist is a screen against incomplete applications. Were cybersecurity part of these checklists, failure by a manufacturer to provide adequate cybersecurity documentation could prevent the FDA to accept the submission for substantive review.
The report also suggests that the FDA use presubmission meetings to address cybersecurity-related questions. These meetings serve as a way for manufacturers to ask the FDA specific questions, such as whether the submission satisfies the FDA’s standards. During these meetings, the FDA can include cybersecurity as part of the discussion, which may reduce the amount of time for the FDA review.
Finally, the report recommended that cybersecurity be a stand-alone element in the FDA’s Smart template. A dedicated section on cybersecurity could allow FDA reviewers to explain the results of their review regarding cybersecurity in a standard format.
The FDA has agreed with these recommendations and has begun taking steps to implement them, such as by including cybersecurity in the Smart template. The FDA also said that it “intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.” The FDA is also currently considering new rules that may require submission of software as part of a premarket submission.