Showing all posts written by Jordan Cox
FDA to Strengthen Cybersecurity Oversight
In a recent report, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recommended that the U.S. Food & Drug Administration (FDA) include cybersecurity review as a greater part of the premarket review process for medical devices. In particular, the report suggests including cybersecurity documentation as a criterion in the FDA’s Refuse-To-Accept (RTA) checklist, using presubmission meetings to address cybersecurity questions, and including cybersecurity as an element of the FDA’s Smart template.
The FDA has been ramping up its cybersecurity review lately to deal with increased cybersecurity concerns. For example, a ransomware attack caused an Indiana hospital to shut down its system. Other cyberattacks may have gone undetected.
Currently, the FDA reviews documentation that manufacturers submit regarding cybersecurity as part of the premarket submissions. The FDA uses this information to consider known cybersecurity risks and threats when reviewing submissions that deal with networked medical devices. The FDA may request additional information from applicants when submissions require clarification or when cybersecurity documentation is lacking. In view of these requests, the FDA regularly approves manufacturers on cybersecurity issues when sufficient documentation is provided.
For example, in one review of a glucose monitoring system, an FDA reviewer did not find “any information on how the manufacturer included cybersecurity in the device’s design,” according to the report. “The FDA reviewer explained that the device relied heavily on users to protect against cybersecurity threats by using antivirus software and enabling firewalls. The FDA reviewer requested that the manufacturer update its hazard analysis to address the missing information. The manufacturer did so, and FDA found the update to be acceptable.”
Because of examples like this, the report suggests using cybersecurity documentation as an element in the FDA’s RTA checklist. The RTA checklist is a screen against incomplete applications. Were cybersecurity part of these checklists, failure by a manufacturer to provide adequate cybersecurity documentation could prevent the FDA from accepting the submission for substantive review.
The report also suggests that the FDA use presubmission meetings to address cybersecurity-related questions. These meetings serve as a way for manufacturers to ask the FDA specific questions, such as whether the submission satisfies the FDA’s standards. During these meetings, the FDA can include cybersecurity as part of the discussion, which may reduce the amount of time for the FDA review.
Finally, the report recommended that cybersecurity be a stand-alone element in the FDA’s Smart template. A dedicated section on cybersecurity could allow FDA reviewers to explain the results of their review regarding cybersecurity in a standard format.
The FDA has agreed with these recommendations and has begun taking steps to implement them, such as by including cybersecurity in the Smart template. The FDA also said that it “intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.” The FDA is also currently considering new rules that may require submission of software as part of a premarket submission.
FDA Unveils Update to Software Precertification Program
The U.S. Food and Drug Administration (FDA) recently updated its software Precertification Program. A working program was originally rolled out in April 2018, but the program was updated in response to requested public input. The FDA expects to roll out a finalized version of the program by December 2018 and to have a pilot test available in 2019.
With the precertification program, the FDA hopes to streamline the certification of “mobile apps” and other software that is used to “treat, diagnose, cure, mitigate, or prevent disease or other conditions,” or so-called software as a medical device (SaMD), according to the updated program description. While software in a medical device (SiMD) is not currently part of the program, the FDA hopes to include SiMD and software that is an accessory to hardware in the future. The program will allow certain organizations that can demonstrate a “culture of quality and organizational excellence” to streamline their oversight of SaMD.
The update clarifies that not all software is subject to regulatory review even if it has some connection to the medical industry. In particular, the update notes that non-device software is exempt, such as software that is intended (1) for administrative support, (2) for maintaining or encouraging a healthy lifestyle, (3) to serve as electronic patient records, (4) for transferring, storing, converting formats, or for displaying data, or (5) to provide certain limited clinical decision support.
According to the update, organizations “of all sizes” can qualify. The FDA makes clear that startups and smaller companies can apply and receive precertification. Two levels of precertification exist. Level 1 precertification allows an organization to develop and market “lower risk” software without review while also streamlining review of higher risk software. This level would be awarded to an organization that demonstrates excellence in product development but may have a “limited track record” in “developing, delivering, and maintaining” products in the healthcare market. Level 2 precertification allows “lower and moderate risk” software to be developed and marketed without review while also allowing streamlined review of other software. This level is awarded to those organizations with a track record in demonstrating high quality software products.
In determining what amount of review is required for “lower risk” and “moderate risk” SaMD, the FDA looks at (1) the risk category of the product, (2) the level of precertification of the organization, and (3) the extent of the changes to the software relative to an existing device. Under either level of precertification, “minor changes” require no review by the FDA.
The FDA is looking to update additional aspects of the precertification program, including how it relates to substantially equivalent device review. The FDA is currently requesting comments on the program.
Healthcare Industry May Not Be Prepared For Internet of Things
A recent survey conducted by ZingBox, a Silicon Valley internet security startup, found that more than 90% of healthcare IT networks have Internet of Things (IoT) devices. The survey further found that more than 70% of IT departments believe that current security systems for laptops and servers can also protect connected medical devices.
According to Xu Zou, ZingBox CEO, “Typically you will see 10 to 15 IoT devices per bed in a hospital.” He defines a healthcare IoT device as anything that is portable and connected to the Internet.
This has caused serious problems with medical and other organizations. For example, on May 12, 2017, a ransomware cryptoworm called WannaCry attacked devices on every continent. An estimated 200,000 computers in 150 countries were infected. The attack included hospitals in England and Scotland and affected up to 70,000 devices, including MRI scanners, blood-storage refrigerators, and theater equipment. Some ambulances were diverted and some non-critical emergencies were turned away.
A more recent global attack occurred on June 27, 2017. Petya (also known as NotPetya), a ransomware cryptovirus, affected largely Ukrainian and Russian hospitals but also hit locations in France, Germany, Italy, Poland, the United Kingdom, and the United States.
In ransomware attacks, malware prevents a user from accessing certain computer records (e.g., patient records). These records are not released until a specified amount is paid to an anonymous recipient. Generally, these types of attacks rely on cryptocurrencies, such as Bitcoin. Cryptocurrencies function like paper money, so the transaction is anonymous and difficult to trace.
“Health care has been late to respond to the need for protected information, and the information is worth more,” said Michael Ebert, a partner with KPMG who advised companies on cybersecurity. “It’s amazing how far behind we are, and we know we have to do something.”
Ransomware attacks not only show the vulnerability of hospitals (and healthcare companies generally), but they present a threat to human life. For example, experts have suggested that up to 500,000 children’s medical records are on sale and could be used to compromise the care given to a child.
Ransomware attacks are on the rise. A 2017 Verizon Data Breach analysis found that ransomware attacks rose from the 22nd most common type of malware attack to the 5th most common between 2014 and 2017. “[H]olding files for ransom is fast, low risk and easily monetizable,” wrote the authors. The report noted that 72% of all health care malware attacks in 2016 were ransomware.
Investment in IoT technology is also rising. So far it is at nearly $25 billion and is expected to rise dramatically. Accordingly, the spread of the technology can be expected to increase. Examples within the medical device community include blood pressure and heart rate monitors.
Most of those surveyed by ZingBox may be optimistic about the state of their security. However, the healthcare industry is likely to be more vulnerable in the future as the IoT becomes more ubiquitous.
MedPlast Completes Acquisition of Vention Medical
MedPlast, Inc. recently announced that it has completed its acquisition of Vention Medical’s device manufacturing services arm. The press release states that the acquisition “broadens MedPlast’s manufacturing capabilities and bolsters its position as a leading services provider to the world’s largest original equipment manufacturers.”
According to its website, Tempe, Arizona-based MedPlast is a global provider of plastic processing and manufacturing for medical devices. The company services thermoplastic and elastomeric materials and plastic processing. Vention Medical describes itself as a medical device design, engineering, and manufacturing company. The company specializes in molded components and finished device assembly and packaging of interventional and minimally invasive surgical products.
Harold Faig, CEO of MedPlast, sees significant potential in the acquisition. He explains that:
This acquisition is a first and important step in our strategic plan to expand our offering to customers [and o]ur goal is to build on our core manufacturing and engineering capabilities to provide our customers with a comprehensive portfolio of end-to-end product solutions.
The president of Vention Medical’s device manufacturing service arm, Bill Flaherty, shares Mr. Faig’s enthusiasm:
We are excited to come together with MedPlast. We serve many of the same customers who will benefit from our combined offerings and shared commitment to providing the highest quality standards and facilities in the industry.
The acquisition was initially announced in late February, 2017. According to the press release, the acquisition:
[W]ill extend MedPlast’s global footprint to 22 manufacturing facilities located in key markets through North and Central America, Asia and Europe. Once complete, the acquisition will more than double MedPlast’s size.
MedPlast’s current acquisition may foreshadow the strategic direction of the company. Kevin Swan, a partner at Water Street Healthcare Partners, a Chicago-based private equity firm backing MedPlast, recently stated that “[t]his is the first of what we expect will be more strategic acquisitions to build MedPlast into a market leader.” Indeed, before the acquisition, MedPlast was ranked by Plastic News as the 27th largest injection molder in North America, by revenue, in a $40 billion market for medical device services. At the time, the company had an estimated $275 million in annual sales and 800 employees at 7 manufacturing locations. The company now operates 11 manufacturing facilities.

Cuba an Untapped Market for Medical Device Exports
The United States is the world’s largest medical device exporter, according to reports, accounting for $45 billion of over $140 billion in global exports in 2014. This is not surprising since it also produced the largest share of medical devices in the same year, contributing to nearly a fifth of the $340 billion global industry. Yet, the United States and other large markets are largely saturated with annual growth rates of only 3 to 5 percent.
For these reasons, Cuba displays a potential high-growth opportunity for American medical device manufacturers, according to a recent report in the Cuba Journal. According to the report, Cuba’s expenditures on healthcare in 2014 were nearly 10 percent of its GDP. Yet, Cuba’s domestic production of medical devices is limited largely to low margin goods such as surgical dressings, optical lenses, and dental supplies. Thus, Cuba is greatly dependent on medical device imports, including both low-end goods such as syringes and catheters as well as high-end goods like imaging equipment and orthopedic devices.
However, the share of imports to Cuba from the United States is dwarfed by other countries. According to the report, Europe makes up over 40 percent of Cuban imports while China and Japan combine for nearly 30% of the country’s imports, as of 2014. The United States, on the other hand, provides less than 1 percent of Cuba’s medical devices. Even Mexico exports twice the share of Cuban medical devices the United States does.
Meanwhile, similarly sized markets received far greater attention from U.S. manufacturers. For most of the period from 2005-2014, U.S. exports to regional countries with a per capita GDP comparable to Cuba’s, such as the Dominican Republic and Colombia, have been more than 200 times greater than those to Cuba, according to the report.
Fortunately, medical device exports to Cuba from the United States are on the rise. In 2015, U.S. exports to Cuba jumped by more than 600 percent compared to 2014 even though exports to Cuba dropped overall by 40 percent in the same period.
Notwithstanding the above, few companies have taken advantage of the Cuban market. This may be due in part to unfamiliarity with the law as well as delays and difficulties in complying with it. However, the U.S. Office of Foreign Assets Control has relaxed some of the barriers, and an exception for medicines and medical devices to the general policy of denial for exports already exists. This, combined with a greater awareness of the trade opportunities in Cuba and the greater openness between the United States and Cuba, has made Cuba a potentially attractive destination for U.S. medical devices. But, at present, the Cuban market remains largely untapped.
Bills Introduced to Streamline FDA Review of Medical Devices
U.S. Senators Cory Gardner (R-CO) and Joe Donnelly (D-IN) recently introduced the Rare Device Innovation Act and the FDA Regulatory Efficiency Act. The bills, if passed, would streamline the U.S. Food and Drug Administration (FDA) approval process for a number of medical devices. A press release from Senator Gardner states that “this legislation allows the FDA to spend more time reviewing new breakthrough technologies and expedite them to the market for patients who need them.”
According to the press release, the Rare Device Innovation Act makes it easier for medical devices to qualify for expedited approval. In order to qualify for the expedited approval process under the current Humanitarian Use Device (HUD) program, medical devices must treat diseases that exist in fewer than 4,000 patient cases, annually, in the U.S. The Rare Device Innovation Act proposes to increase that number to 8,000, which according to the press release will “create[] an incentive for manufacturers to develop medical devices for rare diseases to help people with rare conditions gain access to technologies they would not otherwise.” Devices covering diseases like ALS, cerebral palsy, Hodgkin’s lymphoma, mesothelioma, and tuberculosis would qualify under the bill, according to Senator Gardner’s press release.
As outlined in the release (and as a major departure from present FDA practice), the FDA Regulatory Efficiency Act seeks to allow accredited third-parties to perform initial reviews of 510(k) medical devices. Medical devices that qualify under 510(k) are low-risk medical devices that are substantially similar to those already approved by the FDA. Examples of qualifying devices include powered wheelchairs, shunts, and CT scanners.
Regarding the proposed FDA Regulatory Efficiency Act, Senator Donnelly’s press release states: “The legislation would still hold companies accountable for their quality systems, while also helping to alleviate the overwhelmed FDA.”
The proposed third-party 510(k) review appears to have some degree of industry support. In fact, AdvaMed (the “Advanced Medical Technology Association”) recently commended Senators Donnelly and Gardner on introduction of the FDA Regulatory Efficiency Act. JC Scott, senior executive vice president, government affairs, for the Advanced Medical Technology Association stated:
This legislation would create a voluntary program under which medical technology companies could have their quality system certified by an FDA-authorized third party. This certification would allow companies to self-certify certain low-risk changes to currently marketed devices. These changes would be limited to minor alterations to an existing product or manufacturing process currently covered by 30-day notices for PMAs [pre-market approval applications] and ‘special 510(k)s’ for 510(k) products . . . . This new program will help ensure that companies are accountable for these minor changes while lessening the burden on FDA, allowing the agency to focus on higher-priority activities . . . . We look forward to working with members of Congress, FDA and other key stakeholders to move this important legislation forward.