Yesterday, the FDA released draft guidance on the management of cybersecurity in medical devices submitted to the agency for premarket review. Noting that cybersecurity threats to the healthcare sector have increased in number and severity, the FDA offered new recommendations for device design, labeling, and documentation that medical device manufacturers will need to consider during premarket submission processes.

The guidance comes shortly after the FDA’s launch of its Medical Device Cybersecurity Playbook, which provides a framework for healthcare delivery organizations to use in preparing for and responding to cybersecurity threats against patient medical devices.

Given rapid changes in technology and increasing innovation in the digital health market, the guidance intends to decrease the risk of cyberattacks that could render medical devices inoperable and potentially harm patients. Comments on the draft guidance are due on March 18, 2019.

The FDA is focusing on safety and effectiveness of interconnected medical devices with the issuance of final guidance on medical device interoperability, released last week. As the FDA notes, medical devices are becoming increasingly connected to one another and to other technologies, and it is critical to address their ability to exchange and use information safely and effectively.

For device manufacturers, this guidance clarifies how the FDA is thinking about interoperability and patient safety in the premarket submission process and provides considerations for manufacturers in the development and design of interoperable medical devices. It demonstrates the FDA’s focus on the safety and effectiveness of devices as implemented in an interconnected environment and the FDA’s expectation that manufacturers anticipate and design for anticipated uses and reasonably foreseeable misuses. Manufacturers should consider this guidance in the design, development, and ongoing monitoring of connected medical devices.

This guidance may be helpful for other audiences as well:

  • Care providers that frequently interact with medical devices in the course of patient care
  • Hospital IT teams who make device purchasing decisions
  • Vendors of health technologies that frequently exchange data with medical devices


In a final guidance document released July 29th, the U.S. Food and Drug Administration (“FDA”) officially confirmed that it does not intend to review or require regulatory compliance for fitness trackers and certain health apps, collectively termed “general wellness products.”  This guidance, which is largely unchanged from the draft guidance issued in January 2015, coincides with FDA’s narrowing oversight of mobile medical apps and related tools.

According to the guidance, general wellness products are:

  1. Products that are intended for “general wellness use” (e.g., weight management, physical activity trackers, and stress management tools); and
  2. Products that present a low risk to the safety of users and other persons.

The primary distinction between a general wellness product and a medical device, which FDA does regulate, is that the intended use of a general wellness product is either to maintain or encourage a general state of health or healthy activity or to support a healthy lifestyle to help reduce the risk or impact of certain chronic conditions where there is a well-known connection. The guidance further explained that although general wellness products may claim to help manage or reduce the risk of certain chronic diseases, they may not claim to treat or diagnose a specific disease or condition.  Products that make these claims are considered medical devices and are subject to FDA regulation.

As mentioned above, this guidance is in line with FDA’s recent policy to exercise enforcement discretion when dealing with products that may help consumers manage or prevent ill health and pose a minimal risk of harm. The policy attempts to strike a balance between ensuring consumer safety and supporting the rapid pace of innovation that is directed at consumer health. This guidance, along with earlier guidance, can help developers of mobile medical apps, fitness trackers, wellness tools, and health information technology determine how to market their products in light of existing law, and it should be considered in the early stages of product development and business strategy.

For more information, please contact the authors of this post or your regular Crowell & Moring contact.

Last week, the HHS Office of Civil Rights (OCR) announced a settlement that has far-reaching implications for the importance of complying with the HIPAA Security Rule where medical devices create and maintain electronic protected health information (ePHI). See Data Law Insights for a post authored by Jodi Daniel, Elliot Golding, and Stephanie Willis for more details about this settlement and another one against an insurance holding company announced less than a week later.

On October 2, 2014, the FDA released a set of comprehensive guidelines governing the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidelines are intended to provide direction for manufacturers of medical devices on how to appropriately safeguard devices from a potential security breach, particularly in light of the sensitive medical information such devices may store or transmit. The FDA's recommendations range from identifying vulnerabilities at the manufacturing stage to protecting against unauthorized access, and include suggestions on outfitting devices with appropriate incident response mechanisms. The guidelines placed significant emphasis on maintaining device functionality despite increased security, which may present a unique challenge to manufacturers.

Please read the full alert analyzing the guidelines here.