Kate Klaus, Esq. Courtney Young, Esq. January 16, 2018 Ripped from the Headlines: Medmarc’s Risk Management Team Discusses Lessons Learned from Life Sciences in the News and What to Watch for in 2019
Agenda Opioid Update Digital Health Pre -Certification Program Medical Device Cybersecurity OTC Monograph Reform Lighting Round 1
Opioids
What’s going on? 3
Status Opioid “epidemic” has been at center of national attention for several years, and 2018 saw an increase in lawsuits against opioid manufacturers and distributors Suits coming from state and county governments alleging that these companies are liable for the cost to the public of treating opioid victims Allegations include knowingly misleading public and physicians about addiction risks Georgia became latest government to file suit, filing on Jan. 3 4
What does this mean for life sciences companies? Litigation Ancillary products may become a target • Pain pumps, drug delivery systems Insurance coverage Coverage for businesses with opioid exposure is going to be more difficult to obtain, exclusions being added to policies Suits by government entities These types of suits may be new trend, not be unique to opioids 5
Digital Health Pre-Certification Program
Pre-Cert: What is it? 21 st Century Cures Act Digital Health Innovation Action Plan • Software Pre-Certification Program Streamlines the regulatory oversight of software-based medical devices Focus initial evaluation on the developer 7
Pre-Cert: Who is it for? Manufacturers with a robust culture of quality and organizational excellence Commitment to monitoring real-world performance of their products in the U.S. - Will Durant, frequently market misattributed to Aristotle 8
Pre-Cert: How does it work? Key components: Excellence Appraisal Review Determination Streamlined Review Real-World Performance 9
Pre-Cert: When will it launch? Pilot program in progress More than 100 companies applied to participate, but only nine selected Transparent development process Link for submitting comments on FDA website Interactive user sessions with pilot participants open to the public via webinar 10
Cybersecurity
What’s going on? 12
Status Medical device cybersecurity has been and continues to be a focus of FDA, the industry, and the plaintiff’s bar FDA released new guidance on October 18, 2018 The U.S. Department of Health and Human Services released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” on December 28, 2018 13
FDA’s New Guidance New Guidance released October 18, 2018 “Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system. We’ve been implementing this guidance since it was finalized in 2014. Now, because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices. This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats.” – FDA Commissioner Scott Gottlieb 14
Guidance: Content of Premarket Submissions for Management of Cybersecurity Last cybersecurity guidance finalized in October of 2014 Recommends that premarket submissions include a “cybersecurity bill of materials” detailing the software and hardware components that are vulnerable to cyberattacks Device makers must include documentation demonstrating how they have mitigated cybersecurity risks Provides design recommendations based on NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” 15
Guidance: Content of Premarket Submissions for Management of Cybersecurity, cont’d According to the FDA, the security risk management report for a trustworthy device would include: A system-level threat model A specific list of all cybersecurity risks that were considered in the device’s design A list and justification of all cybersecurity controls established in the device, including risk mitigations A description of the testing done to ensure the adequacy of cybersecurity risk controls (including performance testing, vulnerability scanning, penetration testing, etc.) A traceability matrix linking cybersecurity controls to the risks outlined in a security risk and hazard analysis A software bill of materials that is cross-referenced with the National Vulnerability Database or a similar known database, including criteria for addressing known vulnerabilities or a rationale for not addressing known vulnerabilities. 16
DHS and FDA MOA In October, the FDA and the National Protection and Programs Directorate (NPPD) of DHS entered into an agreement that formalizes a long-standing relationship between the agencies and implements a new framework for increased collaboration, information-sharing, and coordination to address cybersecurity in medical devices. Key Provisions: NPPD can assist FDA as an independent third party in the evaluation and assessment of the impact of medical device vulnerabilities NPPD will coordinate with FDA on the content of alerts and advisories related to medical device cybersecurity and these will be published by DHS Takeaway: FDA stepping up its enforcement actions related to cybersecurity 17
What does this mean for life sciences companies? New information should be submitted with 510(k) submissions Keep an eye on emerging and developing industry standards These standards can form the basis of plaintiffs’ negligence cases in the event of a data breach, bodily injury, or property damage arising out of a cyber vulnerability 18
The Intersection of Cybersecurity & Products Liability You failed to warn me that a Your product does not cyber vulnerability could effectively warn against result in bodily injury/ hazards of which you property damage. knew or should have Warning Defect known. Something went wrong You failed to implement the in the manufacturing appropriate security patch. process, which rendered the device Manufacturing Defect less safe. You failed to effectively design the product to protect There is a reasonably against cyber vulnerabilities safer alternative design and/or be interoperable that you failed to use. without risk to other systems, networks, or components. Design Defect 19
HHS’ New Health Industry Cybersecurity Practices The document identified 5 Released at the end of threats for healthcare providers: last year, HHS’ document E-mail phishing attacks is a “call to action” for Ransomware attacks the healthcare industry Loss or theft of equipment or with the goal of moving data beyond the historical Insider, accidental or focus on privacy and intentional data loss security and put new Attacks against connected medical devices that may emphasis on patient affect patient safety safety 20
HHS’ Identification of Medical Devices as a Threat 21
OTC Monograph Reform
Bringing OTCs to Market Either: • A new active moiety, Private submission dosage form, use, etc., or to FDA by drug • Prescription to OTC switch sponsor NDA Monograph Three-phase process: Public rulemaking 1. Advisory panel review 2. FDA publishes Tentative Final process Monograph (TFM) in the Federal Register for public comment 3. Final Monograph published 23
OTC Monograph System Set of conditions that are self- limiting and self-diagnosable Identifies permitted actives and concentrations Sets out required label statements No pre-approval required – if it complies with the monograph, it can be sold 24
OTC Monograph System Required label format Nearly every aspect dictated by regulations – fonts, font size, bolding, line widths, bullet use 25
Monograph System Relic Introduced in 1972 and never completed Rulemaking moves at a glacial pace, hindering FDA’s responsiveness to safety issues Significant barrier to innovation, as monographs are limited in large part to actives available in 1972 26
Over-the-Counter Monograph Safety, Innovation, and Reform Act User fees Improved staffing and dedicated funding for OTC work Streamlined regulatory pathway Review of innovations Quick response to emerging issues Exclusivity for innovators IT infrastructure 27
Reform Status Passed the House in the 115 th Congress, but was not taken up by the Senate before the session ended Passed again by the House (116 th ) on January 8 th , with broad bipartisan support (401 – 17) Sent to the Senate, where it again awaits further action 28
Lightning Round
Virtual Trials CROs increasingly undertaking “virtual trials” in which participants are remove May ease clinical trial costs where available 30
Impact of Government Shutdown on FDA Operations 31
Recommend
More recommend
