Digital Health: FDA’s Shuren Predicts ‘Critical Regulatory Hurdles’ If Congress Doesn’t Update Reg Frameworks

The director of the US Food and Drug Administration’s Center for Devices and Radiological Health (CDRH) is warning of “critical regulatory hurdles” if Congress doesn’t soon update reg frameworks for digital health products.

Speaking on 4 May at AFDO/RAPS MedCon Conference 2022, Jeff Shuren said today’s frameworks don’t cut the mustard and that lawmakers need to act.

“We can’t move to really more modern regulatory frameworks without changes in federal law. And we know that for these kinds of technologies – software as a medical device – the regulatory frameworks of today were designed yesterday, when Congress was not thinking of software-based devices,” he said, adding that current frameworks aren’t “fit for purpose for modern-day software-based technologies.”

“No great surprise – this space is going to continue to evolve. Risk, threats and solutions continue to evolve, too.” – Jeff Shuren

And Shuren wasn’t overly optimistic that legislation aimed at digital health would come before Congress anytime in the near future.

“Right now, that kind of change – we haven’t seen that come up yet for Congress. We don’t know if that’s going to happen during this legislative session,” he said. “But we do know, if this isn’t fixed, there are going to be critical regulatory hurdles in the digital health space in the years to come.

“So I really do want to flag that. I’ve identified it before, but we really are finding this is becoming increasingly critical.”

Shuren: Congress Needs To Act On Cybersecurity Too

The CDRH director also called out during his keynote MedCon speech that the agency has noticed an increase in the number of cybersecurity threats and incidents.

“We’ve already put out 11 safety communications over the past few years, and we’re just seeing more and more challenges,” Shuren said. He noted that Congress needs to act in this area too so the FDA can have “new authorities” to be “well positioned to address” cybersecurity issues.

“The reality is, to make things happen, we need a change in the law, and right now there’s a legislative proposal, the PATCH Act, that deals with many of these issues,” he said.

Sens. Bill Cassidy, R-LA, and Jackie Rosen, D-NV, introduced the Protecting and Transforming Cyber Health Care (PATCH) Act in March, while companion legislation has been introduced in the House by Reps. Michael Burgess, R-TX, and Angie Craig, D-MN.

The PATCH Act would take a number of steps to curb ransomware attacks, including implementing cybersecurity requirements as part of the PMA process, and requiring manufacturers to develop plans to monitor, identify and address postmarket cybersecurity vulnerabilities.  (Also see "Senators Question User Fee Hike In Committee Hearing" - Medtech Insight, 5 Apr, 2022.)

“The agency also has a budget proposal before Congress right now, too, to give us the capabilities we need to be working with developers in order to identify and address cybersecurity vulnerabilities,” Shuren said.

Released in March, the FDA’s budget request for fiscal year 2023 asks for $5m to “begin development of a comprehensive cybersecurity program for medical devices … to improve the safety and security of medical devices, help address risks with legacy devices and rapidly address new … cybersecurity vulnerabilities.”  (Also see "FDA’s FY 2023 Proposed Budget Asks For Millions To Curb Device Shortages, Bolster Cybersecurity, And More" - Medtech Insight, 28 Mar, 2022.)

Also from that $5m the agency would hire six full-time employees to “increase its internal capabilities through the recruitment and development of cyber experts to support the review of medical devices and assure that they are highly resistant to security breaches before being marketed.”

“You know, no great surprise – this space is going to continue to evolve,” Shuren said. “Risk, threats and solutions continue to evolve, too.”