US Regulatory Roundup, June 2022: Digital Health; Draft QMSR Stakeholder Comments; Medtech Cybersecurity

Head Of FDA’s Digital Health Center: Congress Should Act On Reg Frameworks

Every day that the US Congress fails to give the Food and Drug Administration the authority to develop new regulatory frameworks for digital health products is another day that could stifle industry innovation and competition, says the acting director of the agency’s Digital Health Center of Excellence.

In a wide-ranging interview with Medtech Insight that was the most-read story in June, Brendan O’Leary said lawmakers have a “long track record of passing legislation that supports medical device innovation and benefits public health,” including the FDA’s de novo program that launched in 1997.

De novo “provided a voluntary alternative pathway for novel products,” O’Leary said. “I believe it’s resulted in somewhere north of 300 new device classifications, and it begs the question: How many of those might never have made it to patients if Congress hadn’t taken the action to establish that alternative approach? That’s just one example where when the framework that we had wasn’t producing the public health results that it needed to, Congress took important steps to provide an alternative. And just like we would miss out on some really important innovations if we didn’t have de novo, I think we have to consider the very real possibility that there’s another piece of the puzzle that is still missing.”

Having that puzzle piece – contemporary regulatory frameworks for digital health – could “enable some really important advancements,” he said.

The director of the FDA’s device center, Jeff Shuren, warned in May of “critical regulatory hurdles” if Congress doesn’t soon update digital health frameworks.

“We can’t move to really more modern regulatory frameworks without changes in federal law. And we know that for these kinds of technologies – software as a medical device – the regulatory frameworks of today were designed yesterday, when Congress was not thinking of software-based devices,” Shuren said at the time, adding that current frameworks aren’t “fit for purpose for modern-day software-based technologies.”

More Stakeholder Comments On FDA’s Proposed QMSR Rule

What will the FDA do when ISO 13485 – the international quality systems standard the agency used to help develop its proposed Quality Management System Regulation (QMSR) – needs to be updated? After all, Philips pointed out in comments to the agency on the draft rule that the standard could be opened up every five years for revision.

In our No. 2 story from June, Morgan Lewis partner Dennis Gucciardo said Philips’ inquiry is “obviously a huge question for everyone, considering FDA doesn't nearly move as fast as ISO,” the International Organization for Standardization.

“I think FDA’s presumption is that there will be new revisions to the standard, but they will not be so dramatic such that it's going to cause for the solution that this is supposedly addressing, which is that ISO 13485 and the QSR are not structured similarly,” he said.

The QSR is the agency’s current Quality System Regulation, which will be replaced by the QMSR when it’s finalized. The draft QMSR is the result of a years-long harmonization effort by the FDA to combine the QSR with ISO 13485:2016.

“Now, obviously, if ISO changes its structure or does make significant changes, we’re back in the same problem, which is an entity is going to have to follow 13485:2016 and then something else that's out in the world,” Gucciardo told Medtech Insight. “I suspect that FDA is going to say, ‘When the next revisions happen, we’ll review them and make any updates we have to,’ but realistically, how fast will that happen? I mean, look how long it took to get this draft QMSR out.”

Gucciardo is one of four medtech experts who read stakeholder comments on the draft QMSR so Medtech Insight readers didn’t have to. Click here to read part one of the expert takes from Gucciardo, Smith & Nephew’s Vincent Cafiso, MEDIcept Inc.’s Kim Trautman, and King & Spalding’s Steve Niedelman.

“It is not unreasonable to prepare for deliberate targeting of medical devices posed by unregulated third-party servicing entities.” – Jamie Wolszon

And in our No. 4 story from last month, Gucciardo said the FDA could find itself in a pickle if it grants industry more than a year to transition from the QSR to the QMSR. That’s because it could “signal that the QMSR isn’t as harmonized as the agency claims.”

In its proposed rule the FDA says one year is enough time for transition. But in comments to the agency, medtech lobbying group AdvaMed and the American Society for Quality say industry should be given three years for compliance. So does Cook Medical. Meanwhile, Philips told the FDA it wants two years.

“I think the hard part on that is, if FDA needs to make the case that ISO 13485 and the QSR are substantially similar, then why should they give companies a number of years to implement this rulemaking if they are, arguably, substantially similar?” Gucciardo said. “These are going to be interesting comments for FDA to respond to because the answer may cut against the agency’s argument that [the standard and the QSR] are substantially similar, if the compliance timeline is something drastic” – e.g, two or three years.

Meanwhile, AdvaMed told the FDA in comments that third-party servicers and refurbishers should be included under the umbrella of the proposed QMSR. The group’s VP for technology & regulatory affairs, Jamie Wolszon, said in our No. 10 story from June that AdvaMed is concerned that third-party entities could fall prey to hackers because of the “current geopolitical environment that is fraught with cybersecurity threats to our especially vulnerable health care sector.”

Wolszon went on: “Given the current unregulated status of third-party servicing, the sheer number of third-party service entities, and the important role medical devices play in the nation’s medical infrastructure, it is not unreasonable to prepare for deliberate targeting of medical devices posed by unregulated third-party servicing entities.”

Beyond cybersecurity, the medical device industry has long complained about poor work performed by non-manufacturer servicing businesses – and loudly groused that they’re not regulated. Despite repeated assertions by OEMs over the years that the FDA should impose quality and reporting requirements on third-party servicers, a 2018 report from the agency said “available evidence” didn’t justify writing new rules.

In comments of their own to the FDA, the general counsel for the Association of Medical Device Service Organizations, J. Mason Weeda, urged the agency to continue treating third-party entities as it does currently under the QSR. Weeda references the FDA’s 2018 report in AMDSO’s letter, pointing out that the agency “made the evidence-based determination that the device repair and servicing industry does not require active regulation.”

Cybersecurity Expert Says Regulators Need To Play Offense

Our No. 3 story from last month was an interview with cybersecurity expert Scott Trevino, who told Medtech Insight that a major challenge US regulators must confront in securing medical devices and hospitals is playing offense, not defense, against hackers who are becoming increasingly brazen and sophisticated in their ability to shut down systems and steal valuable data.

One offensive move by the FDA was its April guidance on device cybersecurity, which replaced the agency’s 2018 document on the topic. In Trevino’s view, the updated guidance better addresses emerging and dynamic cybersecurity threats.

He said the guidance is “encouraging and a step in the right direction,” and puts the government in a better position to get ahead of hackers, which is crucial considering how quickly technology is evolving and that attacks are not only increasing in frequency, but doing so at a speed that’s often faster than that of regulators.

“With cybersecurity it’s always been a catch-up kind of approach,” Trevino said.

Other Top Stories

These four articles rounded out our Top 10 list in June:

• No. 4 story: The new Resilient Supply Chain Program from the FDA aims to reduce future product shortages by applying lessons learned during the COVID-19 pandemic.

• No. 5 story: The FDA issued a final guidance on electromagnetic compatibility for devices, providing detailed recommendations to manufacturers submitting premarket applications.

• No. 8 story: A new study from the FDA will look at how the potential cancer risk tied to textured breast implants, as well as other factors, play into how patients decide what type of implants to get.

• No. 9 story: In this Compliance Corner feature, an FDA compliance officer reminds medtech companies that changes they make to devices or how they’re made should be closely evaluated to make sure finished products aren’t adversely impacted.

The 10 most popular US regulation and policy stories in June, as determined by reader interest, are listed in the table below.