Medical devices and the data they generate are in the spotlight of late, and this is essentially great news for those of us whose lives are entwined with these systems!
On June 20, FDA released a new draft guidance document outlining their current thinking on how they plan to enforce regulations re: Medical Device Data Systems (MDDS), as part of their medical device innovation initiative.
This guidance proposes the agency use their "enforcement discretion" to "down-classify"* many medical device data systems, including a variety of software applications used to view, track and analyze health data generated by medical devices -- which is a big win for us D-advocates who've been pushing for more open policies that could free up device companies and third-party developers to create more useful software for us to access our device data and better manage our care!
(*Down classification means these items are considered lower-risk to patients, and therefore require less strict regulation. See illustration below)
The agency wants and needs to hear from the diabetes community about the draft guidance, and we need your support! While the direction of the draft guidance is distinctly positive, there are many points that still need to be clarified.
I've been working with the #WeAreNotWaiting team of patient/caregiver advocates including Anna McCollister-Slipp, Bennet Dunlap and Howard Look of Tidepool to help lead a discussion between the D-patient community and the FDA in the coming weeks.
We would LOVE your input and participation. We are making progress, but we need broad community support to push these efforts through.
In particular, some of the agency's interpretation of terms is unclear. We're working on a set of questions to submit to FDA that you can view and comment on here: ow.ly/zvbsp
We've already submitted an email with a number of questions directly to Bakul Patel, senior policy advisor in FDA's Center for Devices and Radiological Health (and the one who wrote their recent blog post on the MDDS guidance), and are aiming to set up a call with him today.
- We love that the FDA is embracing the notion of "data display" as regulated separately from the devices that generate the data.
- We love that the FDA is removing the diabetes exclusion from MDDS (diabetes was formerly in its own separate category, which complicated regulatory issues).
- We love that the FDA will no longer enforce strict regulatory controls on MDDS software, medical image storage devices or medical image communications devices ("due to the low risk they pose to patients and the importance they play in advancing digital health").
Questions & Recommendations
The guidance suggests the agency WILL regulate any apps or software used for "active patient monitoring." Here, we encourage the FDA to:
- First, clearly define its use of the term "active patient monitoring" (which could mean a number of things).
- At a minimum, the agency should better explain the perceived risks so that a plan can be put in place to mitigate them.
- Consider removing this stipulation; unrestricted real-time monitoring of CGM data allows parents to know that their kids are safe!
- We encourage the FDA to make a clearer distinction between GENERATION of data and DISPLAY of data.
- How exactly are they differentiating between simply viewing data on a device display vs. using data for personal treatment decisions? And does the treatment recommendation/decision have to be explicit (e.g., "take this amount of insulin"), or does this apply to any data that could be used to inform a patient's self-care?
- They should explain their mention of "software that enables third party entities/developers to extract/obtain medical device information" -- by this, do they mean information about the device itself, such as UDIs (unique device IDs), serial numbers, etc., or device-generated data about patient health status, dosing, etc.?
- We encourage the FDA to focus on data validity and authenticity systems.
- We encourage the FDA to encourage device makers to put digital signatures on the data, enabling downstream data validity checks and data provenance (ownership of data and usage stats).
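To make the last recommendation concrete, here is an added example (not code from the original post, the FDA, or any device maker) of what a downstream validity and provenance check on device-generated data looks like. It assumes a constructed device ID and key, and it uses HMAC-SHA256 from the Python standard library as a stand-in for a digital signature so it runs offline; in a real deployment the device would hold an asymmetric private key and downstream software would verify with the public key only. The check rejects records whose values were altered after signing, records replayed out of sequence, and records from a device with no known key.

```python
import hmac
import hashlib
import json

# Constructed key for one hypothetical CGM. In practice this would be a per-device
# private key on the device and a public key on the receiving side; HMAC is used here
# only so the example runs with the standard library alone.
DEVICE_KEYS = {
    "CGM-EXAMPLE-001": b"constructed-secret-key-for-demo-only",
}

# Fields that are covered by the signature. Anything outside this set is not protected.
SIGNED_FIELDS = ("device_id", "seq", "ts", "glucose_mgdl", "units")


def canonical_bytes(record):
    """Serialize the signed fields deterministically (sorted keys, no whitespace)
    so signer and verifier hash exactly the same bytes."""
    fields = {k: record[k] for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record):
    """What the device would do: attach a signature over the canonical record."""
    key = DEVICE_KEYS[record["device_id"]]
    sig = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "sig": sig}


def verify_record(record, last_seq):
    """Downstream validity check. Returns (ok, reason)."""
    key = DEVICE_KEYS.get(record.get("device_id"))
    if key is None:
        return False, "unknown device (no provenance)"
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected, record.get("sig", "")):
        return False, "signature mismatch (data altered or not from this device)"
    # A monotonically increasing sequence number lets the receiver spot replayed
    # or reordered readings even when each individual record is correctly signed.
    if record["seq"] <= last_seq:
        return False, "replayed or out-of-order record"
    return True, "ok"


def ingest(records, last_seq=0):
    """Accept only records that pass verification; return accepted readings
    and (seq, reason) pairs for the rejected ones."""
    accepted, rejected = [], []
    for r in records:
        ok, reason = verify_record(r, last_seq)
        if ok:
            accepted.append(r)
            last_seq = r["seq"]
        else:
            rejected.append((r.get("seq"), reason))
    return accepted, rejected


def demo():
    """Constructed stream: three genuine readings, one tampered copy, one replay,
    and one record from a device with no known key."""
    readings = [
        sign_record({"device_id": "CGM-EXAMPLE-001", "seq": i, "ts": 1405000000 + 300 * i,
                     "glucose_mgdl": g, "units": "mg/dL"})
        for i, g in enumerate([112, 118, 125], start=1)
    ]
    tampered = dict(readings[1], glucose_mgdl=65)   # value edited after signing
    replay = dict(readings[0])                      # old record sent again
    forged = {"device_id": "UNKNOWN-999", "seq": 9, "ts": 0,
              "glucose_mgdl": 400, "units": "mg/dL", "sig": "00"}
    return ingest([readings[0], tampered, readings[1], replay, readings[2], forged])


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted seqs:", [r["seq"] for r in accepted])
    for seq, reason in rejected:
        print("rejected seq", seq, "->", reason)
```

The design point is that the signature covers a canonical encoding of the clinically meaningful fields plus a sequence number, so a viewer or analysis app can tell which device produced a reading, that the reading has not been edited in transit, and that it is not a stale copy, all without trusting the channel it arrived over.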
A reminder of how FDA classifies medical devices, FYI:
If you're interested in helping influence this stuff (and we hope you are)...
Here's how to comment on the docket:
* Go to this link to submit your input: MDDS Guidance comment form on Regulations.gov
* Comments are due by August 25, 2014 at 11:59pm EDT
Cyber-Security in the News
Although not the focus of this new FDA guidance (which is aimed at the impact of these systems on patient therapy), we wanted to touch on the issue of security of these devices: how vulnerable are they to being hacked? We bring this up in particular because the topic's being revisited by the media lately, prompted by the one-year anniversary of Barnaby Jack's death -- the famous hacker who died of an apparent drug overdose last summer.
The Verge reports: "Jack was an ingenious programmer from New Zealand best known for making an ATM spit out bills and figuring out how to wirelessly hack into medical devices, including a pacemaker and an insulin pump. He was scheduled to give a talk on the latter last year at the security conference Black Hat, where hackers present their exploits in order to make the public aware of cybersecurity vulnerabilities. His talk was one of the most anticipated at the convention, but he died six days before he was supposed to give it, on July 25th of last year."
Marking that recent anniversary, a number of news stories revisited how non-malicious hackers -- often referred to as White Hat Hackers -- have influenced the medical device scene. This Bloomberg story, for example, reported that Jack's efforts "pushed the manufacturers" such as Medtronic to hire security teams and coordinate with the U.S. Department of Homeland Security to "implement anti-hacking changes to its insulin pumps and other products."
And who can forget fellow type 1 Jay Radcliffe, a D-device hacker himself who brought this all to light by publicizing what he describes as "security flaws" with Medtronic and Animas insulin pumps? He subsequently started working with the FDA to address those and related device issues.
In a call just two days before the anniversary of Jack's death, Medtronic actually reached out to a group of Diabetes Advocates to discuss their take on this issue and proactively reassure the D-Community in advance of any news coverage that might make this cyber-security issue seem more concerning than they believe it is.
Medtronic's VP of regulatory affairs Mark O'Donnell said the company's been actively monitoring Adverse Event Reports (MDRs) that are filed with the company and with FDA, and they've not seen any reports of "insulin pump hacking" instances at all -- and definitely no reports of injury to patients.
But would they make such complaints public anyway, if some should surface?
Carolyn Schmitz, who leads Medtronic's cybersecurity efforts, says company policy is to not disclose details of any real or potential vulnerabilities to the public, to avoid increasing attention from hackers who may want to exploit those vulnerabilities. Instead, they take any negative findings into consideration for R&D purposes, in making devices more robust. And any changes made go through the FDA. She also noted that the company has worked directly with White Hats -- aka "security researchers" -- to test and examine products for potential security risks.
"We take it very seriously, and we've contacted different regulators and researchers to help respond to the risk, industry-wide and with our own pump," O'Donnell said, adding: "We don't see it as a significant issue... and we continue to believe the risk is very low."
Sure, this is just one pump company -- but the world market leader at that. We have to assume other insulin pump and med device companies are working hard to secure their devices and data repositories as well (see also: according to the manufacturers, it's not a big deal, despite what the dramatic headlines may imply).