Significant Digital Health and Cybersecurity Regulatory Developments, 2022

Stephanie Philbin, Steven Tjoe & Lauren Farruggia*

Throughout 2022, the U.S. Food and Drug Administration (FDA or the agency) continued to refine its frameworks for oversight of the digital health and broader device industry with important regulatory updates impacting device software and cybersecurity. The Food and Drug Omnibus Reform Act of 2022 (FDORA), included as part of the Consolidated Appropriations Act of 2023, also meaningfully impacted FDA’s authority with respect to device cybersecurity.

I. Clinical Decision Support

On September 28, 2022, FDA published three final guidance documents impacting the digital health industry: Clinical Decision Support Software (the CDS Guidance);[1] Policy for Device Software Functions and Mobile Medical Applications;[2] and Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices.[3]

Of the three final guidances, the CDS Guidance is perhaps the most impactful. FDA clarified key concepts for determining whether clinical decision support (CDS) software is a medical device and meaningfully modified the agency’s September 2019 draft guidance of the same name.[4] Specifically, the CDS Guidance provided FDA’s interpretation of the four criteria established by the 21st Century Cures Act for determining whether a decision support software function is excluded from the definition of a device (i.e., is considered Non-Device CDS).[5] Most significantly:

(1) FDA elaborated on its interpretation of what it considers to be “medical images, signals, and patterns” under Criterion 1. From the agency’s perspective:

(a) “Medical images” include not only images generated by use of “medical imaging systems (e.g., computed tomography (CT), x-ray, ultrasound, and magnetic resonance imaging (MRI)) to view any part(s) of the body or images acquired for a medical purpose (e.g., pathology, dermatology),” but also images that were not “originally acquired for a medical purpose but are being processed or analyzed for a medical purpose.”

(b) “Signals” include those that typically require use of either an in vitro diagnostic device (IVD) or a “signal acquisition system that measures a parameter from within, attached to, or external to the body for a medical purpose.”

(c) “Patterns” mean “multiple, sequential, or repeated measurements of a signal or from a signal acquisition system.”[6]

(2) The agency clarified that “medical information” under Criterion 2 is intended to be the type of information that normally is, and generally can be, communicated between health care providers (HCPs) in a clinical conversation or between HCPs and patients in the context of a clinical decision, meaning that the relevance of the information to the clinical decision being made is well understood and accepted.[7] Notably, FDA introduced the concept of “sampling frequency” as a consideration when determining whether information is considered “medical information” under Criterion 2 or a signal/pattern under Criterion 1.[8] FDA explained that a “single, discrete test or measurement result that is clinically meaningful” is medical information under Criterion 2, while “a more continuous sampling of the same information” is a pattern/signal under Criterion 1.[9]

(3) FDA significantly expanded its interpretation of Criterion 3 by introducing the concepts of software automation bias and time-critical decision-making in determining whether a software function is intended for the purpose of supporting or providing recommendations to an HCP.[10]

(4) The agency provided an updated and more granular explanation of its expectations for certain disclosures to enable HCPs to independently review the basis of a software’s recommendations consistent with Criterion 4 by introducing specific software and labeling recommendations related to: identification of the product’s intended use, the intended HCP user, the intended patient population, the required input medical information, and a plain language description of the underlying algorithm development and validation that forms the basis for the CDS implementation.[11]

FDA also provided numerous specific examples of Non-Device CDS and of software functions that are a device, including some examples that have potentially far-reaching implications. Industry response to the CDS Guidance has largely been critical. As 2023 progresses, industry will eagerly anticipate additional clarification from the agency.

II. Pre-Cert Pilot Program

On September 28, 2022, FDA announced that its Pre-Cert Pilot Program was completed and released its report entitled, “The Software Precertification (Pre-Cert) Pilot Program: Tailored Total Product Lifecycle Approaches and Key Findings” (the Pre-Cert Report). FDA launched the Pre-Cert Pilot Program in 2017 to encourage the development of innovative technologies and explore methods of ensuring regulatory oversight of medical device software.[12] Ultimately, the Pre-Cert Report revealed that, throughout the Pre-Cert Pilot Program, the agency “encountered challenges with implementing the proposed approach under [its] current statutory authorities.”[13] Further, FDA acknowledged that limiting participation to nine pilot participants, and only permitting formal implementation of approaches via the de novo classification process, did not result in many devices becoming available for consideration under the Pre-Cert Pilot Program.[14] The agency emphasized the need for new legislative authority targeted at device software to supplement the agency’s existing regulatory pathways, although that legislative authority remains to be seen.[15] Nevertheless, FDA assured industry that the Center for Devices and Radiological Health’s (CDRH) Digital Health Center of Excellence will continue to explore the tools available under its current authority to improve its oversight of medical device software.[16]

III. Cybersecurity

In December 2022, President Biden signed into law FDORA, which amends the Federal Food, Drug, and Cosmetic Act (FDCA) to ensure the protection of device cybersecurity.[17] The new FDCA provisions contemplate a category of devices called “cyber devices,” which include software validated, installed, or authorized by a sponsor as the device itself or as part of a device, that has the ability to connect to the internet, and that contains technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.[18]

FDORA requires applicants submitting premarket submissions ninety days after the date of enactment of FDORA for devices meeting the definition of “cyber device” to include in their application a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits as well as a software bill of materials, including commercial, open-source, and off-the-shelf software components; to design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address certain vulnerabilities; and to comply with any other applicable regulations that the agency may promulgate.[19]

FDORA also authorizes the agency to identify devices or categories of devices that are exempt from cybersecurity requirements, and adds noncompliance with these cybersecurity provisions to the prohibited acts enumerated under 21 U.S.C. § 331.[20] Finally, FDORA requires FDA to update its 2014 final guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (Final Premarket Cybersecurity Guidance) within two years of enactment.[21]

Prior to FDORA’s passage, the agency itself took steps to prioritize device cybersecurity. On April 8, 2022, FDA published its draft guidance entitled, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Draft Guidance for Industry and Food and Drug Administration Staff” (the Cybersecurity Draft Guidance).[22] The Cybersecurity Draft Guidance reflects the agency’s latest attempt at replacing its Final Premarket Cybersecurity Guidance in response to a rapidly evolving technological landscape and emerging threats.

The Cybersecurity Draft Guidance reaffirms FDA’s position that cybersecurity is a fundamental part of device safety. The agency introduces the Secure Product Development Framework (SPDF) as one option for manufacturers to ensure compliance with the Quality System Regulation.[23] The SPDF is intended to reduce the number and severity of vulnerabilities and reduce the likelihood that a device will be exploited and includes recommended processes such as security risk management (including threat modeling and assessment of third-party software components), security architecture, and cybersecurity testing.[24]

FDA also outlines in the Cybersecurity Draft Guidance a framework for ensuring cybersecurity transparency. The agency suggests certain labeling recommendations for devices with cybersecurity risks, including disclosure of any risks transferred to the user and consideration of such risks as tasks to be assessed during usability testing.[25] FDA also recommends that manufacturers develop vulnerability management plans and submit such plans as part of the manufacturer’s premarket submissions, including identification of responsible personnel; sources, methods, and frequency for monitoring for and identifying vulnerabilities; periodic security testing; a timeline to develop and release patches; update processes; patching capability; a description of the coordinated vulnerability disclosure process; and a description of how the manufacturer intends to communicate updates to customers.[26]

In addition, on October 7, 2022, FDA released a new video, “Tips for Clinicians – Keeping Your Patients’ Connected Medical Devices Safe” to help clinicians discuss cybersecurity of connected medical devices with patients.[27] On November 15, 2022, the agency updated the “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” in collaboration with MITRE, which is intended to educate health care organizations to prepare for cybersecurity incidents before they occur.[28]

It is not yet clear how FDA will revise the Cybersecurity Draft Guidance in light of the new FDCA sections establishing requirements for cyber devices and FDORA’s requirement for FDA to update its Final Premarket Cybersecurity Guidance. However, the Cybersecurity Draft Guidance is on the agency’s A-List of prioritized guidance documents that CDRH intends to publish in fiscal year 2023, so industry should expect to have an answer relatively soon.


* Stephanie Philbin and Steven Tjoe are partners and Lauren Farruggia is a senior associate at Goodwin Procter LLP and members of the firm’s Life Sciences Regulatory & Compliance practice.

[1]   U.S. Food & Drug Admin., Clinical Decision Support Software, Guidance for Industry and Food and Drug Administration Staff (Sept. 28, 2022), https://www.fda.gov/media/109618/download [hereinafter CDS Guidance].

[2]   U.S. Food & Drug Admin., Policy for Device Software Functions and Mobile Medical Applications, Guidance for Industry and Food and Drug Administration Staff (Sept. 28, 2022), https://www.fda.gov/media/80958/download.

[3]   U.S. Food & Drug Admin., Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices, Guidance for Industry and Food and Drug Administration Staff (Sept. 28, 2022), https://www.fda.gov/media/88572/download.

[4]   Clinical Decision Support Software, Draft Guidance for Industry and Food and Drug Administration Staff; Availability, 84 Fed. Reg. 51,167 (Sept. 27, 2019).

[5]   A software function must meet all of the following four criteria to be considered Non-Device CDS:

(1) Not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device (IVD) or a pattern or signal from a signal acquisition system (Criterion 1);

(2) Intended for the purpose of displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines) (Criterion 2);

(3) Intended for the purpose of supporting or providing recommendations to a health care professional (HCP) about prevention, diagnosis, or treatment of a disease or condition (Criterion 3); and

(4) Intended for the purpose of enabling such HCP to independently review the basis for the recommendations that such software presents so that it is not the intent that the HCP rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient (Criterion 4).

CDS Guidance, supra note 1, at 6.

[6]   Id. at 8.

[7]   Id. at 9.

[8]   Id.

[9]   Id. at 10.

[10]  Id. at 11.

[11]  Id.

[12]  U.S. Food & Drug Admin., The Software Precertification (Pre-Cert) Pilot Program: Tailored Total Product Lifecycle Approaches and Key Findings 5 (Sept. 2022), https://www.fda.gov/media/161815/download.

[13]  Id. at 3.

[14]  Id. at 4.

[15]  Id. at 14.

[16]  Id. at 5.

[17]  Pub. L. No. 117-328 (2022) (FDORA).

[18]  FDORA § 3305(a).

[19]  Id.

[20]  FDORA § 3305(b).

[21]  FDORA § 3305(e); U.S. Food & Drug Admin., Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff (Oct. 2, 2014), https://www.fda.gov/media/86174/download.

[22]  U.S. Food & Drug Admin., Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff (Apr. 8, 2022), https://www.fda.gov/media/119933/download.

[23]  Id. at 9.

[24]  Id. at 13–28.

[25]  Id. at 29.

[26]  Id. at 31.

[27]  Cybersecurity, U.S. Food & Drug Admin. (content current as of May 1, 2023), https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.

[28]  MITRE, Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, Version 2.0 (Nov. 2022), https://www.mitre.org/sites/default/files/2022-11/pr-2022-3034-medical-device-cybersecurity-regional-preparedness-response-playbook.pdf.