Author: William Hyman

FDA Guidance on Software Changes

On October 25, 2017 the FDA released its guidance on "Deciding When to Submit a 510(k) for a Software Change to an Existing Device". A draft of this guidance was released in August 2016 and I commented on that draft here. The scope of what was changed is not easy to discern, especially since the draft is no longer directly available and the URL for the final guidance is the same as that for the previous draft. No doubt there are many people who have a copy of the draft and the Wayback Machine might also be explored. But such...


Even More Proposed Medical Device Connectivity Legislation

The FDA, medical devices, and cybersecurity are popular subject matter for proposed Federal legislation, even though most bills in this arena never clear committee. One wonders sometimes if those introducing such bills really care about them being enacted, or are they just an exercise in publicity and perhaps self-aggrandizement. On October 5, 2017 H.R. 3985: Internet of Medical Things Resilience Partnership Act of 2017 was introduced by Dave Trott of Michigan and Susan Brooks of Indiana. In addition to possible self-aggrandizement, in the present case the bill also celebrates National Cybersecurity Month. If you haven't celebrated this yet, you better hurry....


FDA to Address Cybersecurity at Workshop

Cybersecurity continues to be a hot topic in healthcare with several areas of concern. These include the theft of personal health information from a provider's database, using ransomware to extract payment from providers without actually stealing information, and compromising the performance of medical devices that are connected to the network, employ wireless functions or are otherwise hackable in either real or imagined scenarios. One might note that these latter concerns may not be in proportion to the actual risk, i.e. they attract a great deal of attention and gnashing of teeth but in a rational hierarchy of actual...


Sussing Out SaMD

Software as a Medical Device (SaMD) is terminology under the aegis of a work group of the International Medical Device Regulators Forum (IMDRF) of which the FDA is a member. SaMD is distinct from software in a medical device although "in" these days may have a looser meaning closer to "is a part of". The notion that "stand alone" software, operating on a general purpose computer could be or is a medical device was at one time debated by some but this has been resolved by various regulatory bodies who declared that the discussion was now over and that software is...


When Does Regulated Software Need a New 510(k)?

A ubiquitous characteristic of software is that it often undergoes numerous changes after it is first released for general use. These changes may be to fix things that were never right in the first place, or to provide new features and/or greater security. If the software is a “medical device”, or part of a medical device, or connects medical devices, then changes may come under the FDA's regulatory processes. New Draft Guidance from FDA A recurring question for software that is a medical device and which is actively regulated is when do changes to that software require a new 510(k)...


Advice from the FDA on Medical Device Data Sharing

Among the many forms of data flow that might occur from a medical device is direct to the patient. This received some notoriety when a patient wanted to access the output directly from their own implanted device. They had to do battle with the device manufacturer who claimed among other things that the FDA would not allow them to make the data available. It turns out that the "FDA won't let us" is a well known, if not necessarily correct, excuse in a different arena, that of medical device service and repair. The FDA has added some clarification in...


Connectivity and Hackability

It is somewhat ironic that Hospira and Cerner announced a new collaboration on Hospira’s infusion pumps and Cerner’s EHR given that Hospira has recently had more than its share of attention with respect to asserted LifeCare and Symbiq pump cybersecurity vulnerabilities. This attention included a notice from the Department of Homeland Security as well as from the FDA (here and here). I found it of interest that despite the widespread hype around these notices there has been no recall of these pumps for the related issues. Instead advice was given to transition away from their use, mitigate the risks by some technical...


Some Funky Cybersecurity Math

Assessing the magnitude and significance of cyber threats has at least two important purposes. One is to determine the extent of measures that have been or should be taken to respond to or counter the threat. This is part of the rational deployment of resources across the multiple risks that we face, whether cyber or otherwise. In this regard it is simply not possible or necessary to respond to all risks with equal vigor. A second purpose can be to communicate threat significance to or among interested parties. For such communication there is a tendency to reduce complex, multifaceted...


The FDA October Workshop on Cybersecurity

If it were possible to be unaware of the general problem of cybersecurity, the recent Sony hack with its public disclosures of "private" e-conversations and then terroristic blackmail, following the earlier release of celebrity cloud photos, ought to have provided notice that what is electronically stored is likely to be available to those determined to have it. Moreover we know that cybersecurity can in principle also impact the function and availability of connected systems (Sony again) and/or the information they contain. We also need to be concerned about the malicious alteration of information or disruption of device performance....


DHHS OIG Work Plan Targets Networked Devices

The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services has released a report (pdf) outlining its 2015 work plan. Among a host of subjects is "Information Technology Security, Protected Health Information, and Data Accuracy" with the subsection "Controls over networked medical devices at hospitals". The focus here is on the security of patient electronic health information which is to be protected under law. Other risks associated with device networking are not addressed. The relevant subsection (page 22) is relatively brief: We will examine whether CMS oversight of hospitals' security controls over networked...

