Author: William Hyman

Will Pre-Cert Increase the Advantage of Big Companies?

There is much debate about the relative advantages of big vs small companies on the development side of the device/product equation. The classic view is that big has the resources and experience, but perhaps is over constrained and undermotivated. Small has entrepreneurial zeal and fewer rules. I once heard that zeal turned into advice to job candidates that you shouldn’t express interest in any hobbies during your interview because they didn’t want people with distractions.  Small may also have no income, but that is a separate matter. However, design/product development is only part of the challenge in medical devices....


FDA Busy With Software

Since connectivity runs on software, and some medically related software is a medical device, and medical devices are regulated by the FDA, those involved in connectology must pay at least some attention to what the FDA is saying about the subject of medical software that is not an inherent part of some other medical device. In this regard the FDA speaks in multiple ways, ranging from regulations, to final guidance documents (fGD), to draft guidance documents (dGD), to more casual public comments. Recently (since October 1st) the FDA has been busy in the software space by releasing several new...


FDA Guidance on Software Changes

On October 25, 2017 the FDA released its guidance on "Deciding When to Submit a 510(k) for a Software Change to an Existing Device". A draft of this guidance was released in August 2016 and I commented on that draft here. The scope of what was changed is not easy to discern, especially since the draft is no longer directly available and the URL for the final guidance is the same as that for the previous draft. No doubt there are many people who have a copy of the draft and the Wayback Machine might also be explored. But such...


Even More Proposed Medical Device Connectivity Legislation

The FDA, medical devices, and cybersecurity are popular subject matter for proposed Federal legislation, even though most bills in this arena never clear committee. One wonders sometimes if those introducing such bills really care about them being enacted, or are they just an exercise in publicity and perhaps self-aggrandizement. On October 5, 2017 H.R. 3985: Internet of Medical Things Resilience Partnership Act of 2017 was introduced by Dave Trott of Michigan and Susan Brooks of Indiana.  In addition to possible self-aggrandizement, in the present case the bill also celebrates National Cybersecurity Month. If you haven't celebrated this yet, you better hurry....


FDA to Address Cybersecurity at Workshop

Cybersecurity continues to be a hot topic in healthcare with several areas of concern. These include the theft of personal health information from a provider's database, using ransomware to extract payment from providers without actually stealing information, and compromising the performance of medical devices that are connected to the network, employ wireless functions or are otherwise hackable in either real or imagined scenarios. One might note that these latter concerns may not be in proportion to the actual risk, i.e., they attract a great deal of attention and gnashing of teeth but in a rational hierarchy of actual...


Sussing Out SaMD

Software as a Medical Device (SaMD) is terminology under the aegis of a work group of the International Medical Device Regulators Forum (IMDRF), of which the FDA is a member. SaMD is distinct from software in a medical device, although "in" these days may have a looser meaning, closer to "is a part of". The notion that "stand alone" software, operating on a general purpose computer, could be or is a medical device was at one time debated by some, but this has been resolved by various regulatory bodies who declared that the discussion was now over and that software is...


When Does Regulated Software Need a New 510(k)?

A ubiquitous characteristic of software is that it often undergoes numerous changes after it is first released for general use. These changes may be to fix things that were never right in the first place, or to provide new features and/or greater security. If the software is a “medical device”, or part of a medical device, or connects medical devices, then changes may come under the FDA's regulatory processes.

New Draft Guidance from FDA

A recurring question for software that is a medical device and which is actively regulated is when do changes to that software require a new 510(k)...


Advice from the FDA on Medical Device Data Sharing

Among the many forms of data flow that might occur from a medical device is direct to the patient. This received some notoriety when a patient wanted to access the output directly from their own implanted device. They had to do battle with the device manufacturer who claimed among other things that the FDA would not allow them to make the data available. It turns out that the "FDA won't let us" is a well known, if not necessarily correct, excuse in a different arena, that of medical device service and repair. The FDA has added some clarification in...


Connectivity and Hackability

It is somewhat ironic that Hospira and Cerner announced a new collaboration on Hospira’s infusion pumps and Cerner’s EHR given that Hospira has recently had more than its share of attention with respect to asserted LifeCare and Symbiq pump cybersecurity vulnerabilities. This attention included a notice from the Department of Homeland Security as well as from the FDA (here and here). I found it of interest that despite the widespread hype around these notices there has been no recall of these pumps for the related issues. Instead advice was given to transition away from their use, mitigate the risks by some technical...


Some Funky Cybersecurity Math

Assessing the magnitude and significance of cyber threats has at least two important purposes. One is to determine the extent of measures that have been or should be taken to respond to or counter the threat. This is part of the rational deployment of resources across the multiple risks that we face, whether cyber or otherwise. In this regard it is simply not possible or necessary to respond to all risks with equal vigor. A second purpose can be to communicate threat significance to or among interested parties. For such communication there is a tendency to reduce complex, multifaceted...

