410 likes | 423 Views
January 16, 2018. Kate Klaus, Esq. Courtney Young, Esq. Ripped from the Headlines: Medmarc’s Risk Management Team Discusses Lessons Learned from Life Sciences in the News and What to Watch for in 2019. Agenda. Opioid Update Digital Health Pre-Certification Program
E N D
January 16, 2018 Kate Klaus, Esq. Courtney Young, Esq. Ripped from the Headlines: Medmarc’s Risk Management Team Discusses Lessons Learned from Life Sciences in the News and What to Watch for in 2019
Agenda • Opioid Update • Digital Health Pre-Certification Program • Medical Device Cybersecurity • OTC Monograph Reform • Lighting Round
Status • Opioid “epidemic” has been at center of national attention for several years, and 2018 saw an increase in lawsuits against opioid manufacturers and distributors • Suits coming from state and county governments alleging that these companies are liable for the cost to the public of treating opioid victims • Allegations include knowingly misleading public and physicians about addiction risks • Georgia became latest government to file suit, filing on Jan. 3
What does this mean for life sciences companies? • Litigation • Ancillary products may become a target • Pain pumps, drug delivery systems • Insurance coverage • Coverage for businesses with opioid exposure is going to be more difficult to obtain, exclusions being added to policies • Suits by government entities • These types of suits may be new trend, not be unique to opioids
Digital Health Pre-Certification Program
Pre-Cert: What is it? • 21st Century Cures Act • Digital Health Innovation Action Plan • Software Pre-Certification Program • Streamlines the regulatory oversight of software-based medical devices • Focus initial evaluation on the developer
Pre-Cert: Who is it for? • Manufacturers with a robust culture of quality and organizational excellence • Commitment to monitoring real-world performance of their products in the U.S. market - Will Durant, frequently misattributed to Aristotle
Pre-Cert: How does it work? • Key components: • Excellence Appraisal • Review Determination • Streamlined Review • Real-World Performance
Pre-Cert: When will it launch? • Pilot program in progress • More than 100 companies applied to participate, but only nine selected • Transparent development process • Link for submitting comments on FDA website • Interactive user sessions with pilot participants open to the public via webinar
Status • Medical device cybersecurity has been and continues to be a focus of FDA, the industry, and the plaintiff’s bar • FDA released new guidance on October 18, 2018 • The U.S. Department of Health and Human Services released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” on December 28, 2018
FDA’s New Guidance • New Guidance released October 18, 2018 • “Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system. We’ve been implementing this guidance since it was finalized in 2014. Now, because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices. This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats.” – FDA Commissioner Scott Gottlieb
Guidance: Content of Premarket Submissions for Management of Cybersecurity • Last cybersecurity guidance finalized in October of 2014 • Recommends that premarket submissions include a “cybersecurity bill of materials” detailing the software and hardware components that are vulnerable to cyberattacks • Device makers must include documentation demonstrating how they have mitigated cybersecurity risks • Provides design recommendations based on NIST’s “Framework for Improving Critical Infrastructure Cybersecurity”
Guidance: Content of Premarket Submissions for Management of Cybersecurity, cont’d • According to the FDA, the security risk management report for a trustworthy device would include: • A system-level threat model • A specific list of all cybersecurity risks that were considered in the device’s design • A list and justification of all cybersecurity controls established in the device, including risk mitigations • A description of the testing done to ensure the adequacy of cybersecurity risk controls (including performance testing, vulnerability scanning, penetration testing, etc.) • A traceability matrix linking cybersecurity controls to the risks outlined in a security risk and hazard analysis • A software bill of materials that is cross-referenced with the National Vulnerability Database or a similar known database, including criteria for addressing known vulnerabilities or a rationale for not addressing known vulnerabilities.
DHS and FDA MOA • In October, the FDA and the National Protection and Programs Directorate (NPPD) of DHS entered into an agreement that formalizes a long-standing relationship between the agencies and implements a new framework for increased collaboration, information-sharing, and coordination to address cybersecurity in medical devices. • Key Provisions: • NPPD can assist FDA as an independent third party in the evaluation and assessment of the impact of medical device vulnerabilities • NPPD will coordinate with FDA on the content of alerts and advisories related to medical device cybersecurity and these will be published by DHS • Takeaway: • FDA stepping up its enforcement actions related to cybersecurity
What does this mean for life sciences companies? New information should be submitted with 510(k) submissions Keep an eye on emerging and developing industry standards These standards can form the basis of plaintiffs’ negligence cases in the event of a data breach, bodily injury, or property damage arising out of a cyber vulnerability
The Intersection of Cybersecurity & Products Liability You failed to warn me that a cyber vulnerability could result in bodily injury/ property damage. Your product does not effectively warn against hazards of which you knew or should have known. Warning Defect Something went wrong in the manufacturing process, which rendered the device less safe. You failed to implement the appropriate security patch. You failed to effectively design the product to protect against cyber vulnerabilities and/or be interoperable without risk to other systems, networks, or components. Manufacturing Defect There is a reasonably safer alternative design that you failed to use. Design Defect
HHS’ New Health Industry Cybersecurity Practices The document identified 5 threats for healthcare providers: • E-mail phishing attacks • Ransomware attacks • Loss or theft of equipment or data • Insider, accidental or intentional data loss • Attacks against connected medical devices that may affect patient safety Released at the end of last year, HHS’ document is a “call to action” for the healthcare industry with the goal of moving beyond the historical focus on privacy and security and put new emphasis on patient safety
Bringing OTCs to Market Private submission to FDA by drug sponsor • Either: • A new active moiety, dosage form, use, etc., or • Prescription to OTC switch NDA Three-phase process: Advisory panel review FDA publishes Tentative Final Monograph (TFM) in the Federal Register for public comment Final Monograph published Monograph Public rulemaking process
OTC Monograph System • Set of conditions that are self-limiting and self-diagnosable • Identifies permitted actives and concentrations • Sets out required label statements • No pre-approval required – if it complies with the monograph, it can be sold
OTC Monograph System • Required label format • Nearly every aspect dictated by regulations – fonts, font size, bolding, line widths, bullet use
Monograph System Relic • Introduced in 1972 and never completed • Rulemaking moves at a glacial pace, hindering FDA’s responsiveness to safety issues • Significant barrier to innovation, as monographs are limited in large part to actives available in 1972
Over-the-Counter Monograph Safety, Innovation, and Reform Act • User fees • Improved staffing and dedicated funding for OTC work • Streamlined regulatory pathway • Review of innovations • Quick response to emerging issues • Exclusivity for innovators • IT infrastructure
Reform Status • Passed the House in the 115th Congress, but was not taken up by the Senate before the session ended • Passed again by the House (116th) on January 8th, with broad bipartisan support (401 – 17) • Sent to the Senate, where it again awaits further action
Virtual Trials • CROs increasingly undertaking “virtual trials” in which participants are remove • May ease clinical trial costs where available
Third-Party Litigation Funding • Does it make litigation more likely? • Courts to consider the issue have largely allowed plaintiffs’ funding sources to remain undisclosed as irrelevant to the case. https://www.nytimes.com/2018/04/14/business/vaginal-mesh-surgery-lawsuits-financing.html
HIPAA Enforcement Looks to Be Ramping Up • Medical devices with software components and medical software makers should take note and ensure appropriate data protection measures are in place.
Brexit • If there’s no deal, the UK’s participation in the European regulatory network would cease. • Drugs - The MHRA would take on the functions currently undertaken by the EU for medicines on the UK market. • Medical Devices – UK will recognize medical devices approved for the EU market and CE-marked.
Thank you! Risk Management Department703.652.1362 RiskManagement@medmarc.com Courtney Young, Esq.703.652.1385 CourtneyYoung@medmarc.com Kate Klaus, Esq.703.652.1330KathrynKlaus@medmarc.com
All statements and opinions in this publication are for informational and educational purposes only. None of the information presented should be considered as offering legal advice or legal opinion. We are not liable for any errors, inaccuracies or omissions. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered by Medmarc Insurance Group, the terms and conditions of the actual policy will apply. Disclaimer