Kate Klaus, Esq. Courtney Young, Esq. January 16, 2018 Ripped from - - PowerPoint PPT Presentation
Kate Klaus, Esq. Courtney Young, Esq. January 16, 2018 Ripped from the Headlines: Medmarcs Risk Management Team Discusses Lessons Learned from Life Sciences in the News and What to Watch for in 2019 Agenda Opioid Update Digital Health
January 16, 2018
Kate Klaus, Esq. Courtney Young, Esq. Ripped from the Headlines: Medmarc’s Risk Management Team Discusses Lessons Learned from Life Sciences in the News and What to Watch for in 2019
1
Agenda Opioid Update Digital Health Pre
Program Medical Device Cybersecurity OTC Monograph Reform Lighting Round
3
What’s going on?
4
Status
Opioid “epidemic” has been at center of national attention for several years, and 2018 saw an increase in lawsuits against
Suits coming from state and county governments alleging that these companies are liable for the cost to the public of treating opioid victims Allegations include knowingly misleading public and physicians about addiction risks
Georgia became latest government to file suit, filing on Jan. 3
5
What does this mean for life sciences companies? Litigation
Ancillary products may become a target
Insurance coverage
Coverage for businesses with opioid exposure is going to be more difficult to obtain, exclusions being added to policies
Suits by government entities
These types of suits may be new trend, not be unique to opioids
7
Pre-Cert: What is it? 21st Century Cures Act
Digital Health Innovation Action Plan
Streamlines the regulatory
medical devices
Focus initial evaluation on the developer
8
Pre-Cert: Who is it for? Manufacturers with a robust culture of quality and organizational excellence Commitment to monitoring real-world performance of their products in the U.S. market
misattributed to Aristotle
9
Pre-Cert: How does it work? Key components:
Excellence Appraisal Review Determination Streamlined Review Real-World Performance
10
Pre-Cert: When will it launch? Pilot program in progress
More than 100 companies applied to participate, but only nine selected
Transparent development process
Link for submitting comments on FDA website Interactive user sessions with pilot participants open to the public via webinar
12
What’s going on?
13
Status
Medical device cybersecurity has been and continues to be a focus of FDA, the industry, and the plaintiff’s bar FDA released new guidance on October 18, 2018 The U.S. Department of Health and Human Services released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” on December 28, 2018
14
FDA’s New Guidance New Guidance released October 18, 2018
“Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system. We’ve been implementing this guidance since it was finalized in 2014. Now, because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices. This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats.” – FDA Commissioner Scott Gottlieb
15
Guidance: Content of Premarket Submissions for Management of Cybersecurity
Last cybersecurity guidance finalized in October of 2014 Recommends that premarket submissions include a “cybersecurity bill of materials” detailing the software and hardware components that are vulnerable to cyberattacks
Device makers must include documentation demonstrating how they have mitigated cybersecurity risks
Provides design recommendations based on NIST’s “Framework for Improving Critical Infrastructure Cybersecurity”
16
Guidance: Content of Premarket Submissions for Management of Cybersecurity, cont’d
According to the FDA, the security risk management report for a trustworthy device would include:
A system-level threat model A specific list of all cybersecurity risks that were considered in the device’s design A list and justification of all cybersecurity controls established in the device, including risk mitigations A description of the testing done to ensure the adequacy of cybersecurity risk controls (including performance testing, vulnerability scanning, penetration testing, etc.) A traceability matrix linking cybersecurity controls to the risks outlined in a security risk and hazard analysis A software bill of materials that is cross-referenced with the National Vulnerability Database or a similar known database, including criteria for addressing known vulnerabilities or a rationale for not addressing known vulnerabilities.
17
DHS and FDA MOA
In October, the FDA and the National Protection and Programs Directorate (NPPD) of DHS entered into an agreement that formalizes a long-standing relationship between the agencies and implements a new framework for increased collaboration, information-sharing, and coordination to address cybersecurity in medical devices.
Key Provisions:
NPPD can assist FDA as an independent third party in the evaluation and assessment of the impact of medical device vulnerabilities NPPD will coordinate with FDA on the content of alerts and advisories related to medical device cybersecurity and these will be published by DHS
Takeaway:
FDA stepping up its enforcement actions related to cybersecurity
18
What does this mean for life sciences companies? New information should be submitted with 510(k) submissions Keep an eye on emerging and developing industry standards These standards can form the basis of plaintiffs’ negligence cases in the event of a data breach, bodily injury, or property damage arising out of a cyber vulnerability
19
The Intersection of Cybersecurity & Products Liability
Manufacturing Defect Design Defect Warning Defect
Your product does not effectively warn against hazards of which you knew or should have known. Something went wrong in the manufacturing process, which rendered the device less safe. There is a reasonably safer alternative design that you failed to use. You failed to effectively design the product to protect against cyber vulnerabilities and/or be interoperable without risk to other systems, networks, or components. You failed to warn me that a cyber vulnerability could result in bodily injury/ property damage. You failed to implement the appropriate security patch.
20
HHS’ New Health Industry Cybersecurity Practices Released at the end of last year, HHS’ document is a “call to action” for the healthcare industry with the goal of moving beyond the historical focus on privacy and security and put new emphasis on patient safety
The document identified 5 threats for healthcare providers: E-mail phishing attacks Ransomware attacks Loss or theft of equipment or data Insider, accidental or intentional data loss Attacks against connected medical devices that may affect patient safety
21
HHS’ Identification of Medical Devices as a Threat
23
Public rulemaking process
Either:
dosage form, use, etc., or
Three-phase process:
Monograph (TFM) in the Federal Register for public comment
NDA Monograph
Bringing OTCs to Market
Private submission to FDA by drug sponsor
24
OTC Monograph System Set of conditions that are self- limiting and self-diagnosable Identifies permitted actives and concentrations Sets out required label statements No pre-approval required – if it complies with the monograph, it can be sold
25
OTC Monograph System Required label format Nearly every aspect dictated by regulations – fonts, font size, bolding, line widths, bullet use
26
Monograph System Relic Introduced in 1972 and never completed Rulemaking moves at a glacial pace, hindering FDA’s responsiveness to safety issues Significant barrier to innovation, as monographs are limited in large part to actives available in 1972
27
Over-the-Counter Monograph Safety, Innovation, and Reform Act User fees
Improved staffing and dedicated funding for OTC work
Streamlined regulatory pathway
Review of innovations Quick response to emerging issues
Exclusivity for innovators IT infrastructure
28
Reform Status Passed the House in the 115th Congress, but was not taken up by the Senate before the session ended Passed again by the House (116 th)
bipartisan support (401 – 17) Sent to the Senate, where it again awaits further action
30
Virtual Trials CROs increasingly undertaking “virtual trials” in which participants are remove May ease clinical trial costs where available
31
Impact of Government Shutdown on FDA Operations
32
Third-Party Litigation Funding Does it make litigation more likely? Courts to consider the issue have largely allowed plaintiffs’ funding sources to remain undisclosed as irrelevant to the case.
https://www.nytimes.com/2018/04/14/business/vaginal-mesh-surgery-lawsuits-financing.html
33
Banner Year for Drug Approvals
34
HIPAA Enforcement Looks to Be Ramping Up Medical devices with software components and medical software makers should take note and ensure appropriate data protection measures are in place.
35
The 510(k) Pathway and the Battle for Public Opinion
36
The 510(k) Pathway and the Battle for Public Opinion
37
The 510(k) Pathway and the Battle for Public Opinion
38
Brexit
If there’s no deal, the UK’s participation in the European regulatory network would cease. Drugs - The MHRA would take on the functions currently undertaken by the EU for medicines
Medical Devices – UK will recognize medical devices approved for the EU market and CE- marked.
39
Courtney Young, Esq. 703.652.1385
CourtneyYoung@medmarc.com
Kate Klaus, Esq. 703.652.1330
KathrynKlaus@medmarc.com
Risk Management Department 703.652.1362
RiskManagement@medmarc.com
40
Disclaimer All statements and opinions in this publication are for informational and educational purposes only. None of the information presented should be considered as
for any errors, inaccuracies or omissions. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered by Medmarc Insurance Group, the terms and conditions of the actual policy will apply.