Ready or Not, Here Comes Medical Device Cybersecurity Legislation
New bill would give CMS coverage for breakthrough devices
Late last year, President Joe Biden signed a $1.7 trillion omnibus appropriations bill into law, which included authorization for FDA to confirm that medical devices meet specific cybersecurity standards before hitting the market. The law also requires medical device manufacturers to maintain adequate post-market surveillance from a cybersecurity standpoint, and addresses both device hardware design as well as device software, according to a report published by PwC.
Key dates to know:
- March 29: Amendments to the Food, Drug, and Cosmetic Act take effect. Applications submitted before this date are not subject to the new medical device cybersecurity requirements.
- June 27: Based on submitted plans, FDA is expected to report on how companies are improving their medical device cybersecurity within 180 days of enactment.
- December 29: The Government Accountability Office has to provide a report identifying cybersecurity challenges in the sector within one year of enactment.
- December 29, 2024: FDA has to provide updated medical device cybersecurity guidance for manufacturers within two years of enactment.
FDA published a much-anticipated cybersecurity final guidance that allows it to issue refuse to accept (RTA) decisions to medical device sponsors if the agency is concerned their product doesn’t meet its cybersecurity requirements. It also published an FAQ for sponsors with more information on when the agency plans to issue RTAs. The guidance was mandated by the 2023 Consolidated Appropriations Act, also known as the Omnibus budget bill. “For premarket submissions submitted for cyber devices that are submitted before October 1, 2023, the FDA generally intends not to issue ‘refuse to accept’ (RTA) decisions based solely on information required by section 524B of the [Food, Drug and Cosmetics] Act,” said FDA. “Instead, the FDA will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” According to FDA, sponsors of such devices should submit a plan to monitor, identify, and address cybersecurity vulnerabilities and exploits. The agency asks sponsors to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems.” Sponsors are also asked to submit a software bill of materials (SBOM) in their product application, which may include commercial, open-source, and off-the-shelf software components.
FDA CDRH published a draft guidance, “Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions.” Per the FDA’s announcement, the draft guidance proposes a science-based approach to ensuring that AI/ML-enabled devices can be safely, effectively, and rapidly modified, updated, and improved in response to new data. A Predetermined Change Control Plan could enable both changes that are implemented manually and changes that are implemented automatically by the software. The plan would include a detailed description of the specific, planned device modifications; a description of the methodology that would be used to develop, validate, and implement those modifications, including how necessary information about these modifications will be clearly communicated to users; and an assessment of the benefits and risks of the planned modifications.
FDA asserts that it is on track to release a final rule this December that harmonizes the agency’s decades-old Quality System Regulation (QSR) with international standard ISO 13485:2016. The FDA released its draft Quality Management System Regulation (QMSR) in February 2022; the agency had been busy combining the QSR with ISO 13485 since early 2018. The QMSR, when finalized, should be shorter in length than the QSR because the current regulation’s requirements are already “substantively similar” to what’s found in ISO 13485:2016. The finalization of the QMSR “moves ISO 14971 beyond just a recognized consensus standard in the FDA database to an enforceable element of the regulation. If you look at [the MDSAP] audit checklist, its foundational element is ISO 13485:2016. So even if you’ve never received an ISO 13485 [certification], but you went with an MDSAP audit certification instead, that would do two things within the US,” Henry said. “First, you now have a mechanism for replacing routine inspections from the FDA with a notified body, which has some advantages. [And second,] through that notified body audit, against the MDSAP criteria, you have effectively met the ISO 13485 criteria as well. And when the proposed [QMSR] rule becomes final, you will already be ahead of the game.”
Building on current product recognition routes from the EU, the recommendations advise officials to “rapidly explore building a UK product regulation equivalence route for the approvals of medical devices to include other trusted jurisdictions such as the US for a greater proportion of products.”
As the group notes, the UK Medicines and Healthcare products Regulatory Agency (MHRA) has already announced plans to expand recognition for medicines and create a new recognition framework by the end of the year. The group is advising the government to “aim to align changes to the Medical Devices Legislation to the Medicines legislative timeline if possible.”
FDA recognizes that it will take time for device manufacturers, device distributors, healthcare facilities, healthcare providers, patients, consumers, and FDA to adjust from policies adopted and operations implemented during the COVID-19 public health emergency (PHE) to “normal operations.” To provide a clear policy for all stakeholders and FDA staff, the Agency is issuing this guidance to describe FDA’s general recommendations for a phased transition process with respect to devices that fall within certain enforcement policies issued during the COVID-19 PHE declared by the Secretary of Health and Human Services (the Secretary) under the Public Health Service Act (PHS Act), including recommendations regarding submitting a marketing submission, as applicable, and taking other actions with respect to these devices. This guidance applies to devices that fall within enforcement policies in guidances included in List 1 of this guidance. The phased transition process outlined in this guidance will begin on the “implementation date” which is the day the PHE expires or 45 days after the finalization of this guidance, whichever comes later.
FDA plans to hold at least one public meeting and release several guidances on digital health technologies (DHT) to be used in drug clinical trials by the end of the year. One chronic frustration for the medical products development industry is seemingly inconsistent digital device policies between FDA centers. FDA tends to require device quality systems on DHTs used in clinical trials when it isn’t warranted. A wide range of such technologies are used in trials, from administrative study support software to remote patient care and monitoring products. While DHTs are safe in the context of clinical studies and meet good clinical practice requirements, many of them would not comply with the agency’s regulatory requirements, such as those for design controls. Right now, it’s unclear how FDA plans to apply design controls to products that may be used in clinical trials. FDA has already put out a couple of draft guidances related to DHTs including a December 2021 guidance on using DHTs to remotely gather data from clinical trials and an updated March 2023 guidance on use of electronic systems, records, and signatures in clinical trials. The agency says it plans to publish two more draft guidances by the end of the year including one on decentralized clinical trials and another on prescription drug use-related software.
The bipartisan bill introduced in the House would require the Centers for Medicare and Medicaid Services (CMS) to cover any medical devices that are FDA-approved through the breakthrough device pathway. Of specific interest to innovators in digital health, the bill specifies that coverage will include devices that don’t have a specific benefit category. Coverage would be temporary, lasting for four years while CMS evaluates the device for a permanent coverage determination. The new bill is called the “Ensuring Patient Access to Critical Breakthrough Products Act” and is viewed as an updated version of the MCIT rule that was reversed in 2021.
(MedTech Dive 3/27/23)
A company called Applied VR announced the addition of a new HCPCS Level II code (E1905), which will be used to bill its immersive virtual reality product. The code, with the description “Virtual reality cognitive behavioral therapy device (cbt), including pre-programmed therapy software,” has been designated as part of the Durable Medical Equipment benefit category. CMS stated, “The medical software and the device on which it is housed are so integral to each other that we consider them to be one whole device, not software and a separate device.”
(PR NewsWire 3/21/23)
The Medicare Administrative Contractors (MACs) met in February to discuss the need to publish a local coverage determination for remote physiological and remote therapeutic monitoring. A 30-day public comment period included discussion of the benefits of remote monitoring and the use of third-party vendor monitoring services. This increased scrutiny is to be expected, given how rapidly use of remote monitoring has grown since the introduction of these reimbursement codes.
(JD Supra 3/22/23)
One-third of physicians surveyed by the American Medical Association (AMA) blamed prior authorization for barriers to care that resulted in serious adverse events for patients. 86% of those surveyed believed that prior authorization led to higher overall utilization of healthcare, not to a reduction of costs. AMA president Jack Resneck Jr. called the authorization control system “byzantine” and “rife for opportunities for reform.” Prior authorization was adopted by insurers to reduce the use of unneeded and expensive procedures and medical devices, but the administrative burden caused by these requirements weighs heavily on healthcare providers in addition to causing delays in patient care.
(MedPage Today 3/13/23)
The Simbex Regulatory and Reimbursement Recap is a monthly briefing for news in the regulatory and healthcare reimbursement space relevant to Simbex areas of expertise. The briefing is curated by Amaris Ajamil, PhD, RAC, Simbex Director, Quality and Regulatory, and Angela Smalley, PhD, Simbex Senior Product Consultant. A story’s inclusion does not imply endorsement by Simbex.