Nullum Gratuitum Grandium (There Is no Free Lunch)


Recently I had the privilege and pleasure of participating in the FDA’s webinar, “Remanufacturing of Medical Devices Draft Guidance and Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices Discussion Paper.”

The bottom line is that there are big problems, and the challenge is how to accurately identify where those problems come from. According to the FDA’s Center for Devices and Radiological Health (CDRH), a majority of the comments, complaints, and adverse event reports received by the FDA that referred to inadequate “servicing” causing or contributing to adverse events or deaths actually related to “remanufacturing.”

What’s the difference? That is a key question, and much of the FDA presentation was focused on clarifying definitions. It’s not as simple as “repair and replace.” The nuances are many and they are all important, ranging from reprocessing, servicing, reconditioning and rebuilding, to remanufacturing and repairing.

Importantly, the FDA made it clear from the outset that their current draft guidance (still open for public comment) is not intended to adopt significant policy changes, but to clarify the agency’s current thinking on applicable definitions and “clarify, not change” various regulatory requirements.

Translation – regulation of medical device remanufacturing and servicing is going to become more risk-based, robust and regular – and this will be particularly true when it comes to on-site inspections. This isn’t surprising since the best way to keep people honest is to keep them guessing as to when and where an inspection might happen.

The FDA also offered a strongly worded account of the urgency of medical device cybersecurity. Per CDRH, “Cybersecurity is a shared responsibility among all stakeholders.” As the agency made clear in a recent white paper, “… effective cybersecurity is a shared stakeholder responsibility and … device manufacturers should incorporate the concept of threats, vulnerabilities, and exploits into their risk management, design controls, maintenance, surveillance, and response processes. A manufacturer’s effective integration of cybersecurity controls into devices, such as through the inclusion of security controls for privileged access and improved data protection using encryption, may have important implications for the ability to perform effective servicing of a device.” The webinar message was loud and clear: The FDA expects OEMs and relevant third parties to appropriately secure the medical devices to assure the devices’ safety, effectiveness – and cybersecurity.

Cybersecurity becomes more important as a medical device ages, so prevention of cyber-risks is a key challenge (and opportunity) relative to product life cycle management. Importantly, the FDA stressed the need for privileged access – calling into question the role of potential third-party cyber-rehabilitation.

The important take-away from the FDA presentation is that there is going to be more FDA oversight and enforcement on medical device remediation, requiring more responsibility and accountability on the part of medical device owners, manufacturers, and non-OEM (Original Equipment Manufacturer) third parties who oversee, operate and address issues ranging from regular servicing, repairing, and remanufacturing to cybersecurity. When it comes to FDA-regulated medical devices, “Right to Repair” doesn’t mean “cheap and easy.” The FDA has made that very clear. Anyone who thinks otherwise isn’t paying attention – or doesn’t want to.

Nullum gratuitum grandium.

Peter J. Pitts, a former FDA Associate Commissioner, is President of the Center for Medicine in the Public Interest and a Visiting Professor at the University of Paris School of Medicine.
