Welcome to the second installment of Arnold & Porter’s
Virtual and Digital Health Digest. This edition primarily covers
November highlights across the virtual and digital health space.
This digest focuses on key virtual and digital health and
telehealth-related developments in the United States, United Kingdom
and European Union in the healthcare, regulatory, privacy, and
corporate transactions space.
US News
FDA REGULATORY UPDATE
FDA Updates Medical Device Cybersecurity
Playbook for Healthcare Organizations. On November 15,
2022, FDA, in collaboration with MITRE, released an update to the
Medical Device Cybersecurity Regional Incident Preparedness and
Response Playbook (Cybersecurity Playbook). First published in
2018, the Cybersecurity Playbook outlines a stakeholder-derived,
open source and customizable framework for healthcare delivery
organizations (HDOs) and other stakeholders to prepare for and
respond to medical device cybersecurity incidents, namely attempted
or successful unauthorized access, use, disclosure, modification,
or destruction of information or interference with systems
operations in medical devices. FDA asked MITRE to update the
Cybersecurity Playbook due to the recent growth in ransomware
attacks, the increasing connectivity of medical devices and
emerging healthcare technologies. The healthcare and public health
sector has continued to experience growing numbers of cyber
incidents, with 82 percent of healthcare systems reporting a cyber
incident from mid-2020 through 2021 (34 percent of which
involved ransomware). As updated, the Cybersecurity Playbook
includes more explicit alignment with the Hospital Incident Command
System for managing complex incidents, considerations for the
widespread impacts and extended downtimes that are common during
cyber incidents, and an appendix of resources.
The high-level structure of the recommendations in the
Cybersecurity Playbook follows the incident response lifecycle from
the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-61r2, Computer Security Incident Handling
Guide. This lifecycle has four phases: (1) preparation phase; (2)
detection and analysis phase; (3) containment, eradication and
recovery; and (4) post-incident activity. Preparation phase
recommendations include ones relating to medical device
procurement, medical device asset inventory, hazard vulnerability
analysis, medical device cybersecurity support to the hospital
incident management team, incident response communication plan, and
user awareness training and cybersecurity exercises. Detection and
analysis phase recommendations include ones relating to incident
detection and validation, incident categorization and
prioritization, incident reporting, incident analysis, and incident
documentation. Under containment, eradication and recovery, the
Cybersecurity Playbook discusses considerations for selecting the
appropriate containment strategy and recommends that HDOs plan for
a potentially lengthy recovery period of weeks or even months
because resolving incidents is not always straightforward. During
the post-incident phase, the Cybersecurity Playbook suggests
examining what went well and what did not with regard to the
HDO’s response to the incident and using that information to
improve the response plan for future incidents.
In conjunction with the updated Cybersecurity Playbook, FDA and
MITRE also released a Quick Start Companion Guide (Quick Start
Guide). The Quick Start Guide is a shorter version of the
playbook that discusses preparedness and response activities
healthcare organizations might want to start with as they are
developing their medical device incident response program. The
Quick Start Guide consists of tables that distill the high-level
tasks presented in the corresponding section of the Cybersecurity
Playbook.
FTC, FDA, Other Agencies Create Mobile
Health App Interactive Tool. On December 7, 2022, the
FTC released a mobile health app interactive tool (Mobile Health
App Navigator) to help app developers navigate the various US
federal laws and regulations that may apply to such apps.
Representing a cross-agency effort, the Mobile Health App Navigator
was produced in cooperation with the US Department of Health and
Human Services (HHS), the FDA, the Office of the National
Coordinator for Health Information Technology (ONC), and the Office
for Civil Rights (OCR) within HHS. The Mobile Health App Navigator
is intended “for anyone developing a mobile app that will
access, collect, share, use, or maintain information related to an
individual consumer’s health, such as information related to
diagnosis, treatment, fitness, wellness, or addiction.”
However, the FTC cautions that the Mobile Health App Navigator is
provided for informational purposes only and use of the tool
“can[not] guarantee compliance with applicable federal
requirements.” Instead, the Mobile Health App Navigator is
meant to provide app developers with a snapshot of potential
compliance obligations and point them to educational materials and
best practices for delivering safe, accurate services while
safeguarding the privacy and security of consumer information.
The interactive tool provides an overview of various federal
laws and regulations that may apply to a mobile health app, such as
the following:
- Health Insurance Portability and Accountability Act (HIPAA) Rules
- Federal Food, Drug and Cosmetic Act (FDCA) and FDA Regulations
- 21st Century Cures Act and ONC Information Blocking Regulations
- FTC Act (e.g., Sections 5 and 12)
- FTC’s Health Breach Notification Rule
- Children’s Online Privacy Protection Act
The Mobile Health App Navigator uses a series of questions to
help guide app developers through an analysis of whether all or
certain of the above laws and regulations could apply to a proposed
mobile health app. Examples of questions covered in the interactive
tool include ones about the app’s functionality, whether the
app is intended for use by consumers, the type of information the
app collects, shares or uses, whether the app is being offered by
or on behalf of a HIPAA-covered entity, whether the app connects
with wearables or other devices, whether the app accesses
information in or sends information to personal health records or
provides services to an entity that maintains health records for
consumers, and whether the app is intended for children or uses
child-oriented activities or design.
Questions relating specifically to whether a proposed app is
potentially regulated as a medical device by the FDA are covered in
questions 7-10 of the Mobile Health App Navigator. These include
questions intended to assess whether an app is intended to
diagnose, prevent or treat a disease or condition, whether the app
could potentially fall under one of the 21st Century Cures Act
statutory exemptions from the device definition for certain low
risk software functions, or whether the app, even if not
statutorily exempt, could potentially be subject to enforcement
discretion under FDA policies for certain low risk device software
functions. For an overview on the latest FDA digital health
guidances, including the agency’s recently issued final
guidance on clinical decision support tools, please refer to the November 2022 issue of Arnold &
Porter’s Virtual and Digital Health Digest.
FDA Releases List of Augmented Reality and
Virtual Reality Medical Devices. On December 7, 2022,
FDA released a list of medical devices authorized for marketing
that incorporate augmented reality (AR) and virtual reality (VR).
This move follows FDA previously releasing a list of artificial
intelligence (AI)/machine learning (ML)-enabled devices authorized
for marketing by the agency and signals continued FDA efforts for
greater transparency about advancements in the digital health
space. Additional information about FDA’s list of AI/ML-enabled
devices can be found in the November 2022 issue of Arnold &
Porter’s Virtual and Digital Health Digest.
In conjunction with release of the AR/VR devices list, FDA
provided background information on AR/VR technologies. FDA defines
AR as “a real-world augmented experience with overlaying or
mixing simulated digital imagery with the real world as seen
through a camera or display, such as a smartphone or head-mounted
or heads-up display,” and defines VR as “a virtual world
immersive experience that may require a headset to completely
replace a user’s surrounding view with a simulated, immersive
and interactive virtual environment.” FDA highlights a few
examples of AR and VR applications already being used to treat
patients, including a VR system that is used to treat
post-traumatic stress disorder in army veterans and an AR system
that overlays medical images onto a patient during an operation to
help guide the surgeon’s techniques. FDA identifies a number of
treatment domains where AR and VR are used to treat patients,
including pediatric diagnostics and treatments, pain management,
neurological disorders, surgery planning, telemedicine, virtual
care, and ophthalmic diagnostics. While acknowledging potential
benefits of AR/VR devices, FDA also identifies potential risks,
such as cybersickness, head and neck strain, cybersecurity risks,
privacy risks, and distraction in the operating room.
FDA’s initial list of AR/VR devices authorized for marketing
contains 39 devices that the agency identified by searching
FDA’s publicly facing information. The vast majority of the
devices on the list appear to have been cleared for marketing
through FDA’s premarket notification (510(k)) process, while a
few appear to have been authorized through the de novo
classification process for novel devices. FDA explains that the
list is not intended to be exhaustive or comprehensive, but rather
that it is a list of devices that incorporate AR and VR based on
information provided in the summary descriptions of their marketing
authorization documents. FDA plans to update the AR/VR devices list
on a periodic basis.
FDA Publishes Digital Health Regulatory
Science Opportunities Spotlight. FDA’s Digital
Health Center of Excellence (DHCoE) recently issued a publication
entitled “Spotlight: Digital Health Regulatory Science
Opportunities” (Digital Health Spotlight). The Digital Health
Spotlight describes areas of research that stakeholders, both
internal and external to the FDA, identified as important and is
intended to advance digital health regulatory science by
encouraging discussions and stakeholder collaborations throughout
the healthcare ecosystem and beyond. The Digital Health Spotlight
identifies three main categories of research: Advancing Patient
Engagement, Leveraging Connectivity and Improving Healthcare
Through Software. Under Advancing Patient Engagement, the Digital
Health Spotlight highlights patient-generated health data (PGHD)
and the development of medical extended reality devices as
important areas of research. PGHD, including biometric data,
symptoms and patient-reported outcomes, can be used in patient
monitoring, diagnosis and prognosis, shared decision-making, and
assessment of patient safety. FDA notes PGHD can be used not
only to improve the quality of clinical care, but also to evaluate
innovative medical products and treatment paradigms, especially
decentralized clinical investigations. The Digital Health Spotlight
identifies several PGHD-related research areas, such as maintenance
and management of large volumes of PGHD, standardization of PGHD
from different sources, performance specifications for use when
considering interchangeability of wearables (e.g., “bring your
own wearable” approaches to clinical investigations), and
reliable metrics to compare standard disease outcomes as measured
by digital health technologies.
Under Leveraging Connectivity, the Digital Health Spotlight
focuses on cybersecurity, wireless connectivity and
interoperability as important areas of research. FDA explains that
it is actively engaged in both internal and external efforts to
help mature cybersecurity, interoperability and wireless
connectivity efforts. A few examples of cybersecurity-related
research areas discussed in the Spotlight include cybersecurity
considerations for cloud domains, cybersecurity considerations for
AI and ML technologies, and cybersecurity standards development.
And under Improving Healthcare Through Software, the Digital Health
Spotlight emphasizes the importance of research involving advanced
manufacturing technologies, AI and ML, and digital imaging.
Examples of AI/ML-related research areas include transparency of
AI/ML-enabled devices, AI/ML algorithm training for clinical
datasets, robustness and resilience of algorithms to withstand
changes in patients, data and sources, and real-world performance
monitoring for AI/ML software.
In issuing the Digital Health Spotlight, FDA explained that the
spotlight on research areas is for informational purposes only, and
that it is not meant to indicate that the identified topics are
areas for regulation. Further, the Digital Health Spotlight is not
intended to propose or implement policy changes regarding
regulation of any of the digital health topic areas described
within.
FDA Report Highlights Potential Use of
Modeling & Simulation in Digital Health Product
Reviews. In November 2022, FDA released a report
entitled “Successes and Opportunities in Modeling &
Simulation for FDA.” The report explores how modeling and
simulation (M&S) tools are used throughout FDA and presents a
selection of M&S case studies from across FDA centers. M&S
tools are used, for example, for premarket product review,
postmarket product assessment, policy development, and policy
implementation. The report also identifies opportunities for FDA to
better harness M&S in upcoming years by embracing computational
advances and new (and big) data streams to develop improved public
health solutions. As relates specifically to digital health, one of
the M&S opportunities highlighted in the report is to provide
evidence supporting safety or effectiveness of medical imaging
devices and computer-aided diagnostic software. Specifically, the
report points to leveraging radiation transport simulations to generate evidence
that can assist in the regulatory process for medical imaging
devices and computer-aided diagnostic software. Noting that
industry already invests heavily in developing tools that can
simulate radiological devices for internal R&D, the report
states that there is an opportunity to use these tools in the
regulatory process, especially for submissions which do not
normally require clinical data (e.g., some 510(k) devices). Another
opportunity discussed in the report is establishment of Good
Simulation Practice to foster harmonization across the FDA, and
where appropriate, with international regulatory bodies. The report
explains that it is critical to develop a common set of
expectations or guidelines for model verification, validation,
credibility assessment and maintenance between industry and
regulators, as well as between regulatory scientists/modelers and
reviewers within the FDA, and states that further publication and/or
usage of relevant guidance documents will promote better alignment
on best practices and expectations between stakeholders (e.g.,
International Council on Harmonization items Q13 and M7, and the
International Medical Device Regulators Forum on Software as a
Medical Device).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.