On December 7, 2017, the US Food and Drug Administration (FDA) announced several digital health policy documents designed to “encourage innovation” and “bring efficiency and modernization” to the agency’s regulation of digital health products. The three documents include two draft and one final guidance which address, in part, the important changes made by Section 3060

In a recent article published in Intellectual Property & Technology Law Journal, and expanding on our previous post, we discuss the legal and regulatory implications of applying artificial intelligence (AI) to the EU and US healthcare and life sciences sectors.

AI software, particularly when it involves machine learning, is being increasingly used within

The U.S. Food and Drug Administration (FDA) issued a Warning Letter on April 12, 2017 requiring an explanation of how St. Jude Medical plans to correct and prevent cybersecurity concerns identified for St. Jude Medical’s Fortify, Unify, Assura (including Quadra) implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, and the Merlin@home monitor.

The Warning Letter

We previously described some of the ways in which life sciences companies are exploring the potential of IBM’s supercomputer, ‘Watson®’, to assist with product development and disease treatment.  Such uses raise important questions about how Watson and other software are treated under medical device regulations.  These questions are particularly important as tech companies

Published in Privacy & Cybersecurity Law Report’s April 2017 issue.

In the closing days of last year, the FDA issued its final guidance on postmarket medical device cybersecurity. This guidance is a corollary to the previously issued final guidance on premarket cybersecurity issues, and the pre and post market pieces should be read, and fit,

The 21st Century Cures Act (Cures Act) was signed into law on December 13, 2016, following a multi-year, bipartisan, and bicameral legislative effort to accelerate the pace of the discovery, development, and delivery of new treatments and cures. The Cures Act packages a wide range of medical innovation measures − including increased research and Food

The Food and Drug Administration (FDA) recently introduced a new webpage for reporting allegations of regulatory violations by medical device manufacturers or marketers. The new webpage, launched on October 21, 2016, enables any person—including current or former employees, competitors, or even plaintiffs’ attorneys—to submit a report to FDA regarding a broad variety of potential violations. 

Last month, the US Food and Drug Administration’s (FDA) Center for Device and Radiological Health (CDRH) issued a Draft Guidance for industry entitled Software as a Medical Device (SaMD): Clinical Evaluation (Draft Guidance).  The Draft Guidance was developed by the International Medical Device Regulators Forum (IMDRF), of which FDA is a member, and demonstrates FDA’s

In early August 2016, the US Food and Drug Administration’s (FDA or Agency) Center for Device and Radiological Health (CDRH) issued a Draft Guidance for industry entitled Deciding When to Submit a 510(k) for a Software Change to an Existing Device (Draft Guidance). When finalized, the guidance will assist industry and CDRH in determining when a software (including firmware) change to a 510(k)-cleared or a pre-amendments device subject to 510(k) (existing devices) may require a manufacturer to submit and obtain FDA clearance of a new premarket notification (510(k)).

Comments on the Draft Guidance are due to CDRH by November 7, 2016 (Docket No. FDA-2011-D-0453). In addition, CDRH held a webinar on August 25, 2016 to discuss the Draft Guidance.

FDA also announced a second draft guidance to industry on Deciding When to Submit a 510(k) for a Change to an Existing Device, which would supersede FDA’s 1997 guidance of the same name when finalized. This new draft guidance addresses non-software modifications.



On August 25, 2016, investment firm Muddy Waters Capital issued a report claiming that St. Jude Medical’s implantable cardiac devices are susceptible to cybersecurity attacks, allegedly putting more than 260,000 individuals in the U.S. at risk.  St. Jude strongly rejected the report and disputed the alleged security risks of its devices.

The report claims that MedSec Holdings Ltd., a cybersecurity firm, was able to demonstrate two types of cyberattacks on St. Jude’s implantable cardiac devices. The first type of attack — a “crash” attack — enables a hacker to remotely disable cardiac devices and, in some cases, cause the cardiac device to pace at a dangerous rate. The second type of attack — a battery drain attack — remotely runs cardiac device batteries down to 3% of capacity within a 24-hour period. However, the report concludes that patients’ personal health information appears to be safe, stating that patient data is encrypted.

The report argues that the cybersecurity risks of the devices are due to security deficiencies in accessories to the implantable devices, including devices located in physician offices that display data from the implanted devices, the network that manages and transmits data, and the at-home device, which communicates with the implanted device via radio frequency within a 50-foot range. Some of the alleged deficiencies require attackers to have access to device accessory hardware or to be within 50 feet of the target(s).

