The Food & Drug Administration has been deliberating over some obscure but important issues surrounding medical devices – specifically, whether certain maintenance and repair actions are "servicing" or "remanufacturing," which has important implications both for the safety of the devices and for regulatory requirements.
First, some definitions.
Medical devices range from ordinary tongue depressors to complex programmable pacemakers, closed-loop artificial pancreases, and in vitro diagnostics, such as blood glucose meters. Certain radiation-emitting electronic products that have a medical use or make medical claims are also considered medical devices; they include diagnostic ultrasound products, X-ray machines and medical lasers.
A remanufacturer of medical devices is anyone who "processes, conditions, renovates, repackages, restores, or does any other act to a finished device that significantly changes the finished device's performance or safety specifications, or intended use."
Servicing is "the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM)."
The FDA recently held a public meeting to discuss its ongoing efforts to develop guidance concerning the remanufacturing of medical devices, as well as to execute a plan to improve devices' cybersecurity.
This is an important first step for the agency, because it demonstrates that regulators intend to strengthen their oversight of the servicing of medical devices by third-party entities (that is, anyone other than the OEM) that are currently subject to virtually no oversight. Allowing these self-described servicers to continue operating in the regulatory equivalent of the Wild West poses a threat to the cybersecurity of networked devices in the health care space – from EKG monitors to MRI machines – and to the millions of patients around the country who rely on them annually.
There have been a number of important developments around this issue since I wrote about this last year that lend new urgency to why the FDA must get its act together.
First, new evidence shows the importance of device cybersecurity. Cyberattacks on hospitals have increased, with sometimes dire consequences. In Germany, a patient in need of critical care died after a ransomware attack caused her to be turned away from a hospital. In the United States, Universal Health Services, which operates about 400 facilities, was the victim of a cyberattack that resulted in an outage of medical information technology over several days. And last October, the Department of Health and Human Services (HHS), the Cybersecurity & Infrastructure Agency, and the FBI jointly warned of increased and imminent ransomware attacks on hospitals.
Although those threats have become a reality, none of the regulatory agencies is ensuring that health care providers maintain good digital hygiene. For example, a recent report from the HHS Office of the Inspector General reveals just how little oversight the Medicare program exercises over medical device cybersecurity. As the report says, the Center for Medicare & Medicaid Services' "survey protocol does not include requirements for networked device cybersecurity, and the AOs [accrediting organizations] do not use their discretion to require hospitals to have such cybersecurity plans."
So, if regulators aren't keeping tabs on whether providers are following proper protocols, is anyone? Shouldn't cybersecurity be a shared responsibility among government, health care organizations, and device manufacturers?
The device manufacturers are doing their part, as they are tightly regulated by the FDA and are required to make sure their products are as secure as possible – and they must continue to publish software updates as new threats emerge. But the most robust cyber-defenses in the world are useless in the face of negligence or missteps by the end-users (i.e., health care providers).
This brings me to the second development. The so-called "right-to-repair" movement has shifted from being primarily focused on consumer electronics to include more sophisticated medical technologies like MRI machines – as if there weren't a huge difference between the two – and continues to gain momentum. Numerous bills have been introduced in state legislatures this year that would force medical device manufacturers to turn over and make public their intellectual property in the form of service manuals, passwords, and training materials.
Putting aside the fact that coercing the transfer of intellectual property stifles innovation, and the fact that the medical device service market is highly competitive – the FDA estimates that there are 16,000 to 21,000 entities servicing equipment – allowing unregulated third-party device servicing companies unfettered access to service materials poses a serious cybersecurity risk.
Without following the FDA-mandated quality-management and reporting processes that servicers working for OEMs are held to, unregulated third-party servicers may unwittingly open a door into a hospital's network for a cyberattack. Worse yet, without committing to report medical device errors, cyberattacks mediated by third-party servicers might go undetected longer than if the FDA were surveilling for them. And although the third-party servicing industry may claim its technicians are held to similarly high standards and go through a rigorous training and certification process, there is no way to independently verify that, inasmuch as they don't register with the FDA.
There needs to be a balance between the right to control one's intellectual property and the right to freely provide services in the marketplace, but we must ensure that the devices doctors use have been serviced properly and safely and cannot easily be compromised by cybersecurity threats. Holding third-party device servicers to the same standards as those who work for original equipment manufacturers would be a good start.
Henry I. Miller, a physician and molecular biologist, was the founding director of the FDA's Office of Biotechnology. He is currently a member of the Federalist Society's Working Group on FDA and Healthcare.