BY K. Richard Douglas
The FDA regulates more than 190,000 medical devices manufactured by more than 18,000 companies. Those devices can be found in more than 21,000 health care facilities around the world. Every business day, on average, the FDA approves marketing authorization to 12 new or modified devices.
The process of reviewing and approving new medical devices is crucial to global health care. As new technological advances are discovered and developed into cutting-edge medical devices, they must be brought to market quickly and efficiently, maintaining a high safety profile and hardened against cyberattacks.
In early spring 2022, the FDA submitted its $8.4 billion budget request to Congress for fiscal year 2023. All government agencies rely on the Congress to allocate and approve funding for those agencies to continue operations.
The agency specifically mentioned an effort to “advance medical product safety” as part of the justification for the $356 million that exceeds the fiscal year 2022 budget.
The FDA has fees to review submissions. These fees are negotiated between the medical technology industry and the FDA. Once negotiated, Congress must pass into law, and the president must sign, an agreement that lasts five years.
While the FDA commits to certain metrics in the submission and approval process, the increasing standards come with a price – higher fees.
In its MDUFA performance goals and procedures, beginning in 2023, the FDA has stated: “Total Time to Decision for premarket approval applications (PMAs) and premarket notification (510(k)) submissions, provided that the total funding of the device review program adheres to the assumptions underlying this agreement.”
Also, in its Fiscal Year 2023 Budget Summary Fact Sheet, the FDA states in part: “The budget also proposes new authorities which would require medical device manufacturers to address cybersecurity issues.”
The agency needs to maintain a set of regulatory standards to maintain the safety of medical devices and support a process that is familiar to the manufacturers of medical devices.
The FDA needs funding in order to review and approve medical devices and drugs. In the Office of Device Evaluations, there are a substantial number of employees required to take on this task. This funding comes by way of the fees charged.
The fifth Medical Device User Fee Amendments (MDUFA) recently passed on September 30, 2022. This made it MDUFA V. The series of agreements date back to 2002.
Some of the metrics that were made a part of MDUFA V require the FDA to add staff to meet the demands of both greater levels of submissions as well as the challenges of reviewing devices for cybersecurity.
Surprisingly, the approval by Congress was “clean” without riders or rider bills; a rarity in Washington. It was also a bi-partisan effort.
Industry trade groups were pleased with the FDAs commitment to bring new devices to market in a more expedited manner and further prioritizing patient safety.
“MITA looks forward to working with the FDA to implement MDUFA V, including the Agency’s targeted Total Product Lifecycle Advisor Program (TAP) pilot project designed to facilitate early interaction between FDA and industry on novel innovative products,” says Peter Weems, director of Policy and Strategy at the Medical Imaging & Technology Alliance (MITA).
He says that “with increased User Fee funds, new performance goals and heightened oversight, we believe the agreement encourages the timely authorization and delivery of safe and effective medical innovations that improve patient care, especially as the Agency continues to confront the effects of the pandemic.”
“As signed into law, the final agreement excluded certain policies that have been at the center of longstanding discussions between industry, FDA and Congress. MITA looks forward to working with Congress and the Agency to continue to advance policies that enhance patient safety, including policies that clarify the regulation of remanufacturing activities and promote shared cybersecurity responsibility among all health care stakeholders,” Weems says.
The FDA’s Center for Devices and Radiological Health (CDRH) launched the TAP pilot effective January 1, 2023. The program was one of the agreements made between medical device sponsors and the agency. For the initial soft launch, FDA intends to enroll up to 15 devices in the Office of Health Technology 2 (OHT2): Office of Cardiovascular Devices, according to the FDA.
The goals of the program include a more fluid and involved process for both manufacturers and the agency, identifying risks early in the process and improving the efficiency of the premarket review process.
Changes and Commitments
Every five years, the FDA has a new set of requirements in order to receive the funding needed to accomplish its mission. In the passage of MDUFA V, not only does the agency need to add staff, but it also has committed to speed up the 510 (k) and premarket process.
The faster turn-around time will help device manufacturers, although some fees will jump substantially. The hope that there would be language as a part of MDUFA V to hold device manufacturers’ feet to the fire as it relates to cybersecurity fell short. While the FDA remains committed to a focus on cybersecurity, there is other legislation pending that also addresses this critical component.
The submission fees usually go up under MDUFA V. Prices are adjusted for inflation and with inflation at historic highs, it was a certainty that there would be a more substantial increase. The increase was 55.90 percent. De Novo Classification Requests increased by 17.79 percent.
The standard fee for 510(k) submissions for fiscal year 2023 is $19,870. If the firm applying has small-business status, the small business fee is $4,967. The De Novo classification standard request fee is $132,464. The small business De Novo fee is $33,116. All establishments pay the annual establishment registration fee of $6,493. The FDA requires cybersecurity documentation for medical devices.
“MDUFA V represents a substantial investment in the future of the agency’s medical device program and would provide for important improvements, including new hiring targets, greater engagement with developers of innovative technologies based on lessons learned from the pandemic, broadened international harmonization efforts and expanded opportunities to ensure patient perspectives are an integral part of medical device development,” says an FDA spokesperson.
Another industry trade group with an interest in MDUFA V expressed its support for passage of funding.
“The law preserves everything that works well in the current system, adding support of specific needs to fulfill the critical mission of device review, and reflects lessons learned about shifting workloads and priorities in device development and review during a global pandemic,” said Scott Whitaker, the president and CEO of the Advanced Medical Technology Association (AdvaMed) in an op-ed article.
Whitaker went on to say, “Industry user fees will help fund more FDA employees to evaluate new medical devices for patient use, with first-ever additional funding if the agency meets clearly defined process targets. Adding to the FDA’s workforce will help the agency manage a constantly increasing device review workload, as innovations soar from the smallest start-ups to the largest companies.”
Strengthening Cybersecurity in New Devices
When a health care user purchases a piece of medical equipment, it often arrives with “off-the-shelf” vulnerabilities. The device isn’t always hardened against cyberthreats by the medical device manufacturers. Not only does this pose a real danger to patients, but there is no recourse for holding the device maker responsible.
Rep. Michael Burgess (M.D.) (R-TX-26) is the sponsor of H.R.7084, known as the “Protecting and Transforming Cyber Health Care” (PATCH) Act of 2022. According to Congress’ bill-tracking website: “This bill requires premarket applications for cyber devices (i.e., medical devices that include software or connect to the Internet) to include information relating to cybersecurity, including plans to monitor for cybersecurity risks and address vulnerabilities through regular product updates.”
The bill was introduced in the House in March of 2022. Its purpose is to ensure cybersecurity throughout the life cycle of a device. The Act compels the manufacturer to take several specific steps to monitor postmarket vulnerabilities and exploits.
Although the bill has remained in the House Energy and Commerce Subcommittee on Health since March, it lays out requirements that address cybersecurity by going on to state:
“Any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness, including at a minimum the cybersecurity requirements under subsection (b). The Secretary may establish exemptions to the requirements under this subsection.”
The improvement that the PATCH Act would create is that it would put teeth in the requirement that manufacturers meet certain base requirements and that there are penalties for not complying. Under current rules, the requirement for certain cybersecurity measures is implied, but are often viewed as simply “guidance” and not necessity.
“Even if there is not a ‘patch’ or ‘update’ yet available for a known vulnerability or critical update – medical device manufacturers are not required to alert providers in a timely manner, which is essential to patient safety, as well as building and maintaining a strong, robust medical device safety net. The FDA is seeking greater authority to regulate medical devices from Congress – which the PATCH Act would do – and is something CHIME strongly supports,” says Mari Savickis, vice president of public policy at the College of Healthcare Information Management Executives (CHIME).
She says that even if there is not a “patch” or “update” yet available for a known vulnerability or critical update – medical device manufacturers are not required to alert providers in a timely manner, which is essential to patient safety, as well as building and maintaining a strong, robust medical device safety net. The FDA is seeking greater authority to regulate medical devices from Congress – which the PATCH Act would do – and is something CHIME strongly supports.
FDA specifically requested additional authority from Congress in the budget submission for FY23 which mimics some of what is in the PATCH Act, according to Savickis.
The agency is onboard with fortifying the ability of new medical devices, brought to market, to be resistant to cyberattack.
“FDA is requesting additional funding from Congress to develop a more comprehensive cybersecurity program for medical devices which will help to identify and mitigate vulnerabilities that could compromise medical devices. This may be accomplished by developing policies, engaging with stakeholders to inform FDA policies across the total product life cycle of the device, and monitoring for emerging technologies,” says an FDA spokesperson.
The agency’s spokesperson also said that “even without additional funding, FDA remains committed to addressing potential cybersecurity risks. For example, to aid industry, FDA continues to: 1) train reviewers across the Offices of Health Technology on cybersecurity to improve review consistency and 2) move quickly to finalize the medical device cybersecurity premarket guidance (FY23 A-list) so it can be implemented across all premarket review staff. For its health care organization stakeholders, FDA is providing educational resources so they can learn more about medical device cybersecurity and how to prepare for and respond to medical device cybersecurity incidents (including ransomware).”
Congress Trying to Define Remanufacturing
A related bill that will be watched by many in the ISO and biomed communities is the “Clarifying Remanufacturing to Protect Patient Safety Act of 2022.”
According to the House of Representative’s website, the summary of H.R. 7253, which was introduced in the House on March 28, 2022, is:
“This bill specifies that entities that remanufacture medical devices in a manner that could change the performance or safety specifications or the intended use of the device must register with the Food and Drug Administration as producers of medical devices and comply with related requirements.”
Different groups within the medical device community take different positions on the bill. The Medical Imaging & Technology Alliance (MITA) strongly supports it. The Alliance for Quality Medical Device Servicing opposes the bill.
The bill was referred to the House Energy and Commerce Subcommittee on Health where it has sat since March 2022. For now, further legislation that impacts medical devices from the planning stage through the maintenance and repair stages will return to center stage.
The head of the FDAs Center for Devices and Radiological Health (CDRH), Jeff Shuren, has stated that 2023 will be a “big transition year” post-pandemic, allowing the agency to return to more normal conditions.
This will be a time period for the pace of the most sophisticated medical devices to come to market in the most expeditious and efficient manner.
