Welcome to the second installment of Arnold & Porter's Virtual and Digital Health Digest. This edition primarily covers November highlights across the virtual and digital health space. This digest focuses on key virtual and digital health and telehealth-related developments in the United States, United Kingdom and European Union in the healthcare, regulatory, privacy, and corporate transactions space.

US News

FDA REGULATORY UPDATE

FDA Updates Medical Device Cybersecurity Playbook for Healthcare Organizations. On November 15, 2022, FDA, in collaboration with MITRE, released an update to the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (Cybersecurity Playbook). First published in 2018, the Cybersecurity Playbook outlines a stakeholder-derived, open source and customizable framework for healthcare delivery organizations (HDOs) and other stakeholders to prepare for and respond to medical device cybersecurity incidents, namely attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in medical devices. FDA asked MITRE to update the Cybersecurity Playbook due to the recent growth in ransomware attacks, the increasing connectivity of medical devices and emerging healthcare technologies. The healthcare and public health sector has continued to experience growing numbers of cyber incidents, with 82 percent of healthcare systems reporting a cyber incident from mid-2020 through 2021 (34 percent of which involved ransomware). As updated, the Cybersecurity Playbook includes more explicit alignment with the Hospital Incident Command System for managing complex incidents, considerations for the widespread impacts and extended downtimes that are common during cyber incidents, and an appendix of resources.

The high-level structure of the recommendations in the Cybersecurity Playbook follows the incident response lifecycle from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61r2, Computer Security Incident Handling Guide. This lifecycle has four phases: (1) preparation phase; (2) detection and analysis phase; (3) containment, eradication and recovery; and (4) post-incident activity. Preparation phase recommendations include ones relating to medical device procurement, medical device asset inventory, hazard vulnerability analysis, medical device cybersecurity support to the hospital incident management team, incident response communication plan, and user awareness training and cybersecurity exercises. Detection and analysis phase recommendations include ones relating to incident detection and validation, incident categorization and prioritization, incident reporting, incident analysis, and incident documentation. Under containment, eradication and recovery, the Cybersecurity Playbook discusses considerations for selecting the appropriate containment strategy and recommends that HDOs plan for a potentially lengthy recovery period of weeks or even months because resolving incidents is not always straightforward. During the post-incident phase, the Cybersecurity Playbook suggests examining what went well and what did not with regard to the HDO's response to the incident and using that information to improve the response plan for future incidents.

In conjunction with the updated Cybersecurity Playbook, FDA and MITRE also released a Quick Start Companion Guide (Quick Start Guide). The Quick Start Guide is a shorter version of the playbook that discusses preparedness and response activities healthcare organizations might want to start with as they are developing their medical device incident response program. The Quick Start Guide consists of tables that distill the high-level tasks presented in the corresponding section of the Cybersecurity Playbook.

FTC, FDA, Other Agencies Create Mobile Health App Interactive Tool. On December 7, 2022, the FTC released a mobile health app interactive tool (Mobile Health App Navigator) to help app developers navigate the various US federal laws and regulations that may apply to such apps. Representing a cross-agency effort, the Mobile Health App Navigator was produced in cooperation with the US Department of Health and Human Services (HHS), the FDA, the Office of the National Coordinator for Health Information Technology (ONC), and the Office for Civil Rights (OCR) within HHS. The Mobile Health App Navigator is intended "for anyone developing a mobile app that will access, collect, share, use, or maintain information related to an individual consumer's health, such as information related to diagnosis, treatment, fitness, wellness, or addiction." However, the FTC cautions that the Mobile Health App Navigator is provided for informational purposes only and use of the tool "can[not] guarantee compliance with applicable federal requirements." Instead, the Mobile Health App Navigator is meant to provide app developers with a snapshot of potential compliance obligations and point them to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.

The interactive tool provides an overview of various federal laws and regulations that may apply to a mobile health app, such as the following:

  • Health Insurance Portability and Accountability Act (HIPAA) Rules
  • Federal Food, Drug and Cosmetic Act (FDCA) and FDA Regulations
  • 21st Century Cures Act and ONC Information Blocking Regulations
  • FTC Act (e.g., Sections 5 and 12)
  • FTC's Health Breach Notification Rule
  • Children's Online Privacy Protection Act

The Mobile Health App Navigator uses a series of questions to help guide app developers through an analysis of whether all or certain of the above laws and regulations could apply to a proposed mobile health app. Examples of questions covered in the interactive tool include ones about the app's functionality, whether the app is intended for use by consumers, the type of information the app collects, shares or uses, whether the app is being offered by or on behalf of a HIPAA-covered entity, whether the app connects with wearables or other devices, whether the app accesses information in or sends information to personal health records or provides services to an entity that maintains health records for consumers, and whether the app is intended for children or uses child-oriented activities or design.

Questions relating specifically to whether a proposed app is potentially regulated as a medical device by the FDA are covered in questions 7-10 of the Mobile Health App Navigator. These include questions intended to assess whether an app is intended to diagnose, prevent or treat a disease or condition, whether the app could potentially fall under one of the 21st Century Cures Act statutory exemptions from the device definition for certain low risk software functions, or whether the app, even if not statutorily exempt, could potentially be subject to enforcement discretion under FDA policies for certain low risk device software functions. For an overview on the latest FDA digital health guidances, including the agency's recently issued final guidance on clinical decision support tools, please refer to the November 2022 issue of Arnold & Porter's Virtual and Digital Health Digest.

FDA Releases List of Augmented Reality and Virtual Reality Medical Devices. On December 7, 2022, FDA released a list of medical devices authorized for marketing that incorporate augmented reality (AR) and virtual reality (VR). This move follows FDA previously releasing a list of artificial intelligence (AI)/machine learning (ML)-enabled devices authorized for marketing by the agency and signals continued FDA efforts for greater transparency about advancements in the digital health space. Additional information about FDA's list of AI/ML-enabled devices can be found in the November 2022 issue of Arnold & Porter's Virtual and Digital Health Digest.

In conjunction with release of the AR/VR devices list, FDA provided background information on AR/VR technologies. FDA defines AR as "a real-world augmented experience with overlaying or mixing simulated digital imagery with the real world as seen through a camera or display, such as a smartphone or head-mounted or heads-up display," and defines VR as "a virtual world immersive experience that may require a headset to completely replace a user's surrounding view with a simulated, immersive and interactive virtual environment." FDA highlights a few examples of AR and VR applications already being used to treat patients, including a VR system that is used to treat post-traumatic stress disorder in army veterans and an AR system that overlays medical images onto a patient during an operation to help guide the surgeon's techniques. FDA identifies a number of treatment domains where AR and VR are used to treat patients, including pediatric diagnostics and treatments, pain management, neurological disorders, surgery planning, telemedicine, virtual care, and ophthalmic diagnostics. While acknowledging potential benefits of AR/VR devices, FDA also identifies potential risks, such as cybersickness, head and neck strain, cybersecurity risks, privacy risks, and distraction in the operating room.

FDA's initial list of AR/VR devices authorized for marketing contains 39 devices that the agency identified by searching FDA's publicly facing information. The vast majority of the devices on the list appears to have been cleared for marketing through FDA's premarket notification (510(k)) process, while a few appear to have been authorized through the de novo classification process for novel devices. FDA explains that the list is not intended to be exhaustive or comprehensive, but rather that it is a list of devices that incorporate AR and VR based on information provided in the summary descriptions of their marketing authorization documents. FDA plans to update the AR/VR devices list on a periodic basis.

FDA Publishes Digital Health Regulatory Science Opportunities Spotlight. FDA's Digital Health Center of Excellence (DHCoE) recently issued a publication entitled "Spotlight: Digital Health Regulatory Science Opportunities" (Digital Health Spotlight). The Digital Health Spotlight describes areas of research that stakeholders, both internal and external to the FDA, identified as important and is intended to advance digital health regulatory science by encouraging discussions and stakeholder collaborations throughout the healthcare ecosystem and beyond. The Digital Health Spotlight identifies three main categories of research: Advancing Patient Engagement, Leveraging Connectivity and Improving Healthcare Through Software. Under Advancing Patient Engagement, the Digital Health Spotlight highlights patient-generated health data (PGHD) and the development of medical extended reality devices as important areas of research. PGHD, including biometric data, symptoms and patient-reported outcomes, can be used in patient monitoring, diagnosis and prognosis, shared decision-making, and assessment of patient safety. FDA notes PGHD data can be used not only to improve the quality of clinical care, but also to evaluate innovative medical products and treatment paradigms, especially decentralized clinical investigations. The Digital Health Spotlight identifies several PGHD-related research areas, such as maintenance and management of large volumes of PGHD, standardization of PGHD from different sources, performance specifications for use when considering interchangeability of wearables (e.g., "bring your own wearable" approaches to clinical investigations), and reliable metrics to compare standard disease outcomes as measured by digital health technologies.

Under Leveraging Connectivity, the Digital Health Spotlight focuses on cybersecurity, wireless connectivity and interoperability as important areas of research. FDA explains that it is actively engaged in both internal and external efforts to help mature cybersecurity, interoperability and wireless connectivity efforts. A few examples of cybersecurity-related research areas discussed in the Spotlight include cybersecurity considerations for cloud domains, cybersecurity considerations for AI and ML technologies, and cybersecurity standards development. And under Improving Healthcare Through Software, the Digital Health Spotlight emphasizes the importance of research involving advanced manufacturing technologies, AI and ML, and digital imaging. Examples of AI/ML-related research areas include transparency of AI/ML-enabled devices, AI/ML algorithm training for clinical datasets, robustness and resilience of algorithms to withstand changes in patients, data and sources, and real-world performance monitoring for AI/ML software.

In issuing the Digital Health Spotlight, FDA explained that the spotlight on research areas is for informational purposes only, and that it is not meant to indicate that the identified topics are areas for regulation. Further, the Digital Health Spotlight is not intended to propose or implement policy changes regarding regulation of any of the digital health topic areas described within.

FDA Report Highlights Potential Use of Modeling & Simulation in Digital Health Product Reviews. In November 2022, FDA released a report entitled "Successes and Opportunities in Modeling & Simulation for FDA." The report explores how modeling and simulation (M&S) tools are used throughout FDA and presents a selection of M&S case studies from across FDA centers. M&S tools are used, for example, for premarket product review, postmarket product assessment, policy development, and policy implementation. The report also identifies opportunities for FDA to better harness M&S in upcoming years by embracing computational advances and new (and big) data streams to develop improved public health solutions. As relates specifically to digital health, one of the M&S opportunities highlighted in the report is to provide evidence supporting safety or effectiveness of medical imaging devices and computer-aided diagnostic software, specifically by leveraging radiation transport simulations to generate evidence that can assist in the regulatory process for these products. Noting that industry already invests heavily in developing tools that can simulate radiological devices for internal R&D, the report states that there is an opportunity to use these tools in the regulatory process, especially for submissions which do not normally require clinical data (e.g., some 510(k) devices). Another opportunity discussed in the report is establishment of Good Simulation Practice to foster harmonization across the FDA, and where appropriate, with international regulatory bodies. The report explains that it is critical to develop a common set of expectations or guidelines for model verification, validation, credibility assessment and maintenance between industry and regulators, as well as between regulatory scientists/modelers and reviewers within the FDA, and states further publication and/or usage of relevant guidance documents will promote better alignment on best practices and expectations between stakeholders (e.g., International Council on Harmonization items Q13 and M7, and the International Medical Device Regulators Forum on Software as a Medical Device).
