December 8, 2016

FDA Takes GUDID Offline: Security breach? Or Proactive Measures?

Tamar June

Tamar June, VP, Strategic Marketing, AssurX, Inc.

FDA detected a “security vulnerability” earlier this month that spooked it enough to take the highly touted Global Unique Device Identification Database (GUDID) offline until it was able to affix, electronically, a suitable security patch. The announcement came via a guidance dated August 14.

fancyFDAlogoFDA hasn’t issued any other details about what happened or didn’t happen. Is FDA reacting to something bad or being proactive to avoid something bad? Unless and until the agency steps forward with more information, we’re left to hope and trust they’ve got this under control. Chances are, the agency identified a tiny glitch and went overboard on purpose to address it.

According to FDA’s Guidance Document:

“On August 7, 2015, due to a security vulnerability in GUDID, FDA decided to take the system offline until a patch is implemented. Due to the temporary unavailability of the GUDID system, we intend to exercise enforcement discretion to extend the September 24, 2015, GUDID submission compliance date for the implantable, life-supporting and life-sustaining medical devices to October 24, 2015. For extensions granted to class III labelers that expire between August 7 and September 24, 2015, we also intend to exercise enforcement discretion to extend the expiration date of these extensions to October 24, 2015.”

On a positive note, at least for the kind of medical device companies that do everything at the last minute, the agency acknowledges that taking the system offline might have derailed some attempts to interact with the GUDID and meet compliance deadlines. So, class III device makers whose compliance extension was September 24, 2015 will now have until October 24. That’s the same extension granted to class III labelers whose extensions expire between August 7 and Sept. 25, 2015.


US Drug Shortage Hits Patients, Pharmacies Hardest

Patrick Stone

Patrick Stone, President, TradeStoneQA

The corner drug store is not currently affected by many drug shortages; instead, the pain is being inflicted on a vulnerable group of patients in hospitals today. The FDA drug shortage list is “officially” under two hundred; however, the pharma warehouse industry pegs the list a bit higher: at approximately 250 drug products. This list includes drug container closure systems like sterile intravenous bags (IV). It is important to include the component shortages because these also impede mitigation strategies in place at many of the nation’s hospital systems. Hospital compound pharmacies can formulate these admixtures even in short supply — but not without the IV bag components. The drug shortage list has fallen by almost half in the past three years but there is no quick fix here for underlying challenges.

For now, compound pharmacies may have to drastically expand and improve current facilities to fill sterile admixture demands. New supply chains for many generic drugs and IV drugs will have to go online with documented patient safe compliant manufacturing systems.

The new drug inspectorate team investigators at FDA will not be casual with their inspection approach, neither will they be in a big rush to give a clean bill of health to the facilities under inspection. Quality by design inspection approaches over the quality systems model will globally standardize regulatory expectations.

PharmaceuticalsHospitals have adopted shortage mitigation plans that include stockpiling drugs on the shortage list and requesting manufacturers to extend the expiration dates through longer stability indicating studies. The current inspection focus will be on sterile compound pharmacies and overseas generic manufacturers. The current focus on compound pharmacies will turn up many sterile compliance gaps and limited sterile bench top space to meet these sterile drug shortage mitigation plans. Hospitals may consider storing stockpiled drugs together and otherwise better networking with each other so that close expiration dated stock is sent to hospitals with instant use demand.

Simply waiting passively for supply chain improvement will be a painful endeavor. FDA may have to consider fostering domestic growth mitigation supply chain strategies for the Pharma industry. The current focus will be for FDA to bulk up international offices in the generic drug manufacturing sector of the world for increased supply.

Drugs on the shortage list include antibiotics, pain relief (CNS), cancer (chemo), epinephrine, and IV drugs and total nutrition IV components (TPN). Click here for the official current drug shortage list.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.


Cybersecurity – A Real Threat to Medical Devices

Russ King, Managing Partner, Methodsense

Russ King, President, Methodsense

The FDA just issued a Safety Communication on cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.

Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers, potentially harming the patient. While it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling this product, cybersecurity is still a real concern. Now that more and more devices are connecting remotely to healthcare networks, it will be critical for manufacturers to implement appropriate safeguards.

Cyber SecurityIn June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

As medical devices rely more heavily on networked communication, cybersecurity is going to become an even greater concern. The FDA has already become aware of the following breaches:

  • Network-connected/configured medical devices infected or disabled by malware;
  • The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
  • Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
  • Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.

As a medical device manufacturer, it’s important for you to remember that it is your responsibility to identify risks associated with your devices. The FDA expects you to take appropriate actions to limit opportunities for unauthorized access to the device. If you need assistance implementing safeguards for your devices, we can help you determine how to reduce product risk.


GAO Report Finds Steady Medical Device Profit Climb – Especially the Big Boys

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

A new Government Accounting Office (GAO) report designed to shed light on what impact the medical device tax will have on the industry in the future might have done a better job of taking us under the industry’s financial hood today.

The GAO, the non-partisan counting house arm of the federal government, is often called upon by lawmakers to assess the financial impact or cost of compliance for potential regulations and taxes. These folks at GAO are mostly career bureaucrats. On top of that, they’re mostly career accountants. In other words, they aren’t known for cooking the books to benefit either side.

But where a 2014 Congressional Research Service study suggested a medical device tax would not impact company profits, GAO seemed to play it more neutrally in a report made public July 30. That’s why their overall assessment of the medical device industry just might be the most interesting thing they produced. GAO defined thirty of the companies as large-sized, including 3M, Baxter, Boston Scientific and Medtronic. It defined 35 as medium-sized, including Accuray, Biolase, Luminex, and Utah Medical Products. GAO defined 37 of the medial device companies as small, including Bovie Medical, Fonar, Urologix, and Zynex.

Here’s a little of what they found:

  • Net sales and profits were up between 2005 and 2014 – but it was better to be a big device company. Of the 102 surveyed, the 30 large-sized companies garnered more than 95 percent of the total net sales gains. Overall the industry enjoyed a 43 percent increase over the period, rounding out about a 4 percent increase annually.
  • Profits usually went up, except when they didn’t. While the overall trend was north rather than south, there were three periods were overall net profit decreased: 2005-6, 2007-9 and 2011-2.
  • Device industry still doesn’t know how bad it thinks device tax will be. According to GAO, 75 of the 102 companies in the report were uncertain about the full impact on their business.

While AdvaMed and others have slammed the device tax, saying it threatens jobs and funds for medical device innovation, others, including The Washington Post, have shrugged those job claims off as more about hype than fact.


Audit Management: the Perennial EQMS Straggler

Jeff Mazik

Jeff Mazik, Vice President, Life Science Solutions, AssurX

AssurX has been in the business of configuring and implementing Enterprise Quality Management Solutions for two decades, and over that time, it has been a consistent finding that audit management tends to reside near the end the typical EQMS process implementation schedule.

Why does the management of audits always seem to take a back seat to other processes like CAPA, document control, and complaints, when it comes to implementing an enterprise quality management system?

There are quite a few factors here, but what we’ve experienced when a company begins looking at purchasing an EQMS and eventually determining a rollout schedule is this typical implementation hierarchy:

The order of these may fluctuate a bit due to an individual company’s need, but unfortunately audit management, although important during the RFP and selection process, tends to be pushed back to later in the implementation rollout plan. Some of the reasons why this is the case include statements we’ve heard such as:

“Auditors can continue to do their work on spreadsheets for the time being.”

“Doing audits in the system doesn’t provide an immediate or significant ROI”

“Implementing audits in the EQMS system is not as regulatory impactful as much as the others.”

“Outside auditors focus on other EQMS processes first.”

But there are significant advantages with moving the audit management process up earlier in the implementation project:

  1. The implementation of the audit management process does not necessarily use the same implementation team as the other processes, with the possible exception of IT and QA resources. So it is likely that a separate project team can focus on getting this process implemented and validated.
  2. The audit management process may not need to be initially tied to other EQMS systems, and those integrations can be implemented, at a later time, when the additional process(es) are ready. Even the common scenario where the initiation of a CAPA from an audit finding can be done manually until the CAPA system is up and integration has been accomplished.
  3. The audit management process is relatively simple to setup, validate, and use. Typically, AssurX has found that there is not a lot of required configuration changes from our out-of-the-box audit management solution, so the system can be implemented, validated, and in use quickly. The added benefit here is that once one process is implemented and available, this can aid in getting early buy-in for the system and increase the momentum for getting other processes within the EQMS system rolled out.
  4. Auditors themselves become early adopters of the EQMS system used at the company. This results in auditors who are more familiar with the system as a whole, which can in turn, assist their understanding when he/she conducts audits on other implemented EQMS processes that are using the same system.

auditSo when planning out your EQMS process rollout schedule, I hope you see that there are some valid reasons to move your audit management process to earlier in the overall implementation project. If you look closer, you may just find some additional reasons at your own company on why this would be advantageous to be implemented early. Just don’t simply follow crowd, and relegate audit management to the end of the project without taking a serious look at why.

A webcast is available to you for more details on the audit management process and how it can be used to complete your Enterprise Quality Management System.


Obama Veto Threat Looms Over Medical Device Tax Battle

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

With medical industry trade groups and many House and Senate members lined up on one side determined to repeal the medical device tax, the other side may have the final ace: a veto threat by President Obama.

Not so fast, say opponents of the tax. They believe they have enough votes from Democrats to override any veto. Already in the House of Representatives, a June vote fell just one shy of the 281 needed to brushback any Obama veto. It’s worth noting that 12 Republicans were absent on the day of that vote. Most, if not all, would certainly support killing the device tax. The House, at least on an initial vote, appears to be a lock for those who want the tax gone.

It’s a little trickier in the Senate, where several Democrats have joined Republicans to remove the tax from the Affordable Care Act, commonly referred to as Obamacare. The Supreme Court’s recent decision that essentially upheld the Act could give political cover to wavering Democrats to stick with Obama and preserve the tax. Another factor: Dems against the tax might vote against it the first time, but then back off from overriding a veto and doing political damage to Obama.

demrepWith the presidential primary season already lurking in the background, Dems could be reluctant to weaken the President’s “value” when it comes to campaigning for Dems in key Senate and House races — not to mention supporting Hillary Clinton or whomever ends up grabbing the presidential nomination.

In the days before air conditioning, Washington was something of a ghost town in July and August. Business on Capitol Hill essentially ground to a halt. Today, life on the Hill does slow during those months, but deals are still cut and compromises worked out.

The smart money is on some kind of showdown next month. But remember, this is Washington D.C. Sure, today’s lawmakers can crank up the a/c and remain more active than their predecessors sixty years ago, but that doesn’t make them more predictable.

D.C. is a weird place in any weather. Watch this space.


FDA’s UDI Initiative Continues to Roll Forward

Jeff Mazik

Jeff Mazik, Vice President, Life Science Solutions, AssurX

With the close of the 7th Annual UDI Conference in Baltimore late last month, FDA took another big step forward in providing an electronic library of medical device information. During the conference, FDA shared a number of milestones completed in the last eight months since the previous conference.

Linda Sigg, FDA’s Associate Director of Informatics, shared that since the last conference held in October 2014 there has been quite a lot of progress made by her UDI group as well as the Medical Device community. In these past eight months, the number of Device Identification records in the GUDID increased from 33,000 to over 75,000. The number of manufacturer/labeler accounts grew from 240 to 425 accounts and FDA’s UDI Help Desk inquiries doubled to over 8,000 with an increase in their closure rate from 91% to 95%.

This growth was primarily due to the second group of devices requiring to meet FDA compliance due dates by September 24, 2015: those devices classified as implantable, life-saving, and life-sustaining.

UDI LabelingAlso accomplished during this time frame was the launch of the “AccessGUDID” website for public searching and downloading of the “GUDID” repository, finally allowing the fruits of all this collection of data to be visible to the healthcare community, at least for devices currently required to comply.

Mrs. Sigg also announced that upcoming capabilities to watch for was an advanced searching capability within the AccessGUDID system, as well as the implementation and availability of web services for external access to the GUDID. Ostensibly, the web services function will allow labelers/manufacturers and 3rd party vendors to actively integrate and search/download information electronically from the GUDID without the use of the AccessGUDID interface.

As the manufacturers/labelers of implantable, life-saving, and life-sustaining devices get closer to their due date for labeling and GUDID submissions this year, the next group of manufacturers/labelers: Class II devices (that are not implantable, life-saving, and life-sustaining) come to the plate. Accounts and GUDID access for these manufacturers/labelers will start being processed and made available in January of 2016 so as to help this group meet their labeling and GUDID submission compliance date of September 24, 2016. Following this September milestone, the information available in the GUDID will increase substantially. Soon after this milestone, Class I and unclassified devices will have their turn to begin labeling and submitting UDI information to the FDA, in order to meet their compliance date of September 24, 2018.

Also during the conference, guidance on the direct marking of devices was released, and for those devices requiring direct marking (e.g. the device is intended to be used more than once and intended to be reprocessed before each use) there are specific compliance due dates as well. These are posted on the FDA UDI website.

If your business manufactures Class II or Class I devices, be ready to get involved soon. Start planning now, if you haven’t already done so. Don’t wait until FDA grants your company access in order to begin to plan out how you will be compliant in your labeling of your devices, including direct marking (if applicable), as well as planning how to best manage and electronically submit your device’s UDI information to the GUDID system.


Will New User Fees Fuel More FDA Inspections?

Patrick Stone

Patrick Stone, President, TradeStoneQA

For FY 2016, FDA is requesting $4.9 billion to support our essential functions and priority needs, which is $425 million above the FY 2015 enacted level.  Of the total funding, $2.7 billion is budget authority and $2.2 billion is user fees.  The FY 2016 increase consists of $148 million in budget authority and $277 million in user fees.

User fee monies come from new health care sponsors applying for FDA approval to speed up the time it takes to get an audit scheduled. The user fee monies go toward FDA operating cost and employee payroll.

This means FDA will be expected to conduct more inspections to meet the demands placed on it by collecting user fee monies – but this idea raises a number of questions:

  • Will FDA be able to increase the amount of clinical trial audits globally in order to keep up with the user fee expectations for audit scheduling?
  • fancyFDAlogoHas FDA increased training for bioresearch monitor training and have trained inspectors ready to meet this challenge? FDA’s focus has been on food and tobacco inspections the last few years. The latest’s initiatives have been focused on compound pharmacies, the drug inspectorate, and the “antimicrobial blitz for use in feed lots & human use for resistance strain reducing strategy.”
  • Will FDA also increase the amount of health care products approved for the domestic market as well?

The drug shortage list has remained at high levels for the past few years and this fast track approval change is definitely part of the mitigation effort. Most of the budget increase comes from private industry and new product developers so the government burden is around one hundred and fifty million (2.7 billion total). We can only hope FDA is able to meet the increased demand for audit increases and is not postponing regulatory oversight due to limited trained staff shortfalls.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.


FDA Warning Letters Hit Device Makers Over CAPA, MDR Failures

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

It’s been a little while since we checked the FDA’s outgoing mail tray to find out what inspectors are looking for – and often finding – during their visits in the first half of 2015

We start with a rather hefty June 12 letter to AG Industries in St. Louis, hit for a number of alleged 820-related shortcomings, including:

  • Failure to promptly review, evaluate, and investigate complaints related to a Medical Device Report (MDR) review and file an MDR with the agency for what it deemed one of perhaps several “serious complaints.” FDA found AG’s response “inadequate” because the firm labeled the incident to be not life threatening, where the agency clearly has some doubts.
  • Failure to adequately validate according to established procedures for a process those results can’t be verified by additional testing.
  • Failure to adequately establish procedures for finished medical device acceptance.

FDA says about ten percent of the nearly 210 complaints the firm has received since early 2013 are still open. Specifically, it called out a complaint that AG received in August 2013.

Note: Throughout the letter FDA says AG’s characterization of its CAPA problem as minor “appears inappropriate.”

fancyFDAlogoInsulin Management System manufacturer Insulet Corporation had a relatively easier time of it in a June 5 letter. FDA hit the firm for devices it alleges are adulterated because the methods used in, or controls of, the manufacture, packing, storage, or installation don’t meet FDA good manufacturing practice (cGMP) requirements of its Quality System regulation.

FDA fired back that the firms April 16 response was not adequate and advised the firm that “regulatory action” could be initiated without further notice unless the Massachusetts-based firm takes prompt action to correct violations FDA alleges in the warning letter.

In New Jersey, FDA called out Ultrafiler-maker Nephros for alleged failure to document evaluation of its suppliers. Like Insulet, the firm was also criticized in the May 27 letter for not including required info of complaint investigations.

Bothell, Washington-based Thorn Dental Laboratory LLC was challenged in a June 2 letter of a number of CAPA-related fronts, including:

  • An inability to produce CAPA procedures for review during the inspectors’ series of inspections in February.
  • Failure to establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit.
  • Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conformed to specific requirements such as failing to maintain adequate documentation of suppliers, contractors and consultants.
  • Failure to establish and maintain procedures for finished device acceptance.
  • Misbranding its anti-snoring/sleep apnea devices.

Our final letter in this go ‘round’s review focused on Irvine, California-based Insightra Medical, maker of catheters and hernia implants. The agency said the firm’s devices are adulterated because Insightra failed to control its facilities in terms of manufacture, packing, storage, or installation.

Insightra was hit with a number of MDR shortcomings, including failure to establish internal systems that provide for “timely transmission” of complete medical device reports.


Medical Device Makers Express Optimism About Future — But QA Worries About US Regulatory Burden

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

Crystal may be clear, but crystal balls, at least metaphorically, are certainly not. The late, great political columnist David Broder with The Washington Post used to run a column at the end of the year tallying up where he had guessed correctly – and where he’d missed the mark. Not many columnists have the guts to do that.

A survey taken earlier this year found that some 75% of more than 5,000 medical device professionals felt “very or somewhat positive” about business prospects for 2015. Those numbers are pretty much in line with the findings of the 2014 survey, conducted by our friends at The Emergo Group.

Taking a closer look at the 2015 numbers, it’s clear that domestic device makers feel better about their prospects than do counterparts in the EU – and this was before Greece really started to tank.

Casting eyes around the globe, it turns out device makers in Asia were even more optimistic than those in America. Still, confidence among Asian device makers fell to 77% in 2015, from 83% in 2014. It’s interesting to note that, even then, concerns about a slowing Chinese economy don’t reflect an increasing edginess about the state of things in the world’s most populous nation.

X-ray of hipIn the U.S., smaller companies actually felt a bit more optimistic than their big brothers and sisters. But mid-size and big shops were a little less thrilled about the future, likely due to “regulatory and pricing pressures,” Emergo notes.

The study burrowed down to quiz more than 2,000 QA/RA professionals for their thoughts on current and prospective regulatory trends. Just over one-third of American respondents said they expect the process of gaining regulatory approval will be tougher than it was a year ago. The study says about 3.5% think the regulatory process is getting easier, though I’ve personally never found or spoken to any of those people!

Not surprisingly, the QA/RA pros in the U.S. said their country was one of the toughest when it comes to regulatory approval. Even the FDA sometimes acknowledges that, as we noted in an earlier blog when FDA’s Center for Devices and Radiological Health Jeffrey Shuren noted the agency is sensitive to this and trying to make some pro-industry changes.

We’ll check back with Emergo – and Shuren – later in the year. Let’s see if we can find some of that Broder confidence where folks circle back and reassess their predictions.