Medical Device IDs and Patient SafetySystem Could Help Track Malware Problems
A proposed unique medical device identifier would help the Food and Drug Administration more easily pinpoint malware issues and other safety and security problems, says Jay Crowley, senior adviser for patient safety at the FDA's Center for Devices and Radiological Health.
"The issue that we have now is not being able to identify specific products or specific devices that are subject to problems, and trying to aggregate those reports either across manufacturers or across the device industry as a whole," he says in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below).
By being able to identify specifically which devices are problematic, the FDA would no longer need to make broad product recalls, Crowley says.
The FDA is working with the Office of the National Coordinator for Health IT, the Joint Commission and the Centers for Medicare and Medicaid Services on how device identifiers could be included in electronic health records, he says.
In the interview, Crowley also discusses:
- The three classes of medical devices that would get unique identifiers;
- The timeline for phasing in the identifiers over five years;
- The feedback the proposed rule for the ID program received during the public comment phase.
Crowley, who has held a variety of positions at the FDA over the past 25 years, has responsibility for implementing the unique device identification requirements of the 2007 FDA Amendments Act and 2012 FDA Safety and Innovation Act.
MARIANNE KOLBASUK MCGEE: Could you tell us a little about your role at FDA?
JAY CROWLEY: My title is senior adviser for patient safety. I've been working on a number of issues associated with the development of systems to improve our understanding of device safety over the years. Currently I have primary responsibility for the development and implementation of the FDA's unique device identification system, which was mandated originally in the FDA Amendments Act of 2007. Further congressional requirements came about in the more recent FDA User Fee Authorization Act and the FDA Safety and Innovation Act, which was signed into law July of this year. There are a number of pieces to it beyond the regulation, but I have responsibilities overall for the development of the system.
Device Identification System
MCGEE: Tell us how the proposed ID system and its related database could improve FDA's post-market surveillance of medical device safety?
CROWLEY: One of the primary interests the agency has in unique device identification is really to improve our post-market surveillance activities. This includes both adverse event reporting, as well as some of our efforts around device surveillance, such as the Sentinel Initiative. In contrast, what happens in the pharmaceutical space where National Drug Code, or NDC, numbers are used to identify pharmaceutical products throughout the life of those products, that information finds its way into adverse event reports or into large population-based data sets that allow various public health questions to be answered and research to then be conducted.
What we lack in the medical device space is any sort of standardized unambiguous identifier, like an NDC code.. The advantages that we hope to accrue are around very specific identification of medical devices throughout the device lifecycle. In adverse event reports, in other post-market activities, and in our Sentinel initiative, having this very granular, standardized identifier will allow us to aggregate reports to see trends, to validate signals - a whole host of activities from the FDA's post-market surveillance and a whole host of benefits that can accrue.
In addition, we see advantages in terms of some of our other post-market activities, such as device recalls. Currently it's very difficult for the healthcare system in general to find recalled products because of the lack of a standardized identifier, and then the lack of that identifier finding its way into appropriate data systems. Recalls are very, very difficult to conduct.
There's a whole host of activities and we haven't even really touched on - some of the counterfeit and diversion activities that we think can be supported by UDI. We have some import safety activities that will definitely be supported by UDI.
Having this foundational identification element, every one talking about medical devices in the same way, just as we talk about pharmaceutical products the same way we talk about retail products with the UPC code in the same way, we have metadata associated with these products, consistent, standardized and trusted data associated with these products. All of this we believe will happen with FDA's UDI system that we're putting into place now.
Identifying Malware Issues
MCGEE: Could the system help identify devices that might be having safety issues caused by malware?
CROWLEY: I believe it can. In much the same way that UDI will help identify a whole host of problems that can accrue, we believe that safety and security issues are a part of that subset of problems. The issue that we have now is not being able to identify specific products or specific devices that are subject to problems, and trying to aggregate those reports either across manufacturers or across the device industry as a whole.
What we believe is that UDI will give us that visibility that we're looking for and that foundation that we need in order to identify potential signals, and work with manufacturers and with other stakeholders to validate those signals and then work forward to resolve any potential problems and be able to resolve those problems at an appropriate level.
One of the issues we have now is not knowing specifically which products are subject of a particular problem. We end up in the medical device space with very broad recalls. We recall all products of a particular type, even though it may be just a particular version or a particular model of a product. Getting down both in terms of identification and resolution to a very granular level will support a host of activities and help improve our use of devices in the healthcare space in general.
Three Classes of Medical Devices
MCGEE: What are the three classes of medical devices that will be covered under the UDI?
CROWLEY: The FDA has a pre-market risk class, this whole structure that we have primarily for our pre-market review process. There are three classes of devices. Class III is our highest risk devices and they're typically subject to pre-market approval. These are our riskiest devices. Most of these tend to be new products coming onto the market.
We have Class II devices, which are medium-risk products, and this is a very large class. These are subject to our 510k clearance process that covers a wide range of products, from ventilators and infusion pumps to some stand-alone software, contact lenses and just a very wide range of products.
Finally we have Class I products, low-risk products that are mostly exempt from any pre-market review, and these tend to be mostly low-risk, disposable kinds of products.
Addressing Top Safety Issues
MCGEE: What are the most common or most dangerous safety issues in medical devices that the UDI might help address or identify?
CROWLEY: I think the real problem that we're trying to address here is just identifying potential problems. I've worked in the post-market office within the Center for Devices for many years, and we've struggled with identifying quickly and efficiently problems that arise with medical devices. There have been some rather spectacular issues that have been raised more recently ... the metal-on-metal hip issues that have come to light. ... These are obviously implantable devices, and one of the reasons that these recalls tend to be so big and cover so many patients is that it's taking us - us being the healthcare industry - quite a while to discern the degree of the problem and how severe it was, and what really needs to happen.
What we believe is that having UDI tied to patients' electronic health records, registries or to other data sets, such as reimbursement data sets or payer data sets, allows us access and gain insight into how these devices are really working in a much more real-time environment. That allows us to validate potential concerns or signals much more quickly.
I think there's a host of problems, everything from the kinds of issues that I've just raised in terms of the kinds of patients that these devices have been used in, to issues with clinical trials and the application of devices beyond clinical trials to manufacturing problems and counterfeit products. Having that visibility - which we lack now - into the safety and the effectiveness of these products is really what's going to allow us to identify problems much more quickly.
Then, if we can identify them more quickly, we can resolve them more quickly and we can reduce the exposure of a problematic device to patients. It may mean not necessarily taking a device off the market, but restricting its use to a particular subset of patients or improving the way that it's used either by patients or clinicians. It's really that visibility that we're looking for that will allow the healthcare system - clinicians, patients, medical device manufacturers, payers, the FDA - to really understand how devices are being used, improve our understanding of device use, improve our risk profile associated with devices and allow us to all use these devices much more safely and effectively.
Frequency of Malware Issues
MCGEE: Do you have any sense of how frequently malware might be involved with medical device issues?
CROWLEY: I know that it does occur. ... Obviously software in general, and in the medical device space specifically, is a concern, [with] our growing reliance on software and software systems. We talk about electronic health records and other clinical information systems, and our reliance on these systems highlights our need to understand how they operate and to be able to identify problems very quickly. There are software problems, both those that occur because of design issues, implementation issues or use issues, as well as malware issues. But we believe having a UDI will allow us to really identify these trends much more quickly than we're able to now and identify the devices.
Software, I think, is a prime example of .. where it can be very difficult to know which product I'm talking about. It's one thing to have a product in your hand with a label that says version one or model one. It's much more difficult when we talk about software, software systems or integrated software systems to know exactly which products I'm talking about and then having a standardized way of identifying devices. The UDI will help all of us to know which products we're actually talking about and to be able to identify and resolve problems much more quickly. I do believe that .. UDI can help those who are involved in identifying and resolving those [malware] problems to work on them much more efficiently.
Role of Healthcare Providers
MCGEE: What would the UDI system for medical devices mean for healthcare providers? For instance, would they need to record the IDs in the electronic health records of patients, and would that also make it easier for healthcare providers to notice a pattern of problems with medical devices that they might want to report to the FDA?
CROWLEY: Currently, the FDA doesn't have regulatory oversight over practices of healthcare, but we're working with many of our partners, for example, the Officer of the National Coordinator for Health IT, the Joint Commission and the Centers for Medicare and Medicaid services, on what the adoption and implementation will look like. One of our prime interests, as you mentioned, is really the documentation of device use and implementation in patients' electronic health records. We believe there's a whole host of benefits that can accrue from that, not the least of which is patients knowing exactly which device they have.
One of the big issues, for example, in some of these implant recalls is patients knowing if they have that implant or not. With subtle differences between products, it can be very difficult sometimes to know. It also has implications for revision surgery and a whole host of other activities, so we have been working with ONC on what kinds of requirements should be in place for recording the UDI. Whether that's in [HITECH Act] meaningful use Stage 3 or some other kind of requirement is yet to be seen. But we're very interested in seeing that done .. both in electronic health records as well as patients' personal health records.
For that to be available in a HIPAA-compliant, limited data set for researchers and clinicians ... we really see that as being a cornerstone. That also leads to the Sentinel Initiative that I mentioned before, which is really utilizing population-based data sets that exist already to answer public health questions.
We see that notion of device use documentation based on UDI and EHR as being very much a cornerstone of the agency's post-market surveillance plan in the future. And so we're working to really put that into effect and hope that it becomes part of the normal routine, just as pharmaceutical products are documented based on their NDCs and patients' electronic health records or other kinds of clinical documentation. We see for most devices, not all obviously, recordation using UDI as being central to our ability to conduct effective post-market surveillance in the future.
MCGEE: The public comment period for the UDI proposed rule just closed. What comments did you get?
CROWLEY: We got quite a few, and most of them are not particularly surprising. The conversations that we've had or have been having with both healthcare providers and others in the healthcare system, as well as medical device manufacturers, in general fall into two categories. One is folks wanting more clarity around how the UDI would apply to certain device types. The proposed rule is kind of a general framework. It describes generally for medical devices how the UDI should be applied. Medical devices cover a very wide range of product types. We talked about software, for example. We have lots of different kinds of devices. How UDI should be applied in all these various states is something that requires some more work. Many of the comments are looking for some clarity in the final rule, trying to understand how it would apply to their devices.
The other set of comments probably relates toward implementation, and folks either wanting some more specificity or some clarity around what exactly UDI would look like for them. This is particularly, I'd say, both from a timing and data-format perspective. We've laid out a timeline in the proposed rule which for some is reasonable, for some is too short and for some it's too long.
We have a number of comments, particularly from healthcare providers, who would like to see all of this happen much more quickly than the five-year implementation timeline that we've introduced. Many want fewer options. We've allowed for a lot of flexibility in the implementation of UDI in terms of the data structure. There are a number of different standards development organizations that can be used, as well as the symbology. We've taken [an approach] in contrast to the FDA pharmaceutical barcode rule - which required that the NDC be in a linear barcode only. The UDI allows any technology to be used as long as it meets the standards. ... There's attention here that I think we need to be cognizant of and really be careful as we move forward in understanding how this is going to work. Those are the broad-level comments that we received, and we will take all of these into consideration during the development of the final rule.
Publishing Final Rule
MCGEE: When will the final rule be published, and when will the IDs begin to get phased in for medical devices?
CROWLEY: We are required by the recent FDA Safety and Innovation Act to publish the final rule six months after the closure of the comment period. Our comment period closed November 7, which puts us into mid-May for us to publish the final rule and we work diligently to do that. ...
If we assume May of 2013 is the publication of the final rule, as I mentioned before we have a stepwise implementation based on pre-market risk class, so our Class III devices would have to meet all the requirements of UDI one year after publication of the final rule. That means that all these high-risk devices would have to meet the UDI by May of 2014; Class II devices, three years after publication of final rule; and Class I devices, our lowest risk devices, five years after publication of the final rule. That's at least with the proposed rule. That was the timeline outlined in the proposed rule. We'll have to see what the comments say and see whether that changes at all one way or another.