By Michael Aisenberg
When Massachusetts General Hospital (MGH) inaugurated its experimental remote telemedicine center at Boston’s Logan Airport under a joint grant from the US Departments of Commerce and Health and Human Services in 1975, it was ushering in a new era of the application of Information & Communications Technology (ICT) to medical challenges. In the MGH-Logan pilot, the effort was to reduce mortality among acutely ill or injured passengers by eliminating the “golden hour” of ER risk, avoiding the notorious rush hour transit time from Logan to MGH. Tele-diagnosis on site at the airport permits immediate treatment and reduces mortality. And it spawned even more imaginative approaches to linking patients to active medical professional care, spanning gaps of distance and time.
Today, the individualization and wearability of diagnostic and therapeutic ICT-enabled devices have only enhanced the physician and patient appetites for these tools. WiFi monitoring and adjustments for pacemakers, insulin pumps, home wired diagnostic devices for glucose testing and a host of sensor-delivery tools for therapies offer unprecedented accuracy, immediacy of therapeutic adjustment and associated improvements in survivability and overall quality of life.
But with these innovative applications come increased risks. And some of these risks may be beyond the scope of present legal and policy structures to address.
However, one area of real concern today is entirely within the scope of remediation in the near term, suggesting other possible connected medical device (CMD) improvements. The concern, a procedural one, involves the inability of injured patients to sue “connected” medical device manufacturers in their state courts for injuries or death that they claim resulted from the failure of US Food and Drug Administration (FDA)-approved medical therapeutic technologies.
Most Internet-connected medical devices are subject to FDA review. They fall into a category of products originated in the FDA’s pharmaceutical program, but now widely extended by court rulings both within the FDA to connected medical devices. The legal principle, Federal Pre-emption of Liability, applies to protect device manufacturers whose products have received FDA review and approval. These manufacturers may not be sued in state courts by individuals claiming injury due to a device failure. Instead, victims or their families must first bring administrative actions against the manufacturer at the Federal agency level. This policy is not limited to medical devices and pharmaceuticals reviewed by the FDA; it also exists for products under the jurisdiction of other Federal agencies, such as consumer products at the US Consumer Product Safety Commission (CPSC) and telecommunications devices reviewed by the US Federal Communications Commission (FCC).
And today, victims may only seek review of the devices’ medical “safety and efficacy”. If the device fails because of a cyber security vulnerability leading to a hack, a security weakness permitting unauthorized tampering or other threat vector not reviewed by the FDA, the victim or his/her survivors may be left without a remedy if they do not complain to the FDA first.
The Federal pre-emption concern raises three related paths to improvement that also offer good models for other connected consumer devices.
First, states could pass statutes granting explicit jurisdiction to their state courts over cases involving failures of the ICT software in connected medical device products sold in their states.
Second, the FDA should be granted specific responsibility for the review of not only the medical safety and efficacy of CMD products, but their embedded ICT software as well, evaluating National Institute of Standards and Technology (NIST) SP 800-53-type security and privacy controls to assure the performance of their connectivity, appropriate limitations of device access and privacy of patient data collected and transmitted by the devices.
The inclusion of ICT-related software elements in FDA structural reviews to pre- and post-market review of safety and efficacy of ICT-enabled devices should promptly become part of the agency’s program, irrespective of actions taken by states to assure the availability of a state court remedy for injured patients.
And third, continuous monitoring of addressable wireless-enabled devices should become part of device routine operating models, to assure that the wireless technological component of device operations is as free from defect or performance degradation as the therapeutic aspects of the device. The enhancement of CMD standards to assure a minimum standard among commercial CMD manufacturers should promptly become an agenda item for health standards bodies addressing health care cyber standards. But similar scrutiny could also enhance the safety of unmanned vehicles by the US National Highway Traffic Safety Administration (NHTSA) and aerial devices by the FAA.
The legal and policy communities can assist in establishing best practices and contextual considerations for the creation of standards for the burgeoning CMD product community. But, guided by medical expertise, the device vendor community must become the source of the actual effort in standards setting to assure the true “safety and efficacy” of devices relied on by health care consumers.
The MITRE Corporation