As part of Cybersecurity Awareness Month, we continue our discussion about the FDA’s efforts to help prepare various entities to address cybersecurity threats, vulnerabilities, and even attacks. In our previous post, we previewed the FDA and MITRE’s cybersecurity Regional Incident Preparedness and Response Playbook (the “playbook”) for health care delivery organizations. Here, we take a more in-depth look into what that playbook has to offer.
The playbook’s focus is primarily aimed at preparing Health Care Delivery Organizations (“HDOs”), including their staff, for addressing and responding to cybersecurity threats. The playbook is not intended to address the day-to-day patch management of devices, but rather addresses threats and vulnerabilities with large-scale, multi-patient impact and patient safety concerns.
The playbook’s guidance primarily consists of four guiding steps, going in chronological order: (1) preparation, (2) detection and analysis, (3) containment eradication and recovery, and (4) post-incident activity. Below is a summary of these action steps, but you are encouraged to read the actual playbook for a more in-depth explanation and/or expansion on the summary below.
(1) PREPARATION
Assess and bolster cyber defensive measures and develop handling processes and procedures to enable better operations when an incident arises.
1. Incorporate cybersecurity awareness into medical device procurement in order to strengthen the response to a cybersecurity incident. (E.g. Request a Software Bill of Materials to identify and address vulnerable device components.)
2. Take a medical device asset inventory. (E.g. Identify device name and description, physical location of device, device owner and manager.)
3. Perform a hazard vulnerability analysis to assess and identify potential gaps in emergency planning, including a review of anticipated cybersecurity threats and existing mitigations. (E.g. Identify potential cybersecurity risks, such as a lack of staff with the ability to detect and respond to a cybersecurity incident.)
4. Prepare medical technical specialists (i.e. the response team to all hazard incidents) with cybersecurity and medical device expertise as part of the hospital incident management team.
5. Create an Emergency Operation Plan to determine how the HDO will “respond to and recover from a threat, hazard, or other incident” with a device. (E.g. Identify members and their roles and responsibilities.)
6. Create an overall Incident Response communication plan. (E.g. Identify key internal and external communication roles.)
a. Specify incident-sharing expectations for all participants in the above communication plan. (E.g. What incidents can and cannot be shared?)
b. Identify cybersecurity incidents, then initiate outreach to the manufacturer and then to the broader healthcare community.
c. Implement external incident notification and continue to stay abreast of intrusion information and/or mitigation recommendations from manufacturer(s).
d. Create a communication template for how incident notification will occur.
7. Implement user awareness training with all medical device users in your company and conduct preparedness and response exercises for all-hazards.
(2) DETECTION AND ANALYSIS
Identify and establish that an incident has occurred.
1. Define the priority of and appropriate level of response to incidents.
2. Implement formal and informal reporting obligations. (Note: Manufacturers are required to conduct a formal notification of the incident to their customers and user community.)
3. The incident investigation and analysis can begin once initial incident parameters have been set.
4. All activities taken to address cybersecurity incidents and responses must be recorded or otherwise documented. Benefits of recording these activities include preserving evidence for potential criminal activity and learning to improve the response for the future.
(3) CONTAINMENT ERADICATION AND RECOVERY
Response to the confirmed cybersecurity incident begins. Such activities could include a strategy of “contain, clear, and deny” (i.e. halt cybersecurity incident, fix it and restore services quickly) or a “monitor and record” strategy (i.e. watch and “capture” adversary actions).
(4) POST-INCIDENT ACTIVITY
Identify what went well and what did not; such information can be leveraged to improve the existing plan and future responses. It is also suggested to retain a trained digital forensics expert to fully identify the damage done.
For immediate, additional information about addressing cybersecurity breaches in medical devices, consider visiting the BSCR blog posts below addressing cybersecurity:
CYBERSECURITY. In a statement issued by FDA Commissioner Scott Gottlieb, M.D., the FDA made clear that the threat of cybersecurity attacks is no longer a theoretical discussion but is present, and as such steps must be taken to proactively address future threats. Such attacks are already here in other capacities, including attacks on financial institutions, government agencies, and health care systems.
The FDA’s specific concerns revolve around attacks on patient medical devices. Cybersecurity researchers have found various vulnerabilities in patient medical devices that could result in bad actors gaining access and control over the patient’s medical device. While “FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” the “risk of such an attack persists.” As a result, in an effort to instill confidence in both patients and providers that it can effectively address any reported medical device cyber vulnerabilities, the FDA has determined that it is important to address such a threat of an attack now.
In taking such proactive steps, the FDA announced it has coordinated with the MITRE Corporation to launch a cybersecurity “playbook” for health care delivery organizations, along with the “signing of two significant memoranda of understanding.” A “sneak peek” at the playbook shows it addressing the types of readiness health care delivery organizations should consider in order to be better prepared and address cybersecurity incidents involving their respective medical devices. The memoranda, among other actions, created such groups as information sharing analysis organizations, which are groups of experts (aimed to include manufacturers who share potential vulnerabilities and threats) that gather, analyze and disseminate important information about cyber threats.
The FDA’s work in addressing cybersecurity threats dates back to 2013 with the establishment of its medical device cybersecurity program. The FDA has issued premarket and postmarket guidance for manufacturers to consider in addressing their cybersecurity vulnerabilities and threats. While the FDA’s premarket guidance was finalized in 2014, it announced in this statement that it plans on publishing a “significant update to that guidance to reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space.” One such example included providing customers with a cybersecurity bill of materials to ensure that device customers and users are able to respond quickly to potential cybersecurity threats.
Finally, the FDA is taking steps to bring additional resources to build its medical device cybersecurity program, starting with its Fiscal Year 2019 Budget in order to establish additional “regulatory paradigms” to proactively address vulnerabilities and threats.
Be on the lookout for a future discussion of the FDA’s collaborative “playbook” with MITRE, as well as a posting on the FDA’s “significant update” to its 2014 premarket guidance.
For immediate, additional information about addressing cybersecurity breaches in medical devices, visit our prior posts addressing cybersecurity:
“Impossibility preemption” applies to bar tort claims where it is impossible for a party to comply with both state and federal law. In the recent opinion of Raskas v. Teva Pharms. USA, Inc., No. 4:17-CV-2261 RLW, 2018 U.S. Dist. LEXIS 3507 (E.D. Mo. January 8, 2018), the Eastern District of Missouri reaffirmed application of “impossibility preemption” to generic drug manufacturers on strict liability and negligent defective design and failure to warn claims.
The allegations in the Raskas v. Teva complaint provide the story of a young man, Ralph Raskas, who, after seeking treatment for nausea and vomiting, ingested the medication prescribed by his physician - generic metoclopramide - and allegedly developed pain and restlessness in his legs. After being diagnosed with “drug-induced acute akathisia,” he complained of significant pain and eventually committed suicide after two prior attempts. His father filed a wrongful death action against Teva Pharmaceuticals, USA (Teva) and Actavis Elizabeth, LLC (Actavis) - manufacturers of the dispensed generic metoclopramide - alleging that the drug caused his son’s neurological injuries and suicide. Plaintiff asserted claims for strict liability and negligent defective design and failure to warn, negligence in identifying risks associated with the drug, as well as what he contended was a failure to update the generic medication’s labeling to conform to that of its brand name equivalent. Relying upon PLIVA, Inc. v. Mensing, 564 U.S. 608 (2011), and Mutual Pharm. Co. v. Bartlett, 570 U.S. 472 (2013), Teva and Actavis sought dismissal of all claims against them on federal preemption grounds.
The Raskas court began its analysis of the plaintiff’s claims by reviewing the approval requirements of the Food and Drug Administration (FDA) for both brand name and generic drugs. To gain approval of brand name drugs, a manufacturer must submit a new-drug application (NDA) that includes clinical investigative reports and all relevant information to allow the agency to determine whether the drug is safe for use. On the other hand, approval of a generic drug typically requires only that the generic be “bioequivalent” to the branded medication. In fact, a generic may receive FDA approval without any in vivo studies, solely based on in vitro studies that study dissolution of the proposed generic. See 21 C.F.R. §§ 320.24(b)(5) and 320.22(d)(3).
Critically for the generic drug manufacturers in Raskas, 21 C.F.R. Part 314 prohibits generic drug manufacturers from 1) making any unilateral changes to a drug’s label, and 2) deviating from the drug’s approved formulation. See 21 C.F.R. §§ 314.94(a)(8)(iii), 314.150(b)(10), and 314.70(b)(2)(i). These federal regulatory restrictions are the basis for the “impossibility preemption” found in Raskas.
In rejecting the plaintiff’s defective design claims, the court considered Brinkley v. Pfizer, Inc., 772 F.3d 1133 (8th Cir. 2014), in which metoclopramide design defect claims were specifically precluded due to preemption because the only way the manufacturer could avoid liability under Missouri law was by redesigning the product. If a generic drug manufacturer were required to redesign the product to comply with Missouri state law, it would be impossible to comply with federal law, which requires a generic drug’s formulation to be bioequivalent to the branded medication and the generic’s labeling to be identical to that of the brand name drug. This is the definition, and a descriptive example, of impossibility preemption, which provides that “[w]here state and federal law directly conflict, state law must give way.” Mensing, 564 U.S. at 617.
Raskas’s failure to warn claims were found to be similarly barred by impossibility preemption, because the warning labels on the generic metoclopramide manufactured by Teva and Actavis were required, under 21 C.F.R. Part 314, to be identical to those of the brand name medication Reglan®. If the failure to warn claims were allowed to proceed, generic drug manufacturers - in order to escape state tort liability - would be required to relabel their products to provide additional information or warnings, which is directly prohibited under federal regulations. The Missouri federal district court in Raskas determined it would be impossible for Teva and Actavis to comply with both state and federal law in this instance, so dismissal of the failure to warn claims against them was appropriate.
Although the plaintiff attempted to distinguish its claims from those presented in controlling legal precedent, the court ultimately concluded that impossibility preemption applied to each of the asserted negligence, strict liability, and wrongful death claims for failure to warn or defective design. The plaintiff was, however, granted leave to amend his complaint to adequately plead an alleged claim against Teva and Actavis for failure to update their labeling to conform to that of Reglan®, the brand name medication.
The Raskas opinion may be found here in its entirety.
About Drug / Device Law Blog
The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.
Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.