In May 2019, in a move rejecting the reasoning of the Third Circuit, the U.S. Supreme Court dove into two critical aspects of preemption analysis in Merck Sharp & Dohme Corp. v. Albrecht et al., No. 17-290, slip op. (U.S. May 20, 2019). The Court addressed who will decide whether preemption exists (a judge), and how to decide whether preemption exists where FDA action and state law conflict thereby destroying a plaintiff’s related state claims.
Specifically, the Court held a plaintiff’s claim that a drug manufacturer failed to warn pursuant to state law will fail when a judge applies a “clear evidence” standard and finds that the relevant federal and state laws “irreconcilably conflict.”
Petitioner drug manufacturer, Merck Sharp & Dohme Corporation, sought Supreme Court review of the Third Circuit’s decision to vacate and remand the lower court’s Order granting Merck’s Motion for Summary Judgment. The Respondents, more than 500 individuals who filed individual suits which were consolidated into a multi-district litigation (MDL), were prescribed an osteoporosis drug manufactured by Merck (Fosamax) and subsequently suffered rare thigh bone breaks (referred to in litigation as “atypical femoral fractures”). The Respondents alleged Merck breached a legal duty imposed by the state to warn of the risk of atypical femoral fractures associated with using Fosamax. Merck countered these claims with an “impossibility preemption” defense, arguing the Respondents’ state law claims should be dismissed because conflicting federal law displaces, or preempts, the state requirement. The Court fleshed out preemption standards set forth in an earlier Supreme Court case (Wyeth v. Levine) in an explicit attempt to aid lower courts when conducting preemption analyses, and remanded the case with these new understandings. While the Court remanded the case, it did opine that “there is sufficient evidence to find that Merck violated state law by failing to add a warning about atypical femoral fractures to the Fosamax label.”
Under Wyeth v. Levine, 555 U.S. 555 (2009), a state-law failure-to-warn claim is preempted where there is “clear evidence” that the FDA would not have approved a change to the label. Since Wyeth, courts have struggled to both define and apply this “clear evidence” standard. In Merck, the Court elaborated on the clear evidence standard set out in Wyeth and held that Merck would have to show two things to trigger state law preemption: (1) Merck gave the FDA an evaluation or analysis concerning the specific dangers that would have merited the additional warning, and (2) Merck presented the would-be-state-compliant warning but was prohibited from adding said warning by the FDA.
The original Fosamax label was approved by the FDA in 1995. The original label did not warn of the risk of atypical femoral fractures. While the Court points to the fact that Merck scientists knew of at least a “theoretical risk” of these fractures, Merck brought the theoretical considerations to the FDA’s attention and the FDA approved a Fosamax label without requiring mention of the risk. In 2008, Merck applied to change the Fosamax label in two ways: (1) add reference to “low-energy femoral shaft fracture” in the Adverse Reactions section of the label, and (2) provide longer discussion focused on the risk of stress fractures in the Precautions section. The FDA approved the first addition, but rejected the second on the basis that the discussion of “stress fractures” was not sufficiently related to the risk of the specific atypical femoral fracture. This is because atypical femoral fractures are low energy fractures that are the result of stress fractures, and have different pain symptoms and more severe repair remedies. At that time, the FDA did however invite Merck to resubmit its application to address label change deficiencies. Instead, Merck withdrew its application and changed the Adverse Reactions section through the “changes being effected” (CBE) process. The CBE process is provided within the FDA regulations and permits drug manufacturers to change labels without prior FDA approval where “newly acquired information … based on reasonable evidence” warrants a new or stronger warning. A warning about “atypical femoral fractures” appeared on the Fosamax label in 2011, after the FDA ordered a label change based on its own analysis.
Finally, the Court reiterates the long-standing principle that the only FDA agency actions capable of answering whether preemption exists are those taken pursuant to the FDA’s congressionally delegated authority. Where, as in Merck, the answer to preemption revolves around a question of agency disapproval, the Court unambiguously held the question of agency disapproval is a question of law for a judge to decide, not a jury. Chatter of the role of a jury, specifically regarding factual questions about the meaning and effect of an agency decision in preemption cases, was silenced by the Court’s Opinion. The Court unabashedly admits there are such factual questions within a preemption analysis, but held that those questions are “subsumed within an already tightly circumscribed legal analysis and do not warrant submission alone or together with the larger pre-emption question to a jury.” Ultimately, the Supreme Court remanded the case because the Third Circuit improperly analyzed the question of preemption as one of fact for a jury, rather than a question of law, and because the Court has now clarified how to properly apply the clear evidence standard.
What does this mean for your company?
If you, like Merck, are in the business of manufacturing drugs, you can take solace in the fact that an FDA preemption argument is in the hands of a judge. Because the Supreme Court has now held this issue is one exclusively for the Court, it may be ruled upon during motion practice with less strife related to facts “subsumed” in this kind of complex legal analysis. But this strategic advantage cuts both ways. Drug manufacturers will now have to show that the company submitted a state law required warning to the FDA. Litigation of these issues to date has largely involved questions about what exactly the FDA rejected when disapproving label changes. The Court makes clear that the manufacturer’s proposed label change cannot be of some broader, less threatening risk – like stress fractures – when the company has knowledge of a specific, less appeasing risk – like atypical femoral fractures. This is to say, while the power that comes with an impossibility preemption defense can be a great litigation tool, the responsibility to fully inform and present the FDA with state-compliant warnings is equally great.
As part of Cybersecurity Awareness Month, we continue our discussion about the FDA’s efforts to help prepare various entities to address cybersecurity threats, vulnerabilities, and even attacks. In our previous post, we previewed the FDA and MITRE’s cybersecurity Regional Incident Preparedness and Response Playbook (the “playbook”) for health care delivery organizations. Here, we take a more in-depth look into what that playbook has to offer.
The playbook is aimed primarily at preparing Health Care Delivery Organizations (“HDOs”), including their staff, to address and respond to cybersecurity threats. The playbook is not intended to address the day-to-day patch management of devices, but rather addresses threats and vulnerabilities that pose large-scale, multi-patient impact and patient safety concerns.
The playbook’s guidance primarily consists of four guiding steps, going in chronological order: (1) preparation, (2) detection and analysis, (3) containment, eradication, and recovery, and (4) post-incident activity. Below is a summary of these action steps, but you are encouraged to read the actual playbook for a more in-depth explanation and/or expansion on the summary below.
(1) PREPARATION
Assess and bolster cyber defensive measures and develop handling process and procedures to enable better operations when an incident arises.
1. Incorporate cybersecurity awareness into medical device procurement in order to strengthen the response to a cybersecurity incident. (E.g. Request a Software Bill of Materials to identify and address vulnerable device components.)
2. Take a medical device asset inventory. (E.g. Identify device name and description, physical location of device, device owner and manager.)
3. Perform a hazard vulnerability analysis to assess and identify potential gaps in emergency planning, including a review of anticipated cybersecurity threats and existing mitigations. (E.g. Identify potential cybersecurity risks, such as lack of staff with the ability to detect and respond to a cybersecurity incident.)
4. Prepare medical technical specialists (i.e. the response team to all hazard incidents) with cybersecurity and medical device expertise as part of the hospital incident management team.
5. Create an Emergency Operation Plan to determine how the HDO will “respond to and recover from a threat, hazard, or other incident” with a device. (E.g. Identify members and their roles and responsibilities.)
6. Create an overall Incident Response communication plan. (E.g. Identify key internal and external communication roles.)
a. Specify incident-sharing expectations for all participants in the above communication plan. (E.g. What incidents can and cannot be shared?)
b. Identify cybersecurity incidents, initiate outreach to manufacturer and then to broader healthcare community.
c. Implement external incident notification and continue to stay abreast of intrusion information and/or mitigation recommendations from manufacturer(s).
d. Create a communication template for how incident notification will occur and how.
7. Implement user awareness training with all medical device users in your company and conduct preparedness and response exercises for all-hazards.
(2) DETECTION AND ANALYSIS
Identify and establish that an incident has occurred.
1. Define the priority of and appropriate level of response to incidents.
2. Implement formal and informal reporting obligations. (Note: Manufacturers are required to conduct a formal notification of the incident to their customers and user community.)
3. The incident investigation and analysis can begin once initial incident parameters have been set.
4. All activities taken to address cybersecurity incidents and responses must be recorded or otherwise documented. Benefits of recording these activities include preserving evidence for potential criminal activity and learning to improve the response for the future.
(3) CONTAINMENT, ERADICATION, AND RECOVERY
Response to the confirmed cybersecurity incident begins. Such activities could include a strategy of “contain, clear, and deny” (i.e. halt cybersecurity incident, fix it and restore services quickly) or a “monitor and record” strategy (i.e. watch and “capture” adversary actions).
(4) POST-INCIDENT ACTIVITY
Identify what went well and what did not; such information can be leveraged to improve the existing plan and future response. It is also suggested to retain a trained digital forensics expert to fully identify the damage done.
CYBERSECURITY. In a statement issued by FDA Commissioner Scott Gottlieb, M.D., the FDA made clear that the threat of cybersecurity attacks is no longer a theoretical discussion but is present, and as such steps must be taken to proactively address future threats. Such attacks are already here in other capacities, including attacks on financial institutions, government agencies, and health care systems.
The FDA’s specific concerns revolve around attacks on patient medical devices. Cybersecurity researchers have found various vulnerabilities in patient medical devices that could result in bad actors gaining access and control over the patient’s medical device. While “FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” the “risk of such an attack persists.” As a result, in an effort to instill confidence in both patients and providers that it can effectively address any reported medical device cyber vulnerabilities, the FDA has determined that it is important to address such a threat of an attack now.
In taking such proactive steps, the FDA announced it has coordinated with the MITRE Corporation to launch a cybersecurity “playbook” for health care delivery organizations, along with the “signing of two significant memoranda of understanding.” A “sneak peek” at the playbook shows it addressing the types of readiness health care delivery organizations should consider in order to be better prepared and address cybersecurity incidents involving their respective medical devices. The memoranda, among other actions, created such groups as information sharing analysis organizations, which are groups of experts (aimed to include manufacturers who share potential vulnerabilities and threats) that gather, analyze and disseminate important information about cyber threats.
The FDA’s work in addressing cybersecurity threats dates back to 2013 with the establishment of its medical device cybersecurity program. The FDA has issued premarket and postmarket guidance for manufacturers to consider in addressing their cybersecurity vulnerabilities and threats. While the FDA’s premarket guidance was finalized in 2014, it announced in this statement that it plans on publishing a “significant update to that guidance to reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space.” One such example included providing customers with a cybersecurity bill of materials to ensure that device customers and users are able to respond quickly to potential cybersecurity threats.
Finally, the FDA is taking steps to bring additional resources to build its medical device cybersecurity program, starting with its Fiscal Year 2019 Budget in order to establish additional “regulatory paradigms” to proactively address vulnerabilities and threats.
Be on the lookout for a future discussion of the FDA’s collaborative “playbook” with MITRE, as well as a posting on the FDA’s “significant update” to its 2014 premarket guidance.
About Drug / Device Law Blog
The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.