FDA provides guidance on addressing cybersecurity threats to medical devices

The FDA released a draft guidance to notify the industry and FDA staff about its recommendations for dealing with postmarket cybersecurity vulnerabilities for marketed medical devices. The draft guidance, which was announced in an advance release, provides specific recommendations for manufacturers but also encourages them to address cybersecurity issues throughout the entire lifecycles of their products.

Networked devices

An increasing number of medical devices are designed so that they can be networked to assist with patient care. Such networked devices, like any networked computer system, use software that can be vulnerable to cybersecurity threats, which can present a risk to the safety and effectiveness of the devices. Therefore, manufacturers should take a proactive approach to addressing cybersecurity risks in medical devices to reduce the risks to patient safety and public health.

Postmarket recommendations

The draft guidance contains the FDA’s postmarket recommendations and emphasizes that manufactures should monitor and address any cybersecurity vulnerabilities as part of their postmarket management of medical devices. In most cases, the manufacturers will be performing routine updates or patches, which would not require advance notification to the FDA or reporting under 21 C.F.R. part 806. However, for cybersecurity vulnerabilities that could compromise a device’s essential clinical performance and present a probability of serious adverse health consequences or death, the manufacturers would be required to notify the FDA (21 C.F.R. Sec. 806.10).

Proactive approach

The FDA believes that the public and private stakeholders must collaborate to use available resources and tools to assess risks and identify vulnerabilities in medical devices so as to mitigate cybersecurity threats. It recommends that manufacturers take a proactive, risk-based approach for the postmarket phases of medical devices, which includes cybersecurity information sharing, “good cyber hygiene” or routine device cyber maintenance, postmarket information assessments, vulnerability identification, and timely implementation of necessary risk mitigation actions.


The draft guidance applies to medical devices that contain software, including firmware or programmable logic. It also applies to software that is a medical device. However, the guidance does not apply to experimental or investigational medical devices.

Warning labels could deter parents from purchasing sugary drinks

A simple health warning label included on bottles of sugar-sweetened beverages may effectively dissuade parents from choosing sugary beverages for their children. A study funded by the Robert Wood Johnson Foundation’s Health Eating Research program found that parents who viewed drink labels that contained health warnings were 20 percentage points less likely to choose a sugar-sweetened beverage for their children than parents who did not view a warning label.

Label study

The study was the first to examine whether warnings on sugar-sweetened beverage labels would influence parents. The test was conducted through an online survey that showed parents five different labels, one of which displayed calorie content and four others that contained various warning labels. The study also included a control group that saw no warning labels.


The study concluded that health warning labels may be effective at reducing how healthy parents perceived sugar-sweetened beverages and whether they would boost energy and focus. The labels may also increase understanding of the increased risk of weight gain, heart disease, and diabetes the drinks pose to children. Forty percent of parents said they would choose a sugar-sweetened beverage that included a warning label, in contrast to 60 percent who did not see a warning label and said they would purchase a sugary drink.

The researchers also discovered that there were only minimal differences as to the effects of the four variations in the warning labels, but found that they all had a greater impact than the calorie version. Fifty-three percent of parents who saw the calorie label alone said that they would choose a sugar-sweetened beverage versus 40 percent of parents who viewed the health warning labels and would chose the sugary beverages. The study also found that 75 percent of parents supported the addition of health warning labels on sugar-sweetened beverages.

Medicaid directors concerned about CMS’ plans for measuring access to care

Medicaid directors are worried that CMS’ recent request for input relating to methods for measuring Medicaid enrollees’ access to care indicates that the agency intends to impose federal regulatory requirements that are out of touch with the complex issues facing state programs. In a letter to CMS, the National Association of Medicaid Directors (NAMD) detailed its members’ concerns that the request for information (RFI) signals the agency’s intention to limit the states’ ability to design payment methodologies by tying access to care with reimbursement rates.

Access measures

After the country’s economic downturn, states sought to dramatically reduce Medicaid provider payments. When CMS requested information from states relating to whether access to care would be maintained after payments were reduced, it found that in many instances the states’ processes for documenting access to care was inadequate. As a result, the agency issued a Final rule that would require states to create monitoring review plans to address whether the enrollees’ needs are being met (see States required to create access review framework for Medicaid programs, Health Law Daily, November 2, 2015).

Input requested

To determine how to meaningfully demonstrate sufficient access to care in state Medicaid programs, CMS issued an RFI that sought public input on: (1) access to care data collection and methodology; (2) access to care thresholds and goals; (3) alternative processes for access concerns; and (4) access to care measures.


NAMD expressed various concerns about the RFI and said state Medicaid agencies should have the authority to determine reimbursement rates and access thresholds because of the diversity among the states’ delivery system designs, populations, and provider networks. It added that states are already required to comply with significant reporting requirements on various aspects of their programs, and therefore CMS should use existing data sources and minimize further reporting requirements.

National standards

The organization also opposed the creation of a national core measure set and a national threshold for access to care, which, it argues, could impede ongoing delivery system and payment reform efforts and would be unlikely to generate meaningful comparisons across diverse state programs. It argued that alternative processes for access concerns are unnecessary because states already have tools in place to detect access problems. However, if additional processes are to be established, CMS should work with states to identify ways to improve the processes.


CMS should instead work with states in developing access to care measures that are necessary to fill in any data gaps. The measures must be sufficiently flexible to account for sate provider capacity variations and should incorporate telehealth initiatives and should keep pace with evolving technology.

CDC identifies biggest public health threats, makes resolutions for the new year

When the Centers for Disease Control and Prevention (CDC) looked back on the significant health challenges the public faced in 2015, it included in its list well-known health issues such as Ebola, antibiotic resistance, and prescription drug overdoses. Although the CDC notes that progress has been achieved in combating each challenge, it is also making it clear that the fight against these public health problems is far from over as it set forth its plan for tackling each over the coming year.


Over the past year, the CDC assisted in opening up emergency operation centers in Guinea, Liberia, and Sierra Leone to help with detection and response to future public health emergencies. The CDC is also providing support to nations that were affected by Ebola to allow them to transition from outbreak response mode to focusing on future outbreak prevention. It also launched an Ebola vaccine trial in Sierra Leone, through which over 7,000 individuals were vaccinated.

The CDC has established permanent offices in Liberia, Sierra Leone, and Guinea so as to provide ongoing support in the effort to eliminate new cases. The agency is also assisting the African Union to set up an African CDC, which will provide support to the entire continent in preventing outbreaks and to improve public health.

Antibiotic Resistance

It is estimated that at least 23,000 individuals died from preventable, antibiotic resistant infections in the United States in  2015. The CDC intends to continue to focus on preventing such infections and states, “We must preserve these miracle medications so we can avoid returning to the pre-antibiotic era when minor infections often led to death.”

Last summer, the National Action Plan to Combat Antibiotic Resistance was announced during the White House Forum on Antibiotic Stewardship. The plan is intended to bring together human and animal health groups that are dedicated to improving antibiotic stewardship throughout the country.

The CDC also recently discovered that health care facilities can prevent the spread of antibiotic-resistant, “nightmare bacteria” (carbapenem-resistant enterobacteriaceae or CRE) by simply coordinating their efforts, and it published guidelines for state and local health departments to alert local facilities when antibiotic-resistant bacteria is reported in the area.

Over the next year, the CDC will debut the AR Patient Safety Atlas, which is an interactive web platform that allows for open access to antibiotic resistance data relating to health care associated infections (HAIs) that are reported to the CDC’s National Healthcare Safety Network (NHSN). It also has plans to release the first antibiotic stewardship report that details progress that has been made in human medicine prescribing practices.

Tobacco Use

In 2015, the CDC’s Tips from Former Smokers campaign, which featured ads with real former smokers discussing their struggles with vision loss and colorectal cancers and is estimated to have motivated 1.6 million smokers to attempt quitting. The CDC says that the campaign resulted in 100,000 smokers quitting permanently, which avoided 17,000 premature deaths. The number of current adult smokers is at an all-time low, but the CDC notes that there remains a lot of work to be done to eliminate teen tobacco use.

The CDC plans on rolling out a new round of Tips from Former Smokers ads in order to continue its efforts at helping smokers quit and its January Vital Signs will focus on youth and tobacco use.

Prescription Drug Overdoses

Overdoses from prescription drugs remain at epidemic levels in the country, and the CDC emphasizes that the issue is a top priority for it and all of HHS. The CDC launched Prescription Drug Overdose: Prevention for States, which is an initiative to provide resources to states to help stop prescription drug overdoses. The CDC is also developing opioid prescribing guidelines to assist primary care physicians to provide safe care while reducing the risk of addiction and overdose. It also plans on release its opioid prescribing guidelines for chronic pain and will provide states with funding to better track opioid and heroin abuse and deaths.

CDC Director Tom Frieden, M.D., M.P.H., said, “Old and new threats to our health, such as Ebola, dengue, HIV, e-cigarette use among kids, foodborne illness, prescription drug overdoses, and increased drug resistance are just a few of the threats that kept us up at night – and will keep us busy in 2016.”