Surgical Procedure Could Spread Cancer, FDA Warns

The FDA is discouraging doctors and patients from using laparoscopic power morcellation for the removal of the uterus (hysterectomy) or the removal of uterine fibroids (myomectomy) since it could spread unsuspected cancerous tissue beyond the uterus. It has released a safety communication with its recommendations for physicians and for women that warns of the risks and lists considerations for parties who will perform or undergo hysterectomies and myomectomies, including alternative treatment options. The FDA will convene a public meeting of the Obstetrics and Gynecological Medical Device Panel to gain “input from clinical and scientific experts.”

Most women will develop uterine fibroids (leiomyomas), noncancerous tumors that arise from uterine muscular tissue, at some point during their lives. While generally not problematic, leiomyomas can become symptomatic, causing heavy or prolonged menstrual bleeding, pelvic pressure or pain, and frequent urination, sometimes growing to the size of cantaloupes, and may necessitate medical or surgical treatment. Surgical options include traditional surgical hysterectomy (performed either vaginally or abdominally) and myomectomy, laparoscopic hysterectomy and myomectomy without morcellation, laparotomy using a smaller incision (minilaparotomy), deliberate blocking of the uterine artery (catheter-based uterine artery embolization), high-intensity focused ultrasound, and drug therapy. More than 200,000 hysterectomies are performed each year for uterine fybroids. Laparoscopic power morcellation involves the use of a power morcellator to divide uterine tissue into small pieces or fragments that are removed through an incision in the abdomen. Patients sometimes choose a laparoscopic procedure because it is associated with a shorter post-operative recovery time and a reduced risk of infection.

According to William Maisel, M.D., M.P.H., deputy director for science and chief scientist at the FDA’s Center for Devices and Radiological Health, “There is no reliable way to determine if a uterine fibroid is cancerous prior to removal.” The FDA has determined that one in 350 women undergoing a hysterectomy or myomectomy due to fibroids will unknowingly have uterine sarcoma, a rare form of cancer that usually develops after menopause. Laparoscopic power morcellation in these women could spread cancerous tissue from the uterus to the abdomen and pelvis, “significantly worsening the patient’s likelihood of long-term survival.” Previously, the threat of spread was thought to be less common, affecting anywhere from one in 500 to one in 10,000 women.

In light of this information, the FDA has instructed manufacturers of power morcellators used in laparoscopic hysterectomies and myomectomies to review their current labeling to ensure that it includes accurate risk information. It has also advised physicians not to use the procedure in patients with suspected or known cancer. Physicians who deem the procedure the best option should discuss the risks with their patients. The FDA notes that some clinicians and medical institutions advocate the use of a specimen bag during morcellation to attempt to contain the uterine tissue and minimize the risk of spreading it. Women who have previously undergone the procedure and whose tissue tested normally (at noncancerous levels) should undergo routine follow-up with their physicians.

When the FDA convenes a public meeting of the Obstetrics and Gynecological Medical Device Advisory Committee, in addition to discussing the clinical role of laparoscopic power morcellation to treat uterine fibroids, it will discuss the use of a specimen bag and other surgical techniques that could reduce risks, as well as whether a boxed warning related to the risk of cancer spread should be required for laparoscopic power morcellators.

Software Vulnerability Endangers EHR, Devices; HHS Websites Unaffected

The “Heartbleed” bug, discovered last week by two information technology (IT) security teams, caused a vulnerability in a popular encryption software used by many medical professionals to protect patient data. Electronic health record (EHR) systems often use OpenSSL’s encryption software to secure protected health information (PHI). Heartbleed can reveal the contents of a server’s memory to hackers, including private data such as usernames, passwords, and credit card numbers. Attackers are also able to obtain copies of a server’s digital keys, and use those keys to impersonate servers or to decrypt communications. Security experts estimate that 66 percent of all devices connected to the internet, including internet-capable medical devices, could be attacked using Heartbleed.

Heartbleed Danger

According to members of the security team that discovered Heartbleed, the bug allows anyone on the internet to access and read the memory of systems protected by the vulnerable versions of the OpenSSL software. Affected information includes secret keys used to identify service providers and to encrypt data, as well as user names, passwords, and actual saved content, allowing attackers to steal data directly from the services and users and to impersonate services and users. A fixed version of OpenSSL has been released, but the vendors of operating systems, appliances, and independent software all must adopt the fix for each program that uses OpenSSL. Further, users and administrators should change their passwords to prevent use of their accounts by anyone who has accessed their private account information. Passwords changed before the fixed version is installed are not secure.

The security team that discovered Heartbleed said, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

Impact on Health Industry

OpenSSL is an open source protocol. Open source means users are universally granted free license to the product, which is not copyrighted. As a result, many health IT-related programs and devices use the protocol, including those that use Apache servers. A “cursory review” conducted by health IT developer Lauren Still found many web-based EHR platforms were vulnerable to the bug. Additionally, some Health Insurance Exchanges operated by states under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) were exposed. Medical Device and Diagnostic Industry says that the bug could be used to attack systems used to communicate with insulin pumps, home health care networks, and medical devices such as MRI machines.

Safety of HealthCare.gov, MyMedicare.gov

When the discovery of Heartbleed was announced, the Department of Homeland Security’s (DHS) U.S.-Computer Emergency Readiness Team (US-CERT) issued an immediate alert. Other DHS teams have reached out to vendors and asset owners to notify and assist them in determining vulnerabilities and protecting their data. DHS announced that “the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.” Building on DHS’s announcement, a CMS spokesperson stated “Due to CMS’s security protections, HealthCare.gov consumer accounts are not affected by this vulnerability. Additionally, other CMS consumer accounts, including MyMedicare.gov, were not affected by this vulnerability. Per standard practice, CMS continues to work with the states to monitor this issue and ensure that appropriate security measures continue to be in place.”

Developer and cryptography consultant Filippo Valsorda published a tool that allows users to check websites for Heartbleed vulnerability. For websites that require passwords, Last Pass created a similar checker tool. Wolters Kluwer tested a number of HHS websites, and confirmed that in addition to HealthCare.gov, Medicare.gov and the FDA’s online Drug Registration and Listing system were not vulnerable to Heartbleed; tests revealed that MyMedicare.gov and CMS’s EHR Incentive Program Registration & Attestation system may possibly be affected.

Sponge-Filled Syringe to Treat Gunshot Wounds Approved for Military Use

The FDA has approved a first-of-a-kind hemostatic dressing to control bleeding from battlefield wounds in the pre-hospital setting. The XStat™, manufactured by RevMedx, Inc., of Wilsonville, Oregon, is a temporary dressing for wounds in areas that a tourniquet cannot be placed, such as in the pelvis/groin or shoulder/armpit regions. The dressing can be used up to four hours, which could allow time for the patient to receive surgical care.

Necessity

According to the U.S. Army Medical Department, Medical Research and Materiel Command, since mid-World War II, nearly 50 percent of combat deaths have been due to bleeding out. Of those, half could likely have been saved if timely, appropriate care had been available. At the present time, military field medics have to pack layers of gauze into a wound to stop the bleeding, a time-consuming process that does not always work. Moreover, medics are taught that if the bleeding does not stop within three minutes, to go through the extremely painful process of pulling out the gauze and starting the process again.

The Device

According to the FDA, the XStat consists of three, syringe-style applicators containing 92 compressed, cellulose sponges that have an absorbent coating. RevMedx’s XStat syringe injects these hemostatic sponges into deep wounds. After approximately 20 seconds of contact with water from blood or bodily fluid, the sponges expand to fill the wound cavity, creating a temporary physical barrier to blood flow. No direct manual pressure is required. The number of sponges needed for effective hemorrhage control will vary depending on the size and depth of the wound. Up to three applicators may be used on a patient.

The Sponges

The tablet-shaped sponges are each 9.8 millimeters in diameter and 4 to 5 millimeters in height. They can absorb 3 milliliters of blood or body fluid. An applicator filled with 92 sponges can absorb about 300 milliliters of fluid.The sponges cannot be absorbed by the body and all sponges must be removed from the body before a wound is closed. For ease of visualization and to confirm removal of every sponge, each sponge contains a marker visible via X-ray.

FDA Review

The FDA reviewed XStat through its de novo classification process, a regulatory pathway for novel, low- to moderate-risk medical devices that are first-of-a-kind. In a preclinical model with aggressive non-compressible hemorrhaging, Xstat provided statistically significant improvement in hemostasis and survival 60 minutes after injury with a large reduction in blood loss, resuscitation fluid requirement, and medic treatment time compared to conventional hemorrhage control dressings.

The FDA’s review of XStat included animal studies demonstrating its effectiveness at stopping bleeding and the absorption capacity of the device. Non-clinical biocompatibility data and human factors testing were also provided to demonstrate the safety and usability of the device.

Interview with Co-Developers

On March 5, 2014, RevMedx’s Chief Executive Officer, Andrew Barofsky, and Director of Strategic Development, John Steinbaugh (a former special forces medic), appeared on Fox Business Channel’s Opening Bell and explained how their device can be used both on the battlefield to seal wounds and in civilian application by first responders.

HHS Proposes Framework for Development and Use of Health IT Products

HHS has issued a draft report, setting forth a proposed strategy and recommendations for a health information technology (health IT) risk-based framework. The report is the culmination of an intra-agency effort between the FDA, the HHS Office of the National Coordinator for Health IT (ONC), and the Federal Communications Commission (FCC), to promote product innovation, clarify health IT product oversight, and to reduce the inherent risks involved in such product use.

“This proposed strategy will facilitate innovation, protect patients and support FDA’s focused oversight on higher risk technology, similar to medical devices that are currently regulated,” stated FDA Director Jeffrey Shuren, M.D.in an HHS news release. “FDA looks forward to additional stakeholder feedback on the proposed framework in this draft report.”

Health IT

According to HHS, innovative health IT products offer significant benefits to patients, including better prevention of medical errors, reductions in unnecessary testing, better patient engagement, and quicker detection and response to health threats and emergencies. However, without a framework that guides the design, development, customization, implementation, integration, and use of such products, they could pose varying degrees of risk to patients who use them.

“The diverse and rapidly developing industry of health information technology requires a thoughtful, flexible approach,” stated HHS Secretary Kathleen Sebelius. “This proposed strategy is designed to promote innovation and provide technology to consumers and health care providers while maintaining patient safety.”

Draft Report

Consequently, the draft report sets forth three health IT categories that a product could fall under depending on its function and level of risk: (1) products with administrative health IT functionality, which could include software for billing and claims processing and poses little or no risk to patient safety; (2) products with health management health IT functionality, which could include software for health information and data management and poses a low risk to patient safety; and (3) products with medical device health IT functionality, which could include radiation treatment software and computer-aided detection software, and has potentially larger risks to patient safety.

“The draft report reflects FCC’s narrow but important role in encouraging new and innovative wireless medical technologies and ensuring that developers and users of these technologies are minimizing the potential for causing potentially harmful interference to radio services,” stated FCC Director Matt Quinn. “We look forward to future collaboration with all stakeholders to achieve the promise of health IT.”

The intra-agency draft report was released pursuant to the health IT requirements of the Food and Drug Administration Safety and Innovation Act of 2012 (P.L. 112-144).