Shuren talks cybersecurity, calls for pre-cert and diagnostic reform legislation

Regulatory NewsRegulatory News | 27 October 2022 |  By 

CDRH Director Jeff Shuren spoke to attendees at the 2022 annual Medtech Conference in Boston, MA.

BOSTON, MA – The head of the US Food and Drug Administration’s device center said that medical device cybersecurity vulnerabilities are an issue that keeps him up at night. He says he is also concerned about the lack of laboratory-developed test (LDT) oversight and fears that without new authorities, digital health innovation may go elsewhere.
Jeff Shuren, director of FDA’s Center for Devices and Radiological Health, made these remarks during a panel at AdvaMed’s The MedTech Conference on Wednesday.
Shuren and his colleagues at CDRH touched on the Medical Device User Fee Amendments (MDUFA V), the total product lifecycle advisory program (TAP), staff burnout during the COVID-19 pandemic and more. Several topics stood out during the discussion: medical device cybersecurity, the Verifying Accurate Leading-edge IVCT Development (VALID) Act and getting additional authorities to regulate digital health products.
Shuren noted that there has been a 17-fold increase in medical device cybersecurity vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS) between 2016 and 2020.
“We monitor an ever-increasing number of vulnerabilities in the US. You may not hear about all of this, but it is happening,” said Shuren. “This is the kind of stuff that keeps me up at three o’clock in the morning.”
While no deaths have been reported related to medical device cybersecurity vulnerabilities, Shuren said that FDA has seen patient care compromised because of such vulnerabilities. In many cases, hackers have exploited vulnerabilities in computer systems to spread ransomware, which in some cases has incapacitated hospital networks and impacted their ability to treat patients.
“This is our national security,” said Shuren. “Any weak link in the system is a way to get in there to get data to disrupt care or to extract money.”

Shuren noted that cyberattacks by malicious hackers and nation states have become more sophisticated over time. While the agency has received about $500,000 from Congress to address the issue, Shuren said it still needs more funding and greater authorities to combat the issue.
“This is not a nice to have, this is a must have quite frankly for the US,” said Shuren. “It just simply has to happen.”
Shuren also said that FDA needs additional authorities from Congress if it wants to maintain its leadership in the digital health space. He noted the agency’s recent report on its software precertification (Pre-Cert) program that would create a new pathway for certain medical software such as software as a medical device (SaMD).
One of the key findings of that report is that FDA currently only has authorities to a allow de novo applications through such a pathway, which Shuren said could have dire consequences for US innovation if left unchanged.
“If we're going to do anything like this where we can leverage our understanding of the capabilities of the developer we will need a change in legislation,” said Shuren. “In fact, if we don't do that, we think in the digital health space we're going to see technologies begins to hit a wall over the next few years, probably within the next five years, digital health will become painful in the United States.” 
Shuren said that this needs to be remedied in order for the US to retain its edge in the digital health space. “We’ve got to fix this,” he said, adding that it will take time for the agency to issue regulations and take other steps necessary to implement any new authorities.
“And quite frankly, we need that to happen to facilitate digital health and a whole variety of other modern technologies to come to market because the framework that’s in place was designed for my grandmother’s technology,” he said. “It is not fit for purpose today.”
Shuren said that he hopes the issue can be addressed in the next year or else the situation for digital health products will get worse.
Shuren and colleagues also discussed the VALID Act, which was stripped from the recent user fee legislation.
Speaking on different panel on Tuesday, FDA Commissioner Robert Califf said that if diagnostics reform is not passed as part of the December omnibus budget bill, the agency may resort to rulemaking to step up oversight of in vitro clinical tests (IVCTs) such as laboratory-developed tests (LDTs). [RELATED: Califf: FDA may use rulemaking for diagnostics reform if VALID isn't passed, Regulatory Focus, 25 October, 2022]
FDA has long used its enforcement discretion to refrain from regulating most LDTs because in the past they have typically been simpler tests for low-risk conditions and were not mass manufactured. In recent years, Shuren has spent time on Capitol Hill telling lawmakers that LDTs need to be regulated as they have become more complex, are meant to diagnose serious diseases and are being mass manufactured as kits and sold across the country.
After his talk, Shuren expressed his frustration that despite strong bipartisan support for the legislation, VALID failed to make it into the package that was passed in September.
“There's almost the point of what do I need to do? Do I need a pile of dead bodies before somebody says enough is enough,” Shuren told Focus. “LDTs are absolutely critical in healthcare, but patients and providers don't care who makes the tests, they just care that the tests work, and we've got LDT's that just don't work and there isn't that oversight in place to assure that they do… as a physician deeply concerns me.”
During his townhall, Shuren also said that FDA learned a lot of valuable lessons during the pandemic, including how to get guidances out much faster. He noted the first COVID-19 test guidance was cleared through the Trump administration within 36 hours, which shows that the agency can cut through the red tape when it needs to.
Ultimately, Shuren acknowledged that during the pandemic the agency has struggled to keep up doing its usual business while also going into overdrive to do its part in managing the crisis. He said that 2023 will be a “big transition year” for CDRH to get back to normal.


© 2023 Regulatory Affairs Professionals Society.

Discover more of what matters to you