FDA’s legislative wish list includes device cybersecurity, a generic exclusivity fix, and more

Regulatory News | 04 April 2022

The US Food and Drug Administration (FDA) would receive new authorities under proposals in legislation introduced alongside the Medical Device User Fee Amendments (MDUFA V) reauthorization bill and in its FY2023 budget request. Those authorities include requiring medical device manufacturers to address cybersecurity, fixing a loophole with generic drug patent challenge exclusivity, and clarifying the term medical device remanufacturing.
Over the past week, FDA submitted its $8.4 billion budget request to Congress, which also includes a number of legislative changes that the agency says will help it do its job better. Also, during last week’s House Energy and Commerce (E&C) health subcommittee hearing on MDUFA V reauthorization, the agency stated it would benefit from several riders to the legislative package to assist in its mission.
Budget request
In its annual budget request, FDA included provisions specifically addressing the pharmaceutical industry, including holding generic drug makers accountable for taking advantage of the agency’s patent challenge exclusivity but then delaying bringing products to market. (RELATED: FDA seeks $8.4B in FY2023 to modernize regulatory infrastructure, prep for future pandemics, Regulatory Focus 28 March 2022)
“In practice, 180-day patent challenge exclusivity is not operating as expected to encourage early generic entry, because this exclusivity is often ‘parked’ by first applicants who either receive approval but do not begin marketing for extended periods of time following approval, or by first applicants who delay receiving final approval of their [abbreviated new drug applications] for extended periods of time,” the agency said. “This proposal would substantially increase the likelihood that generic versions of patent-protected drugs will come into the market in a timely fashion, and that multiple versions of generic products will be approved quickly (leading to significant cost savings).”
FDA’s proposal would allow the agency to approve subsequent applications unless the first generics applicant begins to market their drug sooner.
FDA also notes it lacks authority to hold drugmakers accountable when they are given accelerated approval based on a requirement for confirmatory studies but are slow to conduct those studies after the approval. To address the issue, the agency is asking for greater authority to set timelines for manufacturers to complete their studies.
“A statutory provision would help provide greater assurance at the time of a drug product’s accelerated approval that the confirmatory study will progress in a timely manner, and reap high-quality, interpretable results,” it said.
On the medical device side, FDA is asking for the ability to require device makers to address cybersecurity issues on their connected devices.
Over the past few years, the agency has developed pre- and postmarket device cybersecurity guidances, published papers on cybersecurity best practices, and coordinated with the Department of Homeland Security and industry to address a growing number of threats and vulnerabilities. Despite all that work, FDA said it doesn’t have adequate authority to require medical device manufacturers to address cybersecurity issues.
“This proposal would advance medical device safety by explicitly requiring that medical device manufacturers design cybersecurity into their devices and by ensuring that FDA and the public have certain information about device cybersecurity,” the agency said. “Specifically, FDA seeks to have express authority to require: that premarket submissions to FDA include evidence demonstrating reasonable assurance of the device’s safety and effectiveness for purposes of cybersecurity; that marketed devices demonstrate a reasonable assurance of the device’s safety and effectiveness for purposes of cybersecurity; that devices have the capability to be updated and patched in a timely manner; that manufacturers provide a device Software Bill of Materials (SBOM) with their devices so users know which components of their devices are or may be subject to cyber threats; and that device manufacturers publicly disclose when they learn of a cybersecurity vulnerability so users know when a device may be vulnerable, and to provide direction to users to reduce their risk.”
Other items on FDA’s budget wish list include authority to charge makers of imported regulated products beforehand for the destruction of their goods when they don’t conform to the agency’s requirements, additional powers to conduct remote inspections, authority to require product-makers to notify the agency in detail when they know there will be a product shortage, and authority to lengthen drug expiration dates to prevent shortages.
MDUFA riders
During the E&C health subcommittee hearing later in the week to reauthorize MDUFA V, lawmakers proposed multiple riders that FDA said would be helpful in its mission, including a bill from Rep. Michael Burgess (R-TX) called the Protecting and Transforming Cyber Health Care (PATCH) Act. The bill explicitly addresses the issues the agency raises about cybersecurity in its budget request. (RELATED: Shuren apologizes for MDUFA delay, says FDA will start closing the spigot on new EUAs, Regulatory Focus 30 March 2022)
During the hearing, Rep. John Joyce (R-PA) proposed a bill called the Clarifying Remanufacturing to Protect Patient Safety Act that, as the name implies, would clarify and expand the definition of a medical device remanufacturer.
Last year, the Center for Devices and Radiological Health (CDRH) published a draft guidance in which it stated that in some cases medical device servicers had made drastic updates to products that constituted remanufacturing. The agency noted, however, that such cases were rare but concerning, since servicers are not regulated like manufacturers.
Joyce asked CDRH Director Jeff Shuren if it would be helpful to FDA if lawmakers clarified the definition of remanufacturing further in law to reduce ambiguity, to which he said it would.
“The devil's in the details as to what it looks like but we know that even though we've got guidance going through there's more comfort when certain things are baked into the statute,” said Shuren. “We think that would be helpful depending on what that provision looks like and if there's interest, we'd be happy to work with the committee on it.”
Another issue that Shuren has long touted is the need for FDA to have regulatory flexibility, especially when it comes to digital health products and artificial intelligence/machine learning software on medical devices, which require constant updating. (RELATED: Shuren: Let’s take regulatory flexibility beyond COVID-19, Regulatory Focus 22 March 2022)
Rep. Dan Crenshaw (R-TX) asked the director if the agency currently is capable of regulating AI/ML products, to which he said the agency has already allowed 300 such products on the market, including 50 in the past year alone.
“But I do think that we do need a regulatory flexibility that we don't currently have to better tailor the pathways to that kind of technology,” Shuren added. “The pathways in the law now are many years old.”
Crenshaw noted that FDA published a paper several years ago stating it needed more authority to regulate digital health products and asked Shuren to reach out to the E&C committee about what statutory changes he wants to see in order to better regulate digital health products.


© 2023 Regulatory Affairs Professionals Society.
