WSGR ALERT

Manufacturers of Instruments Routinely Used in In Vitro Diagnostics Should Carefully Consider FDA's Recent Cybersecurity Guidance

December 4, 2018

High throughput sequencers, including next generation, or NGS, sequencers; polymerase chain reaction, or PCR, machines; flow cytometers; and other instruments are routinely used in conducting in vitro diagnostic assays. Many of these devices are interoperable—i.e., are capable of exchanging and using information across medical and non-medical networks, or the internet.

NGS sequencers are especially powerful as diagnostic medical devices:

"Most IVDs [in vitro diagnostics] detect only a single or a defined number of substances to diagnose one or several specified conditions. In contrast, NGS tests are capable of detecting the over 3 billion bases in the human genome, and in doing so identify the approximately 3 million genetic variants an individual may have. A single use of an NGS test could enable the diagnosis of any one, or more, diseases or conditions a patient presents with. NGS tests can also help to predict a patient's risk for developing certain conditions. Because it is possible to sequence the whole genome, it is not necessary to know what variant one wishes to identify prior to running and successfully interpreting an NGS test—a concept which is very different from how traditional IVDs are used."1

The use of NGS sequencers, as diagnostic medical devices, coupled with their interoperability, makes them potential targets for a medical device hack. We previously published an article about medical device hacking associated with more traditional medical devices (such as implantable cardiac devices), and the hack's consequences and potential ramifications. Traditional medical device manufacturers are, in our experience, generally aware of—and take steps to mitigate—cybersecurity risks associated with their products. But instruments like NGS sequencers can be medical devices, and these instruments can therefore be subject to different degrees of U.S. Food and Drug Administration, or FDA, regulation. And a hack of these instruments, functioning as medical devices, can directly result in harm to patients.

Recently, we summarized the FDA's draft guidance "Content of Premarket Submissions for Management of Cyber Security in Medical Devices" (the guidance). A key driver for the FDA's issuing the guidance is that cyber security incidents have "rendered medical devices and hospital networks inoperable" and that the "need for effective cybersecurity to ensure medical device functionality and safety has become more important…"2

The guidance defines two Tiers of cybersecurity risk. Medical devices have a Tier 1 risk if: 1. the device is capable of connecting to another medical or non-medical product network, or the internet; and 2. a cybersecurity incident affecting the device could directly result in harm to patients.3 Examples of Tier 1 devices include connected or connectable: implantable cardioverter defibrillators, pacemakers, left ventricle assist devices, brain stimulators, dialysis devices, infusion and insulin pumps.4 The second Tier, or Tier 2, is a device for which the criteria for a Tier 1 device are not met.

All of the above Tier 1 examples (e.g., pacemakers) are what would be thought of as traditional medical devices. But the incorporation of instruments such as interoperable NGS sequencers into IVDs, in the event of a hack, could result in delaying vital diagnostic outcomes or changing vital diagnostic results. In other words, a hack could directly result in harm to patients. So these interoperable instruments used in IVDs can be Tier 1 cybersecurity risks.

This takes on significant importance because of the sheer number of labs performing IVDs, and the sheer number of tests issuing from these labs. By one estimate, the commercial medical and diagnostic laboratory industry in the U.S. consists of about 17,000 establishments (single-location companies and units of multi-location companies) with combined annual revenues of about $50 billion. Medical labs account for about 65 percent of diagnostic industry revenue.

By another estimate, in 2018, about 75,000 genetic testing units, or GTUs, were actively marketed by Clinical Laboratory Improvement Amendments (CLIA)-certified laboratories in the U.S., and about 15 new GTUs per day are being offered. Thus, hacks on NGS instruments used in IVDs could directly and significantly harm large numbers of patients nationwide. Which brings us back to the guidance.

A significant part of the guidance is devoted to helping to ensure a device can be trustworthy. The guidance states that trustworthy devices: 1. are reasonably secure from cybersecurity intrusion and misuse; 2. provide a reasonable level of availability, reliability, and operation; 3. are reasonably suited to performing their intended functions; and 4) adhere to generally accepted security procedures.5 Trustworthiness is one of several considerations that instrument manufacturers should keep in mind.

As general considerations: manufacturers of interoperable instruments used in IVDs should think carefully about how and where their instruments will be used. One strategy for possibly controlling how an interoperable instrument can be used is employment of a label license. Also, where warranted, awareness of and compliance with FDA regulations are important. Designing devices to be used in IVDs as trustworthy devices should be carefully considered. And contingencies in the event of a hack should be put into place before the occurrence of an actual hack.

For questions regarding this alert, the guidance, or FDA's regulation of the cybersecurity risk of medical devices, please contact Vern Norviel, David Hoffmeister, or any member of the patents and innovation strategies or FDA/life sciences groups.

Charles Andres contributed to the preparation of this WSGR alert.


1 "Optimizing FDA's Regulatory Oversight of Next Generation Sequencing Diagnostic Tests"—Preliminary Discussion Paper, at 2. Available at: https://www.fda.gov/downloads/MedicalDevices/NewsEvents/WorkshopsConferences/UCM427869.pdf.
2 The guidance, at 4.
3 Id., at 10.
4 Id.
5 Id.