Michael, your comments are more timely than you know. But first...were you aware of the Patient Engagement Advisory Committee meeting prior to my post?
Original Message:
Sent: 26-Dec-2019 08:23
From: Michael Reents
Subject: Inside the Bubble 2019
Hi, Julie.
I guess I'm a latecomer to this thread. I found your post extremely interesting (as our company's current cybersecurity nerd).
When you spoke of dissatisfaction being directed more to health care providers than to manufacturers, it reminded me of our experience. We had a cybersecurity initiative that took about a year and a half to complete. Once it was rolled out in our products, the tech help lines went crazy with customers wanting to turn off all of the security features. Cybersecurity looks great to facility administration and IT, but the end users don't want the inconvenience.
One example is individual user accounts. HIPAA requires logging for tracking who accessed what. If your system automatically logs on, there is no way to know who is using the system. Further, if all users use a shared account, there is again no way to know who accessed patient PI. And the rabbit hole gets much deeper.
------------------------------
Michael Reents
Bradenton FL
United States
Original Message:
Sent: 18-Dec-2019 20:54
From: Julie Omohundro
Subject: Inside the Bubble 2019
Inside the Bubble 2019 – Insecurity
If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. -- Kahlil Gibran
The topic at this year's Patient Engagement Advisory Committee (PEAC) meeting was cybersecurity. This has become my favorite domestic regulatory meeting, and I was especially looking forward to this one, because I thought the topic might bring out more experts and fewer wide-eyeds. I found that, when it comes to cybersecurity, these are not mutually exclusive groups, but the cybersecurity wide-eyeds tend to run a bit deeper (geekier?) than some others.
A CDRH presentation described patients as an "asset." Merriam Webster defines an asset as "an item of value owned." The presenter defined assets as "things that we care about" and "things that are worth protecting," apparently "things" being the operative word here. The other things cited as assets were medical devices and patient data. I wasn't especially surprised by this perspective, but I was a little surprised to hear it said out loud.
The same presenter advised the Committee that "Providing probabilistic estimates of a threat exploiting a vulnerability is unknowable." This struck me as more of a position firmly taken than a conclusion thoughtfully arrived at. It was a departure from the material in the slides, and the syntax made no sense. At first I thought he meant to say (or that someone else meant for him to say) that the probability that a threat will exploit a vulnerability is unknowable. But that didn't seem to mesh with whatever he was trying to say about providing probabilistic estimates, which was…I think…that, given the unknowable, you couldn't provide them. But isn't this what estimates are for? If you don't know the probability that something will happen, you estimate it. If you do know the probability, then you don't need to estimate it, right?
I subscribe to the long-standing and variously attributed wisdom that "it's not what you don't know that gets you into trouble, but what you think you know that you don't know." My impression was that CDRH thinks it knows something about the probabilities associated with other types of risks, and, further, that it thinks this knowledge can't be appropriately applied to cybersecurity risks, because of that whole unknowable thing. I wondered if the problem might lie more with what CDRH thinks it knows about other types of risks, than with what it thinks it doesn't know about cybersecurity risks. Or maybe CDRH is painfully aware that it doesn't know much about other types of risks, either, but would find it rather awkward to say so after all these years. Maybe, with cybersecurity risks, it's trying to curb expectations from the get-go.
One of the Committee members pressed CDRH on patient access to their data, noting that one of CDRH's slides showed a lot of players circled around the patient, communicating and coordinating, but the patient had been left out of the loop. The CDRH response agreed that patients should have access, but this access seemed limited to data as it pertains to cybersecurity breaches, not to all the data their device might have to offer, which is what the patients seemed to want.
There was only one presentation by a medical device company. It was a nice presentation about the company's response to reports of cybersecurity vulnerabilities involving its devices. It seemed reminiscent of the CDRH slide, with a lot of collaborating, but no reference to patients being engaged in that process.
AdvaMed offered a list of cybersecurity principles it had adopted. I thought they were okay principles, but somehow I had been expecting something more substantive from the industry's largest trade association. One of the Committee members asked what light these principles might shed on how AdvaMed would recommend that companies include patients in decision making and think about their communications to patients. The answer was it would recommend following FDA's guidance. So I guess its members really got their dues' worth there.
Most of the public speakers were either cyber MDs or cyber patients, which is to say, they knew far more about cybersecurity than most MDs and patients. Several had hacked their own devices. They seemed to be pretty uniform in their priorities, which were more transparency, more communication, and more control. In one patient's words, "my device, my body, my life, my choice."
A cyber MD currently associated with a university medical center gave a nicely thought-out presentation on informed consent and cybersecurity. I paid close attention, and saw no indication that he viewed this as an academic exercise. He really seemed to think that informed consent was part of medical practice. This puzzled me until he made a reference to doctors with "an informed consent document that they're going to do two dozen times that day in the OR." Ah. One of the Committee members picked up on it too and asked if this wasn't a little late to be seeking a patient's consent. I wondered if the Committee member was thinking what I was thinking, which was that, call it what you will, a form that a patient signs in the OR is not a consent form. It's a release form.
Based on the public presentations and the roundtable discussions, the non-cyber patients struck me as more pragmatic than the experts. Perhaps that's because for patients this is only a matter of life and death, while for other players it's a matter of financial, legal, political, and professional liability. These patients wanted their doctors to be their first point of contact in the event of any issue with their device, but they did not expect their doctors to be cybersecurity experts, nor did most of them want to become cybersecurity experts themselves. They simply wanted timely notification about any cybersecurity threat, practical information about what options were open to them in the event of a threat, and to be advised of sources for further information. Most were not amenable to the notion that anyone should sit on the information until everything got reviewed, analyzed, figured out, and maybe also resolved. (In other words, they weren't interested in being kept in the dark until everyone else involved had had ample opportunity to C their A's.)
Most thought manufacturers should be the best sources of information about their devices, and the actions patients might take in the event that a device they manufactured was breached. They thought doctors should be the best sources of information regarding the clinical ramifications of these options for individual patients. They did not think that either manufacturers or doctors were where they needed to be, but generally seemed to accept that this was still a brave new world for everybody.
Where there was dissatisfaction, it seemed to be directed primarily at healthcare providers, and secondly at manufacturers, which I thought was appropriate. The dissatisfaction with healthcare providers seemed a bit more intense, probably because patients expect their healthcare providers to act in their patients' best interests, but they had no such expectations of manufacturers. From manufacturers, they seemed to want competence. Don't we all. No one seemed to be unhappy with CDRH, which I found refreshing. Perhaps this was because, unlike almost everyone else involved, the patients themselves didn't seem to have a lot of expectations of CDRH, which I thought was also appropriate.
A number of the presenters were affiliated with one organized group of hackers or another. This took me back to my grassroots days, when I learned how easily such groups are taken over and manipulated to address agendas other than the ones they think they are pursuing. Who might want to bend a hacker group to their own agendas, and what those agendas might be…quite the intriguing question, no?
There was an undertone of concern emanating from CDRH and other players related to cyberattacks, national security, and nation-states, which not many patients seemed to share. My takeaway on this topic was that, inside the bubble, some "assets" are more worthy of protection than others. Perhaps rightly so, but maybe not nearly as much as they might like to think.
------------------------------
Julie Omohundro, ex-RAC (US, GS), still an MBA
Principal Consultant
Class Three, LLC
Mebane, North Carolina, USA
919-544-3366 (T)
434-964-1614 (C)
julie@class3devices.com
Original Message:
Sent: 22-Oct-2019 19:51
From: Julie Omohundro
Subject: Inside the Bubble 2019
Inside the Bubble - The Cardio Club
The Cardio Club was out in full force this year, sigh. It seemed to be totally in control of MDIC's early feasibility study project, which has been struggling for four years now to address a national emergency, the wholesale departure of early feasibility studies from the US. Whether they fled by plane, train, boat, car, or by scaling a wall in the dead of night, no one has said.
Everyone on MDIC's panel on early feasibility studies was a member of the Cardio Club, leading me to consider possible reasons why:
- Was no one from any other therapeutic area invited to participate? Or did they just not want to?
- Did someone think it would be appropriate for the Cardio Club to come up with a one-size-fits-all approach to early feasibility studies for the entire industry? Or is this project intended to "foster innovation" only by the Cardio Club?
- Is it only the Cardio Club that needs "fostering"? Is it only the Cardio Club that can't figure out how to do an early feasibility study all by themselves?
I encountered the Cardio Club again at the Patient Engagement Advisory Committee (PEAC) meeting, where the scenario for the roundtable discussion was the potential hacking of…drum roll…a cardio implant.
Having sort of lost it during the roundtable discussion at the last PEAC meeting, I was hoping to be able to keep calm and carry on at this one. Now it looked like the discussion could be wading into waters where I might feel compelled to lose it again. But no! Someone from one of the big medical device companies piped right up and advised the FDAer who was moderating our discussion that CDRH really needed to get over this, leaving me free to sit back, relax, and enjoy. Which I did.
I wasn't able to figure out What Is Really Going On with the Cardio Club this year. However, when I got home and sorted through and followed up on some of the bits and pieces I'd brought back from The Bubble, I think I found some clues. Should they lead anywhere interesting, you'll be the first to know.
------------------------------
Julie Omohundro, ex-RAC (US, GS), still an MBA
Principal Consultant
Class Three, LLC
Mebane, North Carolina, USA
919-544-3366 (T)
434-964-1614 (C)
julie@class3devices.com
Original Message:
Sent: 06-Oct-2019 18:48
From: Julie Omohundro
Subject: Inside the Bubble 2019
In 2017, I spent an unhealthy amount of time inside the bubble, knowing I would not have any time for it in 2018. After I staggered back out again, gasping for air, I posted a multi-part series on LinkedIn, titled "Inside the Bubble." This year, I went back inside, but I didn't overdo it like I did in 2017.
Having spent less time there, you might think I wouldn't have nearly as much to say, but these days I'm watching with better informed eyes than in 2017. This doesn't mean that now I know What's Really Going On, but I think I might be getting warmer. In any case, this is just a heads up that I'm about to start posting some thoughts and observations from inside the bubble, again.
------------------------------
Julie Omohundro, ex-RAC (US, GS), still an MBA
Principal Consultant
Class Three, LLC
Mebane, North Carolina, USA
919-544-3366 (T)
434-964-1614 (C)
julie@class3devices.com
------------------------------