MCN Healthcare: Policy Management and Compliance Tools

The U.S. Food and Drug Administration (FDA) is informing health care professionals of a Class I Recall of Endologix, Inc.'s AFX Introducer System Model S17-45 due to reports of the dilator breaking during procedures.

The AFX Introducer System is intended to help introduce catheters and other medical devices into blood vessels during procedures with minimal blood loss. This recalled product was distributed and manufactured from April 1, 2013 through April 30, 2013 and distributed in the U.S. only in Florida, Indiana, Michigan, New Hampshire, New Jersey and New York. Affected lot numbers include 1079840, 1079843, 1079844, 1079845.

On May 13, 2013, Endologix sent its customers an Urgent Medical Device Recall Notice letter stating "Do not use or further distribute any affected product." The firm also instructed their customers to share this information with physicians who perform these procedures at their facilities. On May 21 the firm expanded the recall by mailing a recall notification letter to an additional customer. Customers may contact the firm with questions at 1-800-983-2284.

Read the complete MedWatch Safety Alert, including a link to the Recall Notice, at the link provided below.

The U.S. Food and Drug Administration (FDA) is investigating two unexplained deaths in patients who received an intramuscular injection of the antipsychotic drug Zyprexa Relprevv (olanzapine pamoate). The patients died 3-4 days after receiving an appropriate dose of the drug, well after the 3-hour post-injection monitoring period required under the Zyprexa Relprevv Risk Evaluation and Mitigation Strategy (REMS). Both patients were found to have very high olanzapine blood levels after death.

Under the REMS, patients are required to receive the Zyprexa Relprevv injection at a REMS-certified health care facility, to be continuously monitored at the facility for at least 3 hours following an injection, and to be accompanied home from the facility. The Zyprexa Relprevv label contains warnings about the risk of post-injection delirium sedation syndrome (PDSS), a serious condition in which the drug enters the blood too fast following an intramuscular injection, causing greatly elevated blood levels with marked sedation (possibly including coma) and/or delirium

The FDA is providing this information to health care professionals while it continues its investigation. If therapy with Zyprexa Relprevv is started or continued in patients, health care professionals should follow the REMS requirements and drug label recommendations. Patients and caregivers should talk to their health care professional(s) about any questions or concerns.

Healthcare professionals and patients are encouraged to report adverse events or side effects related to the use of these products to the FDA's MedWatch Safety Information and Adverse Event Reporting Program.

Read the complete MedWatch Safety Alert, including a link to the Safety Communication, at the link provided below.

The U.S. Food and Drug Administration (FDA) is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

According to the FDA, many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.

Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:

• Network-connected/configured medical devices infected or disabled by malware;

• The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;

• Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);

• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);

• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.

The FDA is not aware of any patient injuries or deaths associated with these incidents nor do they have any indication that any specific devices or systems in clinical use have been purposely targeted at this time.  The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified.

The FDA Safety Communication has recommendations for device manufacturers as well as health care facilities. 

The FDA is recommending that health care facilities take steps to evaluate network security and protect your hospital system. In evaluating network security, hospitals and health care facilities should consider:

• Restricting unauthorized access to the network and networked medical devices

• Making certain appropriate antivirus software and firewalls are up-to-date

• Monitoring network activity for unauthorized use

• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services

• Contacting the specific device manufacturer if there us suspicion of a cybersecurity problem related to a medical device. If unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution

• Developing and evaluating strategies to maintain critical functionality during adverse conditions.

Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. If a confirmed or suspected cybersecurity event has impacted the performance of a medical device or has impacted a hospital network system, the FDA encourages reporting through MedWatch, the FDA Safety Information and Adverse Event Reporting program.

Included with today's notice are policies and procedures related to the FDA Guidance on preventing cybersecurity attacks.  Organizations will find that many of the recommendations included in this FDA guidance are already required by existing HIPAA regulations.