FDA Issues Medical Device ID Final Rule
Tracking Adverse Events, Including Cybersecurity IssuesThe Food and Drug Administration has released a final rule for a medical device identification system that aims to make it easier and more efficient to track adverse events, including problems caused by cybersecurity issues, such as malware.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
The new unique device identification, or UDI, system has two core elements. The first component is a unique number assigned by the device manufacturer to the version or model of a device, says Jeff Shuren, director of the FDA Center for Devices and Radiological Health. The identifier will also feature production-specific information, such as the product's lot or batch number, expiration date and manufacturing date.
The second component of the system is a publicly searchable database administered by the FDA, called the Global Unique Device Identification Database, or GUDID. It will serve as a reference catalog for every device with an identifier, Shuren explains.
No identifying patient information will be stored in the GUDID. However, healthcare providers will be able to document the UDI of each device in a patient's electronic health record or other clinical information systems, enabling individuals with devices to be more easily identified when a manufacturer issues a recall or safety notice for a product, Shuren says.
The ID will also make it easier for manufacturers and the FDA to identify problems with medical devices through adverse event reports. "This will make it easier to link a device with a patient's experience with a device," Shuren says.
The Devices Involved
Medical devices that will be required to have a UDI include those that are web-enabled or connected to a healthcare provider's network.
"If the medical device is a piece of ... software and hardware connected to a network, it will be required to have an UDI," says Jay Crowley, senior adviser for patient safety at the FDA's Center for Devices and Radiological Health.
"We do expect that medical device makers or others who report [adverse events] will [submit] reports ... with a UDI on them [for the medical device involved], and that would help us understand aggregate, and analyze those reports whether they were more traditional problems or related to cybersecurity," Crowley says.
The FDA is also beginning to test adverse event reports automatically created from electronic health records that include the UDI, Shuren says. "That would make it easier for practitioners to report problems to us," he says.
Dale Nordenberg, M.D., founder of the Medical Device Innovation, Safety and Security Consortium, believes a unique ID for medical devices could help address problems related to malware and other security issues. "An ID system will support surveillance for all types of adverse events because it enables accurate identification and surveillance of a specific device," he said in an earlier interview.
Compared with the FDA's proposed rule issued in September 2012, the final rule makes several changes based on some of the feedback in the 270 comments received. Among the changes is the elimination of a proposal that would have required directly imprinting the UDI on implantable devices. Instead, the UDI will be required only on the packaging of the implantable devices because many of those devices are so small.
The FDA plans to phase in the UDI system starting one year from now. The initial focus will be on high-risk medical devices. Many low-risk and one-time-use devices will be exempt from some or all of the requirements in the final rule.