What do you think will be the impact of this finding [BlueBorne Android malware] on the OmniPod Dash system? They are using the Android platform.
They have done clinical trials already, but if they were doing their clinical trials on an un-patched version of Android, do they have to restart with clinical trials? Anyone have a guess on the FDA requirements?
I would think any change to the OS would require a restart, but I do not know.
I am saying that, by analogy to the Dexcom FDA approval, the FDA does not care about the build number, so, if the Dash qualifies/ ships with a patched build number, the FDA won’t care. Ergo no impact to Dash.
The FDA needs to approve the whole thing, including the hardware and the OS version the system uses.
If they have done their clinical trials on Android version 7.1, and then it is found vulnerable, but they did not get their FDA approval yet, of course when it gets to FDA approval they care what version of Android it is on. They can’t release it on a vulnerable version.
I don’t think they can’t just put their system on a completely different OS version and skip trials. I would think they need to go back through their clinical trials.
They can’t just put it on a completely different OS version and think the FDA won’t care.
For instance, if they did clinical trials on Android, they could not put their system on Apple and think the FDA would simply approve it. It is an entirely different system.
A different version of Android is just…different. I don’t see how they would overlook that.
Per the Dexcom listing, the FDA does not care about the build number within the same version number. A new patch does not increment the version number, it only increments the build number (called versionCode in Android): it is the way the release system works with Android.
I just read an article about FDA and security and patching. The gist as I recall was the FDA does not require re-approval for patching. (Which for a change is entirely reasonable and practical.)
I can probably find the article again and link it in. It was interesting.
Edit: Document found as described below:
Postmarket Management of Cybersecurity in Medical Devices
December 28, 2016
Note that this is non-binding. I can only assume in FDA terms that means:
“Follow this or suffer the consequences.”
“21 CFR part 806 requires device manufacturers or importers to report promptly to FDA certain actions concerning device corrections and removals. However, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as “cybersecurity routine updates and patches,” are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under 21 CFR part 806. For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the Agency.”
I just found another little “FDA Fact Sheet” that appears to give nice summaries around some of these issues. Would have been nice to stamp a date on this somewhere.
All true, so you are right that we can’t be sure. But I would say it is quite unlikely that FDA issues will impact Dash about this patch. I do think that they Insulet (Omnipod maker) want to patch quickly: that may delay them some.