QARA Professionals Question a Future with Cybersecurity Issues, US Litigation, and the EU AI Act

Denise Meade, Healthcare and Life Sciences Technology Leader, Microsoft begins the conversation by highlighting the explosion of GenAI adoption over the last three years. Also pictured are Rajesh Misra, Principal, Life Sciences Quality and Regulatory, KPMG and Don Soong, Sr. Director/GM, QARA and Spend Transparency Solutions, IQVIA Technologies


Lori Ellis for BioSpace

At a private event held amid the fallout from the CrowdStrike incident, cybersecurity issues took a front seat, with the consequences of the evolving EU AI Act and the Loper Bright and Corner Post decisions also raising concerns for quality assurance and regulatory affairs professionals.

On July 23, 2024, regulatory compliance professionals from large and small medical device manufacturers, drug sponsors, law firms and Big Tech gathered in Boston to discuss AI’s influence on quality assurance and regulatory affairs (QARA) at a private event hosted by IQVIA Technologies. The day’s discussion began by addressing the need to create an integrated QARA ecosystem as part of the product development process.

The discussion regarding AI’s effects on QARA was timely. As Denise Meade, healthcare and life sciences technology leader at Microsoft, noted, “When we focus on generative AI alone and the leap forward that’s occurred over the last three years, the industry has invested right as an industry—whether that’s Microsoft or OpenAI—in massive compute power applied to public amounts of information . . . to make large language models accessible.” Carlos Lugo, global vice president of product safety and surveillance at Philips, noted that there is still a gap between the industry’s and society’s use of AI, highlighting that there are a million uses for AI within healthcare today but there is often some hesitancy towards adoption.

Carlos Lugo, Global Vice President of Product Safety and Surveillance, Philips highlights the difference between countries' AI adoption rates.
Also pictured: Lori Ellis, Head of Insights for BioSpace and moderator for the event.

Lori Ellis for BioSpace

From a global perspective, Lugo stated, “While I want to say that we are advanced in our adoption of AI in healthcare, I don’t think we are. We are behind compared to other industries and the rest of the world.” However, as noted by an audience member, the growing vulnerability and cybersecurity issues digital products face are the elephants in the room, especially since the global consequences of the CrowdStrike incident—in which a faulty update caused issues for many companies using Windows—were still being dealt with. Given this and other recent developments, there are significant questions around where the industry is going and what QARA’s role is as the industry evolves.

The Cybersecurity Elephant

CrowdStrike’s faulty update was deployed on July 19, and one high-profile consequence was that airlines were still delaying and canceling flights as of July 23, the day of the event. Mike King, senior director, product & strategy at IQVIA Technologies, highlighted the dangers of the incident to the life sciences and health care industries. “The software was deemed low risk but none of us could get into our machines on Friday,” he explained.

Mike King, Sr. Director, Product and Strategy, IQVIA Technologies discusses cybersecurity challenges.


Lori Ellis for BioSpace

The second danger King noted is far more nefarious. “At least we knew it happened,” he said of the CrowdStrike incident, in contrast to a potential cybersecurity attack. “If you’ve got imaging software and you are using AI as part of imaging software designed to help you find stages of cancer that has been compromised without your knowledge, there is the potential that people will pass away from undiagnosed or misdiagnosed cancers.” He and the other panelists agreed that QARA professionals, as well as other stakeholders, need to be involved in both risk assessment and risk mitigation plans.

Alex Dennon, partner at Bristows Law Firm, noted that companies cannot ignore cybersecurity. “You cannot pretend it’s not an issue. You cannot pretend you’re not a target.” Christopher Hart, partner in the privacy and data security group at Foley Hoag LLP, suggested that “QARA professionals get familiar with the terminology, the steps that can be taken, understand what standards apply, try and find an ISO standard, and try and marry that up with your insurance.” Organizations must ensure that all stakeholders are aligned, Hart suggested, as they address questions such as: If we get a ransomware attack, are we going to pay them? Do we have a process for doing that, and would we get sanctioned if we pay the ransom?

Scott Kaplan, deputy general counsel at Baxter International Inc., stated that involving QARA early assists with combating cybersecurity issues. “Your research and development department may not be thinking of security concerns or how we protect code against malicious activities,” he said, and furthermore, addressing security issues early on demonstrates that integrated QARA systems do not slow down the development process. Instead, QARA professionals are able to address concerns before they can be raised during regulatory review, which can derail the process.

Scott Kaplan, Deputy General Counsel, Baxter International Inc. offers a legal perspective on the FDA approval process for medical devices. 
Also pictured: Krystin Meidell, Director, Global Regulatory Strategy, AbbVie and Sujat Sukthankar, Founder and CEO, RPD Advisors.


Lori Ellis for BioSpace

Yet navigating cybersecurity regulations may be easier said than done. “Unlike data privacy laws and rights, which have seen a convergence as they have increased, cybersecurity is instead experiencing a multiplicity of regulations, not necessarily going in the same direction,” Hart explained. This is creating a regulatory cybersecurity minefield, he said, which perpetuates inconsistency and confusion.

Loper Bright and Corner Post Complications

Adding to regulatory complications for QARA professionals are two recent Supreme Court decisions: the Loper Bright ruling that overturned Chevron on June 28, 2024, and the Corner Post ruling announced on July 1, 2024.

Until the Loper Bright ruling, courts upheld Chevron deference, which made it difficult to overturn agency regulations if they were challenged judicially. Courts would defer to agency interpretations of ambiguous statutory language. The Loper Bright ruling declared that legal deference is unconstitutional and puts the interpretation of statutes into the hands of the courts.

As for the Corner Post ruling, it essentially removes the statute of limitations during which a company can challenge an agency regulation, which previously had been six years after the regulation was created. Corner Post changes the statute of limitations to six years after a company is injured by a regulation.

Hart explained that these two rulings have created a situation where “what has been settled law about agency rules is not now because regulations that depend on interpretations of statutes are up in the air without statute limitations.”

Concerning the regulatory change, Irina Erenburg, CEO of AVAVA, Inc., simply stated, “It’s a mess. The FDA, which is already challenging, is in play so the more breakthrough a technology it is, the riskier it becomes.” Erenburg further explained that this change complicates development by adding a level of uncertainty as the FDA regulations could, in theory, change at any given time. “If you can challenge FDA regulations and the interpretation of safety for medtech, medical malpractice insurance as a manufacturer, to me is in the air.” Combined with cybersecurity insurance, it is worth noting that smaller companies will have to be creative in finding ways to be competitive while being able to afford both insurances. Those also seeking investors will have to be able to demonstrate they are able to minimize the risks the new rulings have placed upon the industry.

Alex Dennon, Partner at Bristows Law Firm and Irina Erenburg, CEO of AVAVA focus on the challenges QARA and c-suite executives are facing as the EU AI Act evolves.

Lori Ellis for BioSpace

Evolving with the EU AI Act

The EU AI Act came into force on August 1, 2024, with a majority of rules taking effect in August 2026. The Act establishes a framework for member countries to use when creating their own regulations regarding the use of AI. While the US is developing its own guidances for AI, the two largest markets for medical device and drug developers, the U.S. and EU, have furthered their agreement to collaborate on the safe use of AI, expanding on their previous collaborative AI efforts for the global good. Consequently, as the collaboration continues, the EU AI Act will play a major role in the evolution of the regulations for both markets.

However, there is skepticism around the EU AI Act. Following the announcement of the EU AI Act, the medtech industry has shown reluctance to develop in Europe. While the EU AI Act is ambitious in its design to reduce risks to humans and create responsible use of AI, many experts fear that the same issues of the 2017 adoption of the Medical Devices Regulation and the In Vitro Diagnostics Medical Devices Regulation are going to be repeated. Critics note similar missteps between the two: optimistic and unrealistic implementation timeframes, ambiguous guidances with vague language open to interpretation and loopholes, competence shortages among notified bodies, and the lack of guidance from a competent national authority in many cases, among other pitfalls.

Consequently, medtech companies are actively seeking to develop AI products elsewhere. Dennon cautions that it will hinder both innovation and healthcare. Dennon highlighted, “There is a lack of infrastructure so while it is well-intentioned, it is ill conceived until the proper infrastructure has been built.”

Largely because of the value the United States puts on innovation and regulating technology, experts agree that its AI regulation will be entirely similar to the EU AI Act. However, as with other countries, United States regulators will most likely be following the EU AI Act and evaluating what is working versus what is not. Because medtech companies are reliant on both of these markets as part of their global success, QARA professionals must be mindful of the changing regulations.

Sarah Fairfield, associate director, regulatory affairs at AbbVie, has a positive outlook for the future. “With the EU and FDA releasing their own guidances, I want to acknowledge that the International Medical Device Regulators Forum (IMDRF) released a guidance in July discussing guiding principles around AI.” It is her hope that organizations on an international level will align to make adhering to AI regulations easier and more efficient for both medtech and drug developers.

Christopher Hart, Partner, Privacy and Data Security Group, Foley Hoag LLP and Sarah Fairfield, Associate Director, Regulatory Affairs, AbbVie discuss the global regulatory challenges facing medical device manufacturers.

Lori Ellis for BioSpace

As the global community grapples with adopting AI, the regulatory complexities involved make the process a multi-stakeholder issue for each organization, one that requires the expertise of decision makers at different levels. But beyond that, the regulatory environments are changing globally, requiring collaborative efforts. The collaboration of QARA with their internal stakeholders as well as regulatory officials is one of the key pathways to evolve with different global markets’ AI regulations as they develop.

Hosted by BioSpace, this event was a collaborative effort between IQVIA Technologies, KPMG, and Microsoft. Recognizing the value of insights from key stakeholders and leaders in the life sciences space, IQVIA Technologies will be releasing videos and summaries of the panel discussions. Please contact Lori Ellis, the head of insights and the moderator of the event, with any additional questions or requests for information.

The BioSpace Insights team performs research and analysis on industry trends for BioSpace and clients, producing industry reports, podcasts, events and articles.