Software Pirates

Congress never gave the FDA power to control medical practice. But the agency seized it anyway--by regulating software and computers.

On July 1, 1997, the Food and Drug Administration arrested a laser. The laser belonged to Trevor Woodhams, an eye surgeon in Atlanta who has been practicing for 15 years and runs the Woodhams Eye Clinic. He uses surgical eye lasers, or excimer lasers, to treat nearsightedness and astigmatism. Woodhams built his laser because the existing, FDA-approved models didn't allow surgeons to perform techniques that are state of the art elsewhere in the world. In contemplating how the FDA might respond, he believed he had two things going for him: First, doctors who build one-of-a-kind devices can be exempt from standard FDA regulation if they meet certain criteria, and Woodhams's lawyer had assured him that the "custom device" exemption applied to him. Second, the FDA has repeatedly said it does not regulate medical practice--device manufacturers, yes; doctors, no.

Which is why Woodhams was a bit surprised in mid-1996, soon after he built his laser, when the FDA told him the custom device exemption didn't apply to him and that, as a regulated device manufacturer, he was violating the law by making and using an unapproved device. To get FDA approval for a device, you need to do studies, and to do studies, you need an investigational device exemption (IDE). Woodhams didn't agree that he was subject to FDA regulation in the first place, but the FDA had more money and more lawyers. "As a private practitioner, I didn't have the resources to fight the FDA on this," he says, "and I figured it was probably better to go along with them."

Woodhams sent in his IDE application in the spring of 1997. The FDA turned him down, as it often does when it's not convinced of a product's safety or efficacy. Many of the FDA's objections stemmed from disagreements over what sort of surgery is acceptable--disagreements bordering on the forbidden territory of medical practice. The FDA also wanted Woodhams to do "profilometry studies," which basically amount to testing the laser on plastic and having the plastic analyzed to make sure the laser and the computer inside it are really doing what they're supposed to be doing. Woodhams didn't think this was necessary--the two companies whose lasers were already approved for the same techniques had never been asked to do profilometry studies--but he sent for the tests anyway.

The FDA told Woodhams not to treat any patients until the IDE was approved and to limit himself thereafter to practices approved in the IDE. He agreed to follow the IDE protocol but said he wouldn't stop treating patients while waiting for IDE approval: It would hurt him financially; he had been doing the procedures for years with full disclosure and without harming patients; and he had patients who were relying on him, some who needed touch-ups, others who'd had one eye operated on and who needed the same work done on their second eye. Woodhams told the FDA he would work with it and submit a revised IDE application.

Then a marshal showed up at his office and put his laser under arrest. "They didn't move it or fiddle with it or chop it up," Woodhams says, "but they put a big sticker on it that said no one could touch it, under order of the U.S. marshal." He called his contact at the FDA. "I thought I was working with you and we were close to a resolution," he recalls saying. "Why was this done?" He asked whether he should send in his revised IDE application as soon as he got the results of the profilometry studies, or submit the incomplete IDE application and send the profilometry results later. The contact wasn't sure whether an IDE was even possible now. After all, Woodhams had no laser.

The enforcement action against Trevor Woodhams was one of the first in a series. The FDA is now actively seeking out doctors and manufacturers who make excimer lasers without the agency's permission. The FDA thinks of this as nothing new; it's been enforcing the Food, Drug, and Cosmetic Act against recalcitrant manufacturers for years. But the excimer laser controversy raises fundamental questions about the FDA's mission. Despite the reformist zeal of the 104th Congress, and despite the resignation of activist Commissioner David Kessler, the FDA's power is expanding, even without new laws or regulations. The key to this expansion is the evolution of technology and the FDA's regulatory control over software products.

Once upon a time, there were drug and device companies, which were subject to FDA regulation, and doctors, who were shielded by the FDA's inability to regulate medical practice. Back then, it was easy to tell which was which. But times change. Today, medical devices are no longer simply physical tools; increasingly, they are technologically savvy gadgets with sophisticated software that can interact with patients, diagnose diseases, and administer treatment. The manufacturer can almost be seen as a second doctor. As technology brings drug and device companies into the realm of medical practice, it brings medical practice closer to the jurisdiction of the FDA. Without any changes in the law, the FDA's purview is growing.

The FDA, which has been regulating food and drugs since the turn of the century and medical devices since 1976, has tried to regulate software since the mid-1980s. If you are asking yourself how software can be a medical device, the FDA has anticipated your question. "Well, you may be asking yourself, how can software be a medical device?" said Dr. Bruce Burlington, head of the FDA's Device Center, during a software policy meeting at the National Institutes of Health in September 1996. According to the law, a medical device is an "instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or related article, including any component, part, or accessory...intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or intended to affect the structure or function of the body."

No one was thinking of software in 1976, when the Food, Drug, and Cosmetic Act was amended to cover medical devices; the FDA came to device regulation not because of bad software but because of defective IUDs. But with a definition that broad, all software used for medical purposes, or used to make a medical device, is presumed to be a device, and subject to regulation, unless the FDA specifically exempts it. This can include the software in pacemakers, systems that track blood donations, expert programs to evaluate X-rays, even databases of medical literature that aid doctors in determining prescriptions. It can also include the software that controls excimer lasers. Call us "the Food, Drug, and Software Administration," Burlington pleasantly suggested. "As we sit there and look at our floppy disks and try to figure out what to make of them, it is a conundrum for us."

So far computers in medicine mainly have been used to control devices, but Dr. Harry Burke, an assistant professor of medicine at New York Medical College, thinks their use will expand dramatically. In the future, he says, medical software will deal with pattern recognition, risk assessment, diagnosis, and medical data management--for instance, programs that read Pap smears to determine which slides need human review and which don't. "This is a gigantic area," Burke explained at the NIH conference. He predicts that if the FDA takes an expansive view of what software can be considered a "medical device," new medical software applications will outnumber new drug applications in 10 years, and will be "an order of magnitude greater" in 20 years. "Regulating all of this domain is obviously impossible," he says.

Impossible or not--and for better or worse--the FDA claims jurisdiction. When Intel announced the mathematical flaws in its Pentium chips, the FDA made all device manufacturers using Pentiums do a safety analysis on their products and take "appropriate mitigating steps" so the chip's problems didn't affect the devices. Blood banks have also been affected. Blood bank management software is used to track units of blood from the time of donation. It keeps a record of testing results, remembers the donation time of each unit to avoid giving someone spoiled blood, keeps track of the blood center's entire inventory, and records whether any adverse effects were observed from a transfusion. Since the late 1980s, blood banks have had to make sure their computer systems comply with "good manufacturing practices" (GMPs), a set of vague FDA recommendations. Vendors of blood bank management software have to get FDA premarket clearance and are subject to inspections if the FDA thinks their software could have contributed to the release of tainted blood.

Preventing the use of unsuitable blood is, of course, all well and good. Leonard Wilson, chief of the FDA's biologic devices branch, points out that HIV-positive blood can kill a recipient within several years, and a mismatch between AB and O blood can kill a patient within 15 minutes. In fact, the FDA became an active blood cop only after being browbeaten by Rep. John Dingell (D-Mich.) several years back about injuries caused by bad blood-bank software.

But the FDA has created some bad blood of its own because of its approach to regulation. The Health Industry Manufacturers Association has called the regulatory process a "very, very long and arduous operation for blood bank systems vendors"; the Red Cross and the American Association of Blood Banks agree. Blood management software manufacturers find they can't submit the new version of their software to the FDA, because the agency, never one for haste, hasn't approved the old version yet. Knowing the hoops they'll have to jump through, software manufacturers are less inclined to enhance their products in the first place. One blood expert, noting "the dearth of modern freestanding software in blood banking," has forecast "doom for quality software" unless regulations are relaxed. That may be a bit hyperbolic, but this is blood we're talking about. Blood banks use software to reduce human error by automating or verifying manual processes. Better software improves the blood supply; slowing the process down could cost lives.

The FDA disputes the industry's complaints. "While we do have some software that has taken a long time to clear, we did clear one package in 22 days," Wilson recalls. "We felt very good about that. That doesn't get in the way of any innovation at all." Still, even low-risk device approvals often take a long time, in many cases exceeding the maximum set by the law. At any rate, since blood bank regulation has never been subjected to a cost-benefit analysis, there is no way of knowing whether, on balance, hazards associated with blood have been reduced; if so, by how much; and at what price.

The effects of software regulation are as pervasive as the use of medical software itself. Dr. Martin Weinhous, chief medical physicist in the radiation oncology department at the Cleveland Clinic in Ohio, once used a software program developed by another medical physicist to set up patients for breast cancer X-ray therapy. In X-ray therapy for breast cancer, the affected tissue can be irradiated from three different directions, and to avoid overdosing or underdosing the patient, the doctor has to be sure that there are no gaps or overlaps of the X-ray beams. Once the doctor knows which treatment machine is to be used, and what the patient's measurements are, he can figure out where the patient should be positioned and how the beams should be directed. But this calculation, when performed manually on a calculator, is tedious, error-prone, and time-consuming, taking up to half an hour. The software shortens the calculation to one or two minutes. The program got FDA clearance, Weinhous wrote in a paper delivered at the NIH conference, but as it evolved, "the FDA began to require more of its creator. Eventually, the FDA required that [the developer] test his software tool against every possible PC and Macintosh configuration, even though the inherent risk is small. Faced with unrealistic GMP requirements, he ceased manufacturing of the device. So we in radiation oncology have no choice but to continue to use a less sophisticated and more error-prone method."

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.


Get Reason's print or digital edition before it’s posted online

  • Progressive Puritans: From e-cigs to sex classifieds, the once transgressive left wants to criminalize fun.
  • Port Authoritarians: Chris Christie’s Bridgegate scandal
  • The Menace of Secret Government: Obama’s proposed intelligence reforms don’t safeguard civil liberties