Software Pirates

Congress never gave the FDA power to control medical practice. But the agency seized it anyway--by regulating software and computers.


On July 1, 1997, the Food and Drug Administration arrested a laser. The laser belonged to Trevor Woodhams, an eye surgeon in Atlanta who has been practicing for 15 years and runs the Woodhams Eye Clinic. He uses surgical eye lasers, or excimer lasers, to treat nearsightedness and astigmatism. Woodhams built his laser because the existing, FDA-approved models didn't allow surgeons to perform techniques that are state of the art elsewhere in the world. In contemplating how the FDA might respond, he believed he had two things going for him: First, doctors who build one-of-a-kind devices can be exempt from standard FDA regulation if they meet certain criteria, and Woodhams's lawyer had assured him that the "custom device" exemption applied to him. Second, the FDA has repeatedly said it does not regulate medical practice–device manufacturers, yes; doctors, no.

Which is why Woodhams was a bit surprised in mid-1996, soon after he built his laser, when the FDA told him the custom device exemption didn't apply to him and that, as a regulated device manufacturer, he was violating the law by making and using an unapproved device. To get FDA approval for a device, you need to do studies, and to do studies, you need an investigational device exemption (IDE). Woodhams didn't agree that he was subject to FDA regulation in the first place, but the FDA had more money and more lawyers. "As a private practitioner, I didn't have the resources to fight the FDA on this," he says, "and I figured it was probably better to go along with them."

Woodhams sent in his IDE application in the spring of 1997. The FDA turned him down, as it often does when it's not convinced of a product's safety or efficacy. Many of the FDA's objections stemmed from disagreements over what sort of surgery is acceptable–disagreements bordering on the forbidden territory of medical practice. The FDA also wanted Woodhams to do "profilometry studies," which basically amount to testing the laser on plastic and having the plastic analyzed to make sure the laser and the computer inside it are really doing what they're supposed to be doing. Woodhams didn't think this was necessary–the two companies whose lasers were already approved for the same techniques had never been asked to do profilometry studies–but he sent for the tests anyway.

The FDA told Woodhams not to treat any patients until the IDE was approved and to limit himself thereafter to practices approved in the IDE. He agreed to follow the IDE protocol but said he wouldn't stop treating patients while waiting for IDE approval: It would hurt him financially; he had been doing the procedures for years with full disclosure and without harming patients; and he had patients who were relying on him, some who needed touch-ups, others who'd had one eye operated on and who needed the same work done on their second eye. Woodhams told the FDA he would work with it and submit a revised IDE application.

Then a marshal showed up at his office and put his laser under arrest. "They didn't move it or fiddle with it or chop it up," Woodhams says, "but they put a big sticker on it that said no one could touch it, under order of the U.S. marshal." He called his contact at the FDA. "I thought I was working with you and we were close to a resolution," he recalls saying. "Why was this done?" He asked whether he should send in his revised IDE application as soon as he got the results of the profilometry studies, or submit the incomplete IDE application and send the profilometry results later. The contact wasn't sure whether an IDE was even possible now. After all, Woodhams had no laser.

The enforcement action against Trevor Woodhams was one of the first in a series. The FDA is now actively seeking out doctors and manufacturers who make excimer lasers without the agency's permission. The FDA thinks of this as nothing new; it's been enforcing the Food, Drug, and Cosmetic Act against recalcitrant manufacturers for years. But the excimer laser controversy raises fundamental questions about the FDA's mission. Despite the reformist zeal of the 104th Congress, and despite the resignation of activist Commissioner David Kessler, the FDA's power is expanding, even without new laws or regulations. The key to this expansion is the evolution of technology and the FDA's regulatory control over software products.

Once upon a time, there were drug and device companies, which were subject to FDA regulation, and doctors, who were shielded by the FDA's inability to regulate medical practice. Back then, it was easy to tell which was which. But times change. Today, medical devices are no longer simply physical tools; increasingly, they are technologically savvy gadgets with sophisticated software that can interact with patients, diagnose diseases, and administer treatment. The manufacturer can almost be seen as a second doctor. As technology brings drug and device companies into the realm of medical practice, it brings medical practice closer to the jurisdiction of the FDA. Without any changes in the law, the FDA's purview is growing.

The FDA, which has been regulating food and drugs since the turn of the century and medical devices since 1976, has tried to regulate software since the mid-1980s. If you are asking yourself how software can be a medical device, the FDA has anticipated your question. "Well, you may be asking yourself, how can software be a medical device?" said Dr. Bruce Burlington, head of the FDA's Device Center, during a software policy meeting at the National Institutes of Health in September 1996. According to the law, a medical device is an "instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or related article, including any component, part, or accessory…intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or intended to affect the structure or function of the body."

No one was thinking of software in 1976, when the Food, Drug, and Cosmetic Act was amended to cover medical devices; the FDA came to device regulation not because of bad software but because of defective IUDs. But with a definition that broad, all software used for medical purposes, or used to make a medical device, is presumed to be a device, and subject to regulation, unless the FDA specifically exempts it. This can include the software in pacemakers, systems that track blood donations, expert programs to evaluate X-rays, even databases of medical literature that aid doctors in determining prescriptions. It can also include the software that controls excimer lasers. Call us "the Food, Drug, and Software Administration," Burlington pleasantly suggested. "As we sit there and look at our floppy disks and try to figure out what to make of them, it is a conundrum for us."

So far computers in medicine mainly have been used to control devices, but Dr. Harry Burke, an assistant professor of medicine at New York Medical College, thinks their use will expand dramatically. In the future, he says, medical software will deal with pattern recognition, risk assessment, diagnosis, and medical data management–for instance, programs that read Pap smears to determine which slides need human review and which don't. "This is a gigantic area," Burke explained at the NIH conference. He predicts that if the FDA takes an expansive view of what software can be considered a "medical device," new medical software applications will outnumber new drug applications in 10 years, and will be "an order of magnitude greater" in 20 years. "Regulating all of this domain is obviously impossible," he says.

Impossible or not–and for better or worse–the FDA claims jurisdiction. When Intel announced the mathematical flaws in its Pentium chips, the FDA made all device manufacturers using Pentiums do a safety analysis on their products and take "appropriate mitigating steps" so the chip's problems didn't affect the devices. Blood banks have also been affected. Blood bank management software is used to track units of blood from the time of donation. It keeps a record of testing results, remembers the donation time of each unit to avoid giving someone spoiled blood, keeps track of the blood center's entire inventory, and records whether any adverse effects were observed from a transfusion. Since the late 1980s, blood banks have had to make sure their computer systems comply with "good manufacturing practices" (GMPs), a set of vague FDA recommendations. Vendors of blood bank management software have to get FDA premarket clearance and are subject to inspections if the FDA thinks their software could have contributed to the release of tainted blood.

Preventing the use of unsuitable blood is, of course, all well and good. Leonard Wilson, chief of the FDA's biologic devices branch, points out that HIV-positive blood can kill a recipient within several years, and a mismatch between AB and O blood can kill a patient within 15 minutes. In fact, the FDA became an active blood cop only after being browbeaten by Rep. John Dingell (D-Mich.) several years back about injuries caused by bad blood-bank software.

But the FDA has created some bad blood of its own because of its approach to regulation. The Health Industry Manufacturers Association has called the regulatory process a "very, very long and arduous operation for blood bank systems vendors"; the Red Cross and the American Association of Blood Banks agree. Blood management software manufacturers find they can't submit the new version of their software to the FDA, because the agency, never one for haste, hasn't approved the old version yet. Knowing the hoops they'll have to jump through, software manufacturers are less inclined to enhance their products in the first place. One blood expert, noting "the dearth of modern freestanding software in blood banking," has forecast "doom for quality software" unless regulations are relaxed. That may be a bit hyperbolic, but this is blood we're talking about. Blood banks use software to reduce human error by automating or verifying manual processes. Better software improves the blood supply; slowing the process down could cost lives.

The FDA disputes the industry's complaints. "While we do have some software that has taken a long time to clear, we did clear one package in 22 days," Wilson recalls. "We felt very good about that. That doesn't get in the way of any innovation at all." Still, even low-risk device approvals often take a long time, in many cases exceeding the maximum set by the law. At any rate, since blood bank regulation has never been subjected to a cost-benefit analysis, there is no way of knowing whether, on balance, hazards associated with blood have been reduced; if so, by how much; and at what price.

The effects of software regulation are as pervasive as the use of medical software itself. Dr. Martin Weinhous, chief medical physicist in the radiation oncology department at the Cleveland Clinic in Ohio, once used a software program developed by another medical physicist to set up patients for breast cancer X-ray therapy. In X-ray therapy for breast cancer, the affected tissue can be irradiated from three different directions, and to avoid overdosing or underdosing the patient, the doctor has to be sure that there are no gaps or overlaps of the X-ray beams. Once the doctor knows which treatment machine is to be used, and what the patient's measurements are, he can figure out where the patient should be positioned and how the beams should be directed. But this calculation, when performed manually on a calculator, is tedious, error-prone, and time-consuming, taking up to half an hour. The software shortens the calculation to one or two minutes. The program got FDA clearance, Weinhous wrote in a paper delivered at the NIH conference, but as it evolved, "the FDA began to require more of its creator. Eventually, the FDA required that [the developer] test his software tool against every possible PC and Macintosh configuration, even though the inherent risk is small. Faced with unrealistic GMP requirements, he ceased manufacturing of the device. So we in radiation oncology have no choice but to continue to use a less sophisticated and more error-prone method."

Software developers also feel the costs of FDA regulation. Frank Houston, a software validation consultant with Taratec Development Corp. in Bridgewater, New Jersey, tells the story of a company "who shall remain nameless" that sells software to keep copies of medical images for insurance purposes. Insurance adjusters use the pictures when deciding whether a claim was justified, but because an X-ray scanned into the computer isn't as good as the original X-ray, doctors are advised not to use the computer images to diagnose disease. In fact, the software constantly displays on the screen, "Not approved for diagnostic use." After about two hours of telephone calls to various parts of the FDA, Houston and the company decided the program might qualify to escape regulation. But the gray areas of device regulation are large enough that they decided they'd better file for FDA clearance anyway. The manufacturer spent weeks preparing the documentation, and the FDA has been sitting on it for a year. All this "for a product," says Houston, "that, in the end, lacks any significant risk to health. Something's wrong with this picture."

All this should have been expected. Software, unlike most physical devices, evolves rapidly and is sometimes changed daily, according to the user's needs. The FDA, on the other hand, takes its time. It began talking about software regulation in 1985. The first written draft policy came out in 1987 and was revised in 1989. Once the guidelines were finally out, the floodgates did not open; the approval process is inherently unsympathetic to quick innovation. The most routine form of FDA approval for low-risk devices is called the "510(k)" or "premarket notification," and it is reserved for products that are "substantially equivalent" to those already on the market. Imagine telling a software developer that to be easily introduced into the U.S. marketplace, its product had better be the same as or based on an existing program. "It's patently obvious that any agency that requires congressional approval is not going to move faster than market-driven technologies," says Avrohom Gluck of Neuromedical Systems, a Pap smear screening device company in Suffern, New York. "The agency has been, and still is, severely handicapped in that they need to regulate in the face of many in both government and industry who understand neither the technology nor the quality systems needed to ensure public safety."

It doesn't help that software is not like drugs or even like most traditional devices. Drugs are approved for "safety and efficacy" in treating particular diseases. But this is less true for devices, and much less true for software, which is often used for many different tasks. Nancy George, of Software Quality Management, a Towson, Maryland-based consulting firm that assists companies with regulatory compliance, describes a device that lets patients do their own testing at home, collects and transmits data 24 hours a day, makes video home visits, generates hospital-like charts, and even teaches the patient. "It does everything but serve coffee," George explained to the FDA. "Is it record keeping? Is it training? Is it telemedicine? Is it critical?" Concludes Harry Burke, the New York Medical College professor, "Really, what we've got is a can of worms. I mean, it could get really dicey here if we're not careful."

Because software evolves rapidly and has 1,001 different uses, it is particularly easy to stifle through regulations that are just a bit too inflexible. And because software changes constantly, it is never perfect, though it is often vastly superior to the manual, paper-based processes it is meant to replace. Imperfection has never sat well with the FDA, which gets a great deal of bad publicity if something it approves hurts someone but none at all if someone dies because of regulatory delay. Accordingly, the FDA dreams, in the words of T.S. Eliot, "of systems so perfect that no one will need to be good."

After 12 years of software regulation, the FDA admits that its efforts have "not been completely successful." FDA officials have toyed with regulating software differently according to whether it's in source code or executable code. As anyone who knows anything about software could have told them, source code can be easily converted into executable code, so that distinction makes no sense. The FDA has also tried to regulate software differently depending on whether it's distributed for free or for profit. Such a distinction has nothing to do with risk, which is the only conceivable justification for the FDA's existence. The FDA is now trying to reinvent its software regulations. The rules are in flux or, as one NIH conference participant put it, "loosey-goosey."

While software regulation may be loosey-goosey, there are certain constants in the FDA's approach. One of them is the agency's ongoing crusade against "off-label uses" of drugs and devices. Drugs and devices are approved and labeled for particular uses. The FDA doesn't just approve, say, AZT or excimer lasers. It approves AZT for the purpose of treating patients with HIV, or excimer lasers for the purpose of performing certain procedures to correct nearsightedness. Drug companies can advertise and label approved drugs only for approved uses. But once a drug is approved, a doctor can prescribe it for any use, on- or off-label. The FDA hates that. What's the use of demanding clinical trials proving a drug's efficacy in treating a particular condition if a patient can then go and take the drug for a different condition?

The FDA has a long history of fighting off-label use of medicines. When Congress passed the 1938 Food, Drug, and Cosmetic Act, it made it clear that once a drug was approved, consumers could buy it over the counter, with or without a prescription. Disregarding Congress's intent, the FDA carved out a category of drugs that are available only by prescription, and it tried to limit doctors' ability to prescribe drugs for uses not approved by the agency. In 1951 Congress upheld the prescription-only rules but reaffirmed that the FDA couldn't control what doctors prescribe. Even in 1962, when the FDA was given sweeping new powers over drugs, Congress stressed that the agency could control consumers and manufacturers but not doctors.

Congress attacked the FDA anyway in 1971 for not doing more to protect consumers from off-label uses of prescription drugs. In 1972, the FDA proposed criminalizing off-label prescriptions. The FDA's creative theory was that prescribing a drug for unapproved uses adds to the drug's "label"–a metaphysical construct that goes beyond the paper wrapped around the bottle–and since the new "label" has no instructions for the new use, the drug is then "misbranded." And naturally, there's no way to fix the (real) label to reflect the new use, since only FDA-approved information can go there. Doctors protested, arguing that off-label prescription is fundamental to sound medical practice. The FDA backed down. To this day, once a drug is approved, it is up to the doctor and patient to use it properly.

Excimer lasers are now caught in the off-label controversy. They have been approved for phototherapeutic keratectomy (PTK), which is used to treat diseased, scarred corneas. They have also been approved for photorefractive keratectomy (PRK), but only to treat certain degrees of nearsightedness and some forms of astigmatism. In other countries, the best refractive surgeons use PRK to treat farsightedness and a wider variety of astigmatisms. These surgeons also use excimer lasers to perform a procedure called LASIK (laser-assisted in situ keratomileusis), which is essentially the same as PRK but performed inside the cornea instead of on the surface. Many surgeons prefer LASIK to surface PRK because it can lead to less regression and scarring. The FDA only recently (in July 1997) gave its final, conditional approval to LASIK.

If excimer lasers were drugs, doctors would not care that these other uses were not approved. They would simply buy the drug and use it for whatever purpose they thought best. But excimer lasers are not drugs. They are devices that include software, and the software itself is considered a device. John Calfee, an economist at the American Enterprise Institute, explains the implications: "Imagine that the oncologist using a combination drug therapy uses a computer-controlled device to administer the drugs. Suppose the computer software determines all dosages, and does so according to settings provided by the physician. Now suppose that when the FDA approves the drug-administration device for marketing, it also approves the software in every detail. If the FDA forbids physicians or others from reprogramming the device, it could effectively tell doctors how to administer the drug and could even exercise considerable control over which kinds of patients receive the drug and even which illnesses are treated."

Consider how this sort of thing happens with excimer lasers. Only two companies are approved to sell excimer lasers in the United States: Summit Technology of Waltham, Massachusetts, and VISX of Santa Clara, California. When the FDA approved Summit's and VISX's excimer lasers, it mandated that the machines be activated by a keycard, available from the companies, that allows only approved software to be loaded. These keycards, which cannot be used more than once, cost $250 per operation and are available only from the laser manufacturers. The $250 royalty goes to a company called Pillar Point Partners, which is owned by Summit and VISX. In effect, the FDA has not only established a duopoly, in which Summit and VISX are the only companies allowed to manufacture excimer lasers, but has also enshrined a royalty payment system as part of the approved laser design. Some suspect the FDA is in the pockets of the laser manufacturers, but the FDA's explanation is also plausible: This is a convenient way to restrict the software that can be used with the lasers. As long as correction of nearsightedness and some forms of astigmatism are the only approved uses for the laser, the keycards will allow you to load software only for those procedures.

The FDA claims this is not regulation of medical practice. Using an approved device for an unapproved use is medical practice, but using an unapproved device is just illegal, and always has been under the FDA's device approval authority. The laser-plus-nearsightedness-software is an approved device; the laser-plus-farsightedness-software is an unapproved device. FDA software restrictions, therefore, are entirely appropriate. Says FDA spokeswoman Sharon Snider, "If a product can't be used any other way because that's all the software is programmed for, that's all [the doctors] can use it for. That has nothing to do with FDA restricting the practice of medicine."

Nothing to do with restricting the practice of medicine? Only if you're fixated on technical definitions. Regulating the choices of medical practitioners means restricting the practice of medicine, whether it's called "off-label use" or "using an approved laser with unapproved software." The software, by FDA approval, sets the treatment area at a diameter of six millimeters, though this may not be the best size for all patients. Also by FDA approval, the software will not allow a doctor to change the curvature of the eye by more than six diopters, a limit that would exclude people with the worst cases of nearsightedness. This is not restricting the practice of medicine?

Imaginative doctors can get around some of the restrictions. Operating on eyes with the LASIK procedure was possible (but far from ideal) before LASIK was approved, though companies couldn't advertise that fact and doctors couldn't load LASIK software into the laser. Also, it's possible to change the curvature of the eye by more than six diopters by running the program twice, though this, too, is not ideal: It costs twice as much, since it requires two keycards, and the patient has to sit there with an exposed eye while the machine is configured a second time.

But even the most imaginative doctor's options are limited by the available software. Treating farsightedness, for example, is extremely difficult, though not unheard of. "I think you have to be a pretty brave, committed soul to do some of these new and innovative things, what with the FDA looking over one shoulder and the plaintiffs' attorneys looking over the other," says Trevor Woodhams. Dr. Stephen Trokel, who spoke to an FDA panel in July 1996 on behalf of the American Society of Cataract and Refractive Surgery, reported that "the current micromanagement by the FDA of innovations in refractive surgical technology encourages `offshore' investigations, encourages the movement of patients to foreign surgical centers, encourages the proliferation of unregistered, noncommercial, and totally unregulated lasers, and, most importantly, encourages the development of combination surgery where arcane and untested, imaginative mixtures of surgical techniques are created to overcome FDA labeling."

Trokel's warning is neither speculation nor hyperbole. Vagueness and inconsistency are hallmarks of FDA eye laser policy. It doesn't take a refractive surgeon to recognize this, though many refractive surgeons have firsthand experience in the matter. Because small details change the most and are the hardest to get a handle on, the desire to regulate small details will lead to a constantly shifting legal regime, with FDA interpretations changing unpredictably based on ever-changing medical technology. Many doctors and manufacturers don't know whether they're covered by the law. Some doctors who feel their medical practice is being restricted by the software lockouts have taken to re-importing "gray market lasers"–lasers made by Summit and VISX for export, which neither require royalty keycards nor have the software lockout. Others, like Trevor Woodhams, have created "black box lasers" or "garage lasers"–basically, homemade lasers, constructed out of readily available components.

The FDA believes these lasers do not fall under the "custom device" exemption. "A custom device basically is a product made for use on one person," says the FDA's Snider, echoing the definition easily found in the Code of Federal Regulations, Title 21, Part 812, Section 3, Subsection (b)(5). Once you use the laser on multiple patients, she says, "there's no way that would be considered a custom device." Some doctors point out that since a laser's software must be reconfigured with the statistics of each patient, the devices–the hardware-plus-software combinations–really are individualized.

Woodhams, whose laser is under arrest, feels the FDA has treated him unfairly. He invested $350,000 in his laser and is still paying off the bank loans. Now he has to take his patients to an outside surgery center, which is inconvenient and requires him to pay the $250 royalty to Pillar Point Partners. The Summit and VISX lasers can treat a smaller range of conditions than Woodhams's own laser, which is why he built it in the first place. He had been getting customers turned away by other eye surgeons; now he, too, has to turn those customers away. The FDA enforcement action has doubled his costs per operation. "I felt like I was dealing in good faith in a gray area," he says. "I felt like they did not return the same good faith in their treatment of me."

Besides making unwitting criminals out of justifiably confused doctors, the irrationality of FDA policy encourages doctors and manufacturers to evade the law. Some surgeons have been buying lasers from unapproved manufacturers. On June 11, the FDA requested that U.S. marshals seize nine excimer lasers made by Photon Data of Winter Park, Florida. Surgeons were using Photon's lasers for PRK to treat nearsightedness. The offending equipment, which had a combined estimated value of more than $3 million, was seized at two Photon Data locations and at a private freight forwarder. Dr. Jui Teng Lin, the company's president, did not return my phone calls, but Woodhams, who knows of Lin's outfit, says Lin was building excimer lasers using the very newest technology, selling them to individual practitioners in the United States and abroad, and helping his domestic customers get investigational device approval from the FDA. "Personally," Woodhams says, "I don't think there was anything objectionable with what he was doing."

The FDA's Snider says neither Photon's nor Woodhams's lasers have been linked to any injuries, though the agency has received unsubstantiated reports of injuries related to laser eye surgery and is trying to learn more. In short, the FDA showed that it cares about hypothetical patients who might be hurt if the lasers remained in use, but it showed no consideration for the patients who could have been helped. The FDA did not show that it prevented harm, on balance, by seizing Photon's lasers, and the law does not require it to do so.

In a sense, what the FDA is trying to do now was contained in its mandate from the start. We just didn't know it at first, because limited technology made the scope of the FDA's power seem smaller than it really was. Now we know. As AEI's John Calfee puts it, "FDA regulation expands even when it seems to be standing still….It is now clear that in the absence of new legislation, the FDA of tomorrow will be more inclusive and more intrusive. To regulate more, the FDA does not need to expand its regulatory domain. It can preside over a spontaneous explosion in regulation, confident that expanding medical technology will move more and more of medical technology and medical practice into the boundaries of FDA regulation."

For years, both critics and supporters of the FDA have assumed that deregulation would reduce the agency's power. "Well, in our country," they figured, as Alice told the Red Queen in Through the Looking-Glass, "you'd generally get to somewhere else–if you ran very fast for a long while as we've been doing." The Red Queen's answer suggests the truth may be more complex than that: "A slow sort of country! Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!" And so it is with FDA reform. The FDA must shrink just to stay the same size.

Alexander Volokh (volokh@netcom.com) is a policy analyst at the Reason Public Policy Institute.