SUMMER 2017 THE LIFE SCIENCES REPORT

Factoring in Human Factors

By Shannon E. Clark, P.E., CEO, UserWise, Inc. users to the design of medical devices device that minimizes risks related to human including mechanical and software error. The errors of focus when reducing According to a recent British Medical Journal driven user interfaces, systems, tasks, usability risks from most devices are usually research report, the mean rate of death from user documentation, and user training cognitive in nature (i.e., not ergonomic in medical error in U.S. hospitals is estimated to to enhance and demonstrate safe and nature). be over 251,000 people per year. Though many effective use.” medical errors are due to medication errors, The need for usability testing is driven by patient hand-offs, and issues with hospital Overall, the objective of human factors FDA regulation 21 CFR 820.30(g), which processes, other errors are attributable to engineering is to minimize or eliminate human states: “Design validation shall ensure that poor medical device design.1 Human factors error through the design of the medical device. devices conform to defined user needs and engineering plays an essential role in reducing The FDA defines “use error” to mean: intended uses and shall include testing of production units under actual or simulated the rate of these avoidable deaths and “user action or lack of action that was additional adverse outcomes. different from that expected by the use conditions.” Usability validation testing is manufacturer and caused a result that one type of design validation, and it includes The U.S. Food and Drug Administration (FDA) (1) was different from the result expected bringing in end-users to simulate use of defines “human factors engineering” as: by the user and the final medical device in a simulated use (2) was not caused solely by device failure environment. “The application of knowledge about and human behavior, abilities, limitations, and (3) did or could result in harm.” There is a trend of increasing FDA enforcement other characteristics of medical device of human factors requirements for medical “Human factors” at the FDA is synonymous device development and, correspondingly, with usability risk reduction. The focus of increased adoption of human factors processes In This Issue usability risk reduction is to design a medical among medical device manufacturers.

Factoring in Human Factors...... Pages 1-4 1 Martin A. Makary and Michael Daniel, “Medical error—the third leading cause of death in the US,” 353 British Medical Journal i2139, 2016. An Interview with Justin Klein of New Enterprise Associates...... Pages 5-7 Continued on page 2...

Life Sciences Venture Financings for WSGR Clients...... Pages 8-9

Patenting MedTech with Software – An WSGR Ranked as No. 1 Life Sciences Law Firm Update for Inventors...... Pages 10-12 For the second consecutive year, Wilson Sonsini Goodrich & Rosati has been ranked No. 1 in The Serious and Immense Impact of a the Life Sciences Law Firm Index, which identifies the most active and relevant firms for life Medical Device Hack...... Pages 13-17 sciences companies based on research conducted by Breaking Media, the publisher of MedCity News. Researchers compiled the index based on data in three research categories—corporate, Select Recent Life Sciences Client intellectual property, and regulatory—and also incorporated information on firms’ work with start- Highlights...... Pages 18-19 up companies and thought leadership contributions. Upcoming Life Sciences Events...... Page 20 For more information, please visit http://abovethelaw.com/2017/05/wilson-sonsini-tops-life- sciences-law-firm-index-for-2nd-straight-year/. Factoring in Human Factors

Continued from page 1...

Figure 1: FDA Focus on Human Factors (HF) and Industry Response User research helps to identify design requirements by obtaining direct input from intended users. It reveals what people FDA focus on HF are really thinking and how people really Frequency of device behave through observation at point of use. manufacturers The researcher evaluates environmental, doing HF Quality of HF social, and motivational aspects of the submissions to design. User research can include shadowing the FDA doctors, nurses, and technicians in various hospital settings and/or conducting one-

AND BETTER HF on-one interviews to reveal user needs. For home-use medical devices, user research

MORE is particularly valuable for defining where the device may be used (e.g., Will they keep their device at their bedside or on a wet surface on their bathroom sink? What level of water ingress testing should we consider Quality System 1st FDA Guidance, Human Factors team FDA Human Factors conducting?). Regulations (1996) Human Factors (2000) formed at the staff grows Office of Device Evaluation (FDA) Step 2: Use-Related Risk Analysis TIME A use-related risk analysis is performed to: *Adapted from “Human Factors/Usability for Medical Devices: An Historical Perspective,” Ron Kaye Office of Device Evaluation, CDRH, Food and Drug Administration, NIST Workshop on Usability and HER Technology, June 7, 2011. • Predict potential use errors and associated consequences for patients The FDA shared a graph titled “Center Effort manufacturers continue to scramble to and users on HF/Usability and Industry Response” in incorporate the new human factors process. • Identify risk control measures to make 2011 (Figure 1). The graph suggests that the design as error-proof as possible there was a low level of FDA focus on human The FDA Human Factors Engineering • Identify use scenarios to examine factors when the quality system regulations Process during usability testing were published in 1996. As a result, very few manufacturers were incorporating human The FDA-recommended human factors The use-related risk analysis is a powerful factors processes when the FDA issued its process can be described in five steps, as tool to prioritize design efforts and tackle first human factors guidance in 2000. depicted in Figure 2 below. the most serious use errors first. Various use errors are prioritized according to On February 3, 2016, the FDA updated its Step 1: User Research how serious their consequences are, how human factors guidance, Guidance for frequently they occur, and how easily they Industry and FDA Staff – Applying Human The goal of user research is to help can be detected by end-users. Factors and Usability Engineering to Medical identify and refine design requirements Devices (originally published in 2000). The by understanding the users and the use It is best to eliminate the given use errors effect of the amended guidance has been through the design of the device. If it is not environments. The focus of user research is rippling quickly through the medical device possible to eliminate a use error through industry. While manufacturers of higher-risk on making data-backed assumptions about design, the following options are pursued, in medical devices began adopting the new who the end-users will be and how they will order of preference:2 human factors processes in 2011 and earlier, perceive and interact with the product in their many new and established medical device context of use. 1. Guard against the use error

Figure 2: The FDA-Recommended Human Factors Process

Use-Related Iterative Prototyping & Human Factors Quality System Risk Analysis Usability Testing Usability Validation Submission/Compliance

2 Content from ISO 14971:2007.

2 Factoring in Human Factors

2. Warn against the use error COSTFigure OF 3: CostMEDICAL of Medical DEVICE Device DevelopmentDEVELOPMENT With and WITH Without AND Human WITHOUT Factors 3. Information for safety HUMAN FACTORS (HF) a. Labeling Critical design issues & b. Instructions for use expensive last- Unexpected minute design validation results changes from HF — features need to c. Training team be modified & re- validated Incorrect 4. Remove feature (least desirable) assumptions were made about how users would interact with the product - the team realizes Investment too late that there is a in extensive mismatch between user training & support Step 3: Iterative Prototyping and Usability HF expectations & the due to ease-of-use ensures you product’s design issues; R&D only Testing are addressing had time to fix the the right user safety issues needs & making the right design Usability testing is conducted with early-stage assumptions prototypes to reveal the prototypes’ strengths, Usability Long-term validation support costs testing weaknesses, and potential use errors. passes on the first try Make Usability testing includes observing intended ACTURER INVESTMENT design mistakes users’ interaction with the device to reveal early & often Cost WITHOUT potential use errors. Subjective feedback human factors on the design is also collected from the / MANUF usability study participants, but observation Cost WITH

ART UP human factors

of end-users is usually the primary method for ST collecting data.

esting Analysis User ResearchFirst Prototype Design Freeze Multiple early-stage usability studies—called Released Product Verification & Validation “formative usability testing”—are usually Use-Related Risk conducted. In response to each study, rapid Iterative Prototyping & Usability T D EVELOPMENT PHASE ( TIME) modifications are made to the device design in an effort to improve the usability and to the next development phases with greater - Changes post-validation may trigger the reduce use errors. It is an iterative process confidence. need for further testing or may require consisting of three stages: a justification for no further usability Step 4: Usability Validation validation testing 1. Conducting usability testing of early • Test conditions that are sufficiently At the end of the development process, product prototypes realistic to represent actual conditions usability validation examines user interactions 2. Identifying use errors with the device user interface to identify use of use 3. Guiding design changes to eliminate these errors that could result in serious harm. use errors The results of the usability validation study are Usability validation also demonstrates that used to demonstrate the safety and efficacy of These three stages are repeated until results mitigations in the use-related risk analysis are the device with respect to usability. from formative usability testing show that sufficient to minimize use errors. the design is ideal or that the use errors are minimized. Per FDA requirements, usability validation testing must include the following: Investing in iterative prototyping and usability By conducting multiple usability testing can save time and money in the long • At least 15 participants as representative studies and refining the product run. The process allows a company to “take intended users for each user profile shortcuts” toward an optimized product - Participants cannot be internal cheaply and early on, the by allowing imperfect designs to fail more employees quickly. It is expensive to invest in tooling and - Participants must be U.S. residents (non- development team can progress manufacturing of final prototypes, and the U.S. citizens can be included) to the next development phases human factors engineering process facilitates • All critical tasks (i.e., tasks associated obtaining usability data using low-fidelity with use errors that could lead to serious with greater confidence prototypes. By conducting multiple usability harm) studies and refining the product cheaply and • Software and hardware configuration early on, the development team can progress equivalent to the final design

Continued on page 4...

3 Factoring in Human Factors

Continued from page 3...

Step 5: Human Factors Submission/Compliance • Combining human factors with pre-clinical Shannon E. Clark is the founder work or a clinical trial—this may seem and CEO of UserWise, a A human factors submission report is prepared like a good idea at first, but it inevitably consultancy that helps medical at the end of the human factors process. This presents unique challenges device manufacturers and report describes the full human factors process • Recruiting fewer than 15 end-users for start-ups to design safe and and explains how use errors were minimized. validation—FDA human factors reviewers easy-to-use medical devices. The consultants at at the Office of Device Evaluation rarely UserWise conduct usability testing for a variety A human factors engineering submission report of medical devices, ranging from surgical robots is usually required for a pre-market approval accept fewer than 15 end-users per user type (i.e., 15 nurses and 15 surgeons in the to home-use injection platforms. UserWise (PMA) submission, and the FDA reserves the consultants also perform safety assessments to right to request the human factors engineering case where both users use the device) • Forgetting to mine the databases on comply with U.S. and international regulations report for other types of submissions as well related to human factors. (e.g., 510(k)). UserWise recommends always FDA.gov to discover what recalls and submitting a human factors engineering medical device reports (MDRs) have Before founding UserWise in 2015, Shannon submission report in order to expedite and been reported for similar products before was a human factors engineer at Intuitive streamline the FDA’s review of a submission. communicating with the FDA—the FDA Surgical and Abbott Laboratories. She knows about the recalls and MDRs, so graduated in 2010 from UCLA with a B.S. For compliance outside of the U.S., it is these should be well analyzed and thought in mechanical engineering and a technical necessary to assemble a usability engineering through before corresponding with the breadth in technology management. file and compliance checklist for IEC 62366- FDA Additionally, Shannon is a Certified 1:2015, Medical devices – Part 1: Application • Inadequately resourcing a development Professional Industrial Engineer, holds two of usability engineering to medical devices. project with designers who “know the patents, and has written and published three books. user” and bake usability into a medical

device She can be reached at • Aligning incentives between R&D [email protected]. UserWise recommends always management and the goals of the submitting a human factors marketing and sales organizations to encourage R&D to reduce on-market About UserWise engineering submission report training and product support costs in the long term Our mission is to inspire in order to expedite and human factors engineering best practices within both Fortune 500 streamline the FDA’s review of Conclusion medical device companies and start-ups, and to facilitate the development of usable Usability testing is a rigorous process that has a submission medical devices. We work with companies to become increasingly important for obtaining fulfill any and all of the steps in the usability a 510(k) clearance or a premarket approval. engineering process to facilitate the design Planning and testing during the early stages of of safe and usable medical devices. We offer Tips on Human Factors product development can yield great benefits risk analysis, usability testing, and compliance and efficiency in bringing a product to market. documentation, as well as corporate trainings Here are some common human factors pitfalls The human factors process can save huge and assistance navigating regulatory clearance. that UserWise has seen companies encounter: amounts of research and development time and money, as well as minimize delays during To learn more, visit • Not having a clear human factors strategy an FDA submission, reduce the risk of product www.UserWiseConsulting.com. when meeting or corresponding with the recalls, and reduce on-market training and FDA for the first time maintenance costs. • Assuming that your medical device requires usability validation testing when it could have been validated in another manner

4 An Interview with Justin Klein of New Enterprise Associates Wilson Sonsini to actively guide our portfolio companies to development hurdles, the regulatory path, Goodrich & expand their market opportunities and scale reimbursement/payment structures, and the Rosati partner with our capital and other resources over go-to-market opportunities to commercialize James Huie time. We raise some of the largest funds in something. These are all critical elements. recently sat down the industry, and we believe that being able Thematically, we try to stay open-minded, with Justin Klein, to invest capital at scale allows us to be an focusing on different subsectors, whether it’s a partner at entrepreneur’s partner throughout his or her therapeutics, devices, or services, and over New Enterprise company’s lifetime, from seed and Series A time we migrate toward the larger, open-ended Associates stages all the way through growth equity, opportunities in each category. (NEA), one of the and potentially as they go public and beyond. world’s largest and most active venture capital What we’ve found is that in almost all of our In the last few years, you’ve been a part of firms. Among other topics, Justin discussed sectors, it is increasingly capital-efficient to some of the largest-ever exits for venture- NEA’s mission and commitment to investing start a business and demonstrate early traction backed medical device companies. in early-stage companies, the current state of in multiple markets. But to really scale, a Looking forward, what opportunities do the healthcare investment industry, and the business continues to take resources, and you see and what concerns you most advice he’d offer to entrepreneurs. Below is a NEA strives to be in a position where we can about the current healthcare market? selection of highlights from their discussion. partner with those entrepreneurs early, help them craft and further expand their vision, and Broadly, we remain very enthusiastic about Tell us about NEA. What’s the firm’s then be their lead financial partner for every investing in healthcare. We try to be mindful overall mission and how does NEA try step of the journey. of things like economic and political cycles to differentiate itself across its core that could affect our portfolio companies and What are you looking for in your portfolio markets? therefore our investments. If possible, we try companies in terms of unique qualities to identify long-term secular trends that we or traits of success, particularly in the NEA is a classically constructed venture think our companies will succeed in, regardless healthcare space? capital firm. We’re going to celebrate our of some of the shorter-term market or political cycles. 40th anniversary this year, making us one In the healthcare space, we’re most focused of the oldest and—because of our firm size on investing in companies that present and strategies—one of the largest, most open-ended business opportunities, such as Our system faces real challenges in terms active venture capital firms across all sectors. standalone businesses that could go public of the affordability of—and access to— Technology innovation, which broadly includes and self-finance over time, or those that healthcare. We expect that to continue to be categories like consumer or enterprise-oriented become coveted acquisition candidates for a very hot topic. Ultimately though, healthcare technologies and electronics, makes up a some of the larger players in the industry. is one of the most important dimensions of a substantial portion of where NEA invests. We like to build companies and franchise person’s life. It’s close to 20 percent of our GDP, And healthcare is the other major category opportunities predicated on solutions that and the opportunity for technology to improve in which we focus our efforts. Within each address significant unmet clinical needs, and clinical outcomes or reduce costs still remains NEA investment fund, which we tend to raise do so at reduced costs. I think the pairing of fairly open-ended. We want to be careful not to every 2.5 to 3.5 years in regular cycles, we’re those phrases is important. It’s something invest in entities that bear significant political committing about a third of our dollars to the we’ve been focused on for our entire history. To risks, where opinions about how to do things healthcare space, which includes biopharma be something big, we believe a company really fall in or out of favor, which could completely therapeutics, medical devices, and healthtech, has to demonstrate evidence to convince all derail an investment opportunity. But we as well as healthcare services and stakeholders to adopt new technologies or new do believe there are some durable trends healthcare IT. ways of delivering healthcare. that allow us to invest in a number of these companies and to support them from their One of the things we prioritize as a capital Of course, we also look at other things like earliest stages all the way through to being partner to entrepreneurs is being in a position the nature of the unmet need, the clinical mature businesses.

Continued on page 6...

5 An Interview with Justin Klein of New Enterprise Associates

Continued from page 5...

Do you feel like the healthcare industry merits to a late-stage investment focus, but What are some of the key events that you is on an upward trend? Do you envision it’s also important to recognize that there are look forward to attending each year? Are more activity in the next few years, or at competencies that big, established companies there any new conferences that you’re least in 2017? have in these channels, like commercial eyeing? distribution or manufacturing, that are difficult We’re coming out of a significant bull market for a start-up to compete with. Annually, there are a handful of events I try in the biopharma space as of a couple of years to attend that are fairly spaced out during ago. Of course, there also have been some Where our companies excel is in identifying the course of the year. It probably starts in pullbacks along the way, but most people unmet needs, developing innovative products January with the J.P. Morgan Healthcare believe there can be a relatively healthy Conference, which is kind of the annual “must that have IP protection, and executing on a IPO window this year in multiple healthcare attend.” There are a couple of conferences development plan that generates evidence subsectors. Public market investors continue to in the spring and early summer, whether it’s for the FDA, payers, patients, and physicians look for growth opportunities in their portfolios, WSGR’s Medical Device Conference, the to really embrace things and bring them and strategic acquirers need to find revenue MedTech Investing Conference in Minneapolis, growth opportunities in new businesses to to market. Some of our peers have moved or Piper Jaffray’s annual conference. Then, in expand their markets, particularly after a period away from earlier-stage investing, but I don’t the fall, there are some different events that of consolidation among a lot of the big pharma think that’s irrational. From 2008 to 2012, investment banks or other industry groups put and medtech companies. And we’re seeing particularly for medical devices, there were together, and those are a great way to keep in financing environments and acquisition/IPO a lot of headwinds, particularly around the regular touch with people. discussions look fairly positive across all of our U.S. regulatory process. Although we’ve seen categories. So, we think it’s going to continue the regulatory climate become much more Throughout the year, I typically attend a to be a fairly healthy time in the ecosystem. reasonable and predictable in recent years, handful of conferences that focus on clinical that era was so taxing for investors and their areas where we have active portfolio In January 2016, you gave an interview at portfolio companies that it’s hard to stomach companies, such as cardiovascular disease, the J.P. Morgan Healthcare conference re-testing earlier-stage investment where interventional pain, or personalized medicine. where you underscored NEA’s capital requirements and timelines were And sometimes I attend conferences that commitment to investing in early-stage extended pretty significantly, almost beyond overlap the due diligence we’re doing on a new companies and, specifically in your case, the reach of a lot of our peers. space. early-stage medical device companies. Can you offer some insights into NEA’s We are intentional in our strategy to raise Outside of the U.S., are there any reasoning and commitment to early-stage relatively large funds, which gives us the ability particular markets that you or your companies? to sustain our commitment to companies over companies are most interested in? the long term, and gives them the opportunity I recently did a quick tabulation of our medical As a firm, NEA is certainly global in its reach. to complete the mission. When we invest device investment activity in our last two Our interest in start-up companies, as well in early-stage companies, we try to be very funds, and between those, we made 13 new as the markets where they’ll bring their thoughtful about the total capital requirement investments, nine of which were at the Series innovations, is global. We have a very active A or seed stage, including companies that we and syndicate formation. I think maybe 10 investment practice in Asia, largely on the seeded in incubators. Those numbers would to 15 years ago, we might have taken on tech side, though we’ve made some select probably surprise most folks, because overall, some Series A innovations or technologies healthcare investments there over time. More the medtech venture market has shifted away that would have required a series of multiple recently, we’ve expanded our investment from pre-regulatory approval or pre-data-stage de-risking financings over time, whether it’s practice to include more opportunities in medical device companies since around 2008. validating technology development, clinical Europe. One of the companies I’m involved On the contrary, we have deliberately tried to evidence, regulatory approval, reimbursement, with is called FIRE1 (Foundry Ireland), which is embrace that stage of investment because, or commercial traction. There are probably an Ireland-domiciled medical device incubator one, there are still a lot of opportunities and, fewer of those types of opportunities we’re that we funded in partnership with the Foundry, frankly, there is less competition from other willing to step up for. We try to find spaces Lightstone Ventures, and Medtronic. Since investors investing in those deals. And two, where our companies are in an overall strong creating the incubator, we’ve advanced the at a high level, we’re trying to invest in the position to execute on a plan that answers program to include an outstanding senior parts of the medtech ecosystem where we really hard stakeholder questions relatively management team that’s based on the ground as investors and our start-up companies have early in the process of building that company or in Ireland, and we’re actively building the some competitive advantage. There can be funding that program. company there. Some other examples of

6 An Interview with Justin Klein of New Enterprise Associates

investments in our biopharma practice have It’s often the case that we meet entrepreneurs creating investment opportunities that wouldn’t been companies coming out of Western Europe but may not invest for three or four years. otherwise exist. There are always new, and the UK, including Adaptimmune in the But along the way, we’re able to track their creative ways to do this job better and be a immuno-oncology space, NightstaRx in the progress and help provide introductions to folks better partner or entrepreneur. So, I don’t know gene-therapy space, and CRISPR Therapeutics who may join their team, or we may introduce whether there have been dramatic differences in the gene-editing space. Overall, something other investors who get involved earlier than like 90 percent of our dollars are committed to we do. Then, at the right opportunity, we’ll from my first day to yesterday, but it’s a U.S.-domiciled companies. But we recognize sign up to lead a financing and, once we do, continual process that’s been a lot of fun. that terrific innovation is happening all over we are fully committed to them. Having those the globe, and we’re comfortable with backing early conversations during that relationship- Justin Klein joined NEA in 2006 and is a teams based in those countries. We’re working building process is fundamental, because these partner on the healthcare team. Justin focuses with them to build our companies across the can be very durable partnerships. It’s rarely an on medical device, healthcare technology, Atlantic, sometimes opening offices and/or 18-month relationship; usually it’s three, five, and biopharmaceutical company investments. taking them public in the United States, and in seven, or even 10 years, and hopefully what He serves as a director of Advanced Cardiac other cases growing them for the long term, comes out of it is interest in doing it again. Therapeutics, Cartiva, ChromaCode, FIRE1, regardless of borders. Around 60 percent or more of our investment Intact Vascular, Personal Genome Diagnostics, opportunities are introduced to us through PhaseBio Pharmaceuticals, Relievant Do you have any advice for entrepreneurs entrepreneurs or folks that we worked with who are looking to work with NEA or who in the past, and if we had a great experience Medsystems, Senseonics (NYSE: SENS), may be trying to start a company for the together, we’d love to find that next venture to VertiFlex, Vesper Medical, and VytronUS. first time? do it again and again. Justin’s past board memberships and investments include CV Ingenuity (acquired First, I think it’s encouraging that the past five I think that touches one last point. You’ve by Covidien), Nevro (NYSE: NVRO), Topera years have been a fantastic time to start a been an investor for quite some time (acquired by Abbott), TriVascular (NASDAQ: company and raise capital for that company, now. What would you say the biggest TRIV, acquired by Endologix), and Ulthera whether it’s in tech or healthcare. There’s a differences are between being an investor lot of fundamental innovation happening in now and being an investor when you first (acquired by Merz). He is also a member of all sectors of the venture ecosystem that’s started? the advisory boards for Duke’s Innovation & creating tremendous opportunities for new Entrepreneurship Initiative, the Johns Hopkins businesses. We like to see entrepreneurs who From a personal perspective, this is my 11th Center for Bioengineering Innovation & Design, are passionate about an area where they have year of investing and I’ve had the benefit of and the National Venture Capital Association’s a lot of deep experience. And in general, we being part of NEA and working with some Medical Industry Group and its Medical try to support them, recognizing that their time fantastic folks who came before me in our Innovation and Competitiveness Coalition is the most precious thing that any of us have medical technology practice. I started at (MedIC), as well as a member of AdvaMed’s to commit to one of these ventures. So, if it’s NEA as an associate, where I was entirely an entrepreneur that really knows their space supporting other partners. Today I’m proud to Business Development Committee. well and they’ve identified a problem and be on a dozen boards and am actively trying developed a technology-driven solution that we to grow our medical device and healthcare Prior to NEA, Justin worked for the Duke share an interest in, we’d love to talk to them technology investment practice with my University Health System—reporting directly as early as possible in the company’s formation colleagues in the service of our companies and to the hospital CEO on health system strategy, process. Whether or not we choose to invest our industry. With board responsibilities and finance, and clinical service unit operations— can be affected by a variety of different other leadership opportunities outside of the as Duke built one of the nation’s first and considerations, but we look for opportunities firm, I’ve only become busier over time, which largest healthcare integrated delivery systems. to get involved where we can make an impact is great. It’s been a fantastic experience. Justin concurrently earned his M.D. from the on that company’s trajectory. That may mean Duke University School of Medicine and his funding them with the right amount of capital, In each of these investing climates, the J.D. from Harvard Law School. He has also or it may mean helping them set a vision that markets move in cycles, whether it’s related aims for something bigger or more expansive to politics or the economy, and there’s always served as a member of the board of trustees than they would have otherwise if they hadn’t something to learn or figure out how to of Duke University, where he earned his had that conversation. do better. It could be solving some sort of A.B. in economics and his B.S. in biological complicated financing or M&A transaction, or anthropology and anatomy.

7 Life Sciences Venture Financings for WSGR Clients

By Scott Murano, Partner (Palo Alto)

The table below includes data from life sciences transactions in which Wilson Sonsini Goodrich & Rosati clients participated across the first and second halves of 2016. Specifically, the table compares—by industry segment—the number of closings, the total amount raised, and the average amount raised per closing across the two six-month periods.

1H 2016 2H 2016 1H 2016 1H 2016 Average 2H 2016 2H 2016 Average Life Sciences Number of Total Amount Amount Number of Total Amount Amount Industry Segment Closings Raised ($M) Raised ($M) Closings Raised ($M) Raised ($M)

Biopharmaceuticals 31 420.39 13.56 33 370.91 11.24

Genomics 5 31.01 6.20 5 32.30 6.46

Diagnostics 8 37.84 4.73 11 98.45 8.95

Medical Devices & Equipment 48 309.39 6.45 47 321.76 6.85

Digital Health 10 40.18 4.02 10 71.33 7.13

Healthcare Services 4 8.24 2.06 6 140.08 23.35

Total 106 847.05 112 1,034.83

The data demonstrates that venture financing to 47 closings, but the total amount remaining industry segments (in descending activity increased during the second half of raised increased 4 percent, from $309.39 order of 2H 2016 number of closings)—digital 2016 compared to the first half of 2016 with million to $321.76 million. The industry health, healthcare services, and genomics— respect to the total amount raised and the segment with the second-largest number of were flat or up in number of closings and up number of closings. Specifically, the total closings—biopharmaceuticals—experienced in total amount raised during the second half amount raised across all industry segments an increase in number of closings, but a of 2016 compared to the first half. increased 22.2 percent from the first half of decrease in total amount raised during 2016 to the second half, from $847.05 million the second half of 2016 compared to In addition, our data suggests that Series to $1,034.83 million, while the number the first half. Specifically, the number of A and Series B financing activity compared of closings across all industry segments biopharmaceuticals closings increased 6.5 to bridge financings and Series C and later increased 5.7 percent, from 106 closings to percent, from 31 closings to 33 closings, equity financings increased during the second 112 closings. while the total amount raised decreased 11.8 half of 2016 compared to the first half. The percent, from $420.39 million to $370.91 number of Series A closings as a percentage Notably, the industry segment with the million. Meanwhile, diagnostics, the industry of all closings increased from 31.8 percent largest number of closings—medical segment with the third-largest number of to 41.1 percent, while the number of Series devices and equipment—experienced closings during the second half of 2016, B closings as a percentage of all closings a slight decrease in number of closings, experienced increases in both number of increased from 15.9 percent to 17 percent. but an increase in total amount raised closings and total amount raised; the number Offsetting those gains, bridge financing and during the second half of 2016 compared of closings increased 37.5 percent, from Series C and later financing activity relative to the first half. Specifically, the number of 8 closings to 11 closings, while the total to all other financings decreased during the closings in medical devices and equipment amount raised increased 160.2 percent, second half of 2016. The number of bridge decreased 2.1 percent, from 48 closings from $37.84 million to $98.45 million. All financing closings as a percentage of all

8 Life Sciences Venture Financings for WSGR Clients

financings decreased 58.5 percent, from activity at the Series A stage in terms of $105.2 million to $43.65 million; and the number of closings. The second half of 2016 Series A and Series B financing average pre-money valuation for Series C and also saw an increase in pre-money valuations activity compared to bridge later financings increased 18.6 percent, from for Series A financings, unlike the prior six- $120.97 million to $143.45 million. month period, which witnessed an increase financings and Series C in number of Series A closings but a decrease Other data taken from transactions in which in pre-money valuations. This suggests that and later equity financings all firm clients participated in the second half companies are moving into a greater position of 2016 suggests that life sciences is tied increased during the second with services as the second-most attractive half of 2016 compared to the industry for investment. During that period, life sciences (as well as services) accounted The second half of 2016 was first half for 24 percent of total funds raised by our clients, while the software industry— the third consecutive six-month traditionally the most popular industry for investment—accounted for 29 percent of period of improved financing closings decreased from 31.8 percent to 26.8 total funds raised. percent, while the number of Series C and activity later financing closings as a percentage of all Overall, the data indicates that access to closings decreased from 15 percent to 10.7 venture capital for the life sciences industry percent. increased from the first half of 2016 to the second half. It is also worth noting that of leverage at the Series A stage, as there Average pre-money valuations for life financing activity during the first half of 2016 are more Series A deals getting done and at sciences companies increased for Series A had increased significantly over the second relatively higher pre-money valuations. financings and Series C and later financings, half of 2015, and the second half of 2015 but decreased for Series B financings during had increased over the first half of 2015—so the second half of 2016 compared to the first the second half of 2016 represents the third Scott Murano half. The average pre-money valuation for consecutive six-month period of improved (650) 849-3316 Series A financings increased 70.1 percent, financing activity. Moreover, the second half [email protected] from $10.86 million to $18.47 million; the of 2016 represents the second consecutive average pre-money valuation for Series B six-month period of improved financing

WSGR Ranked No. 1 for Q1 2017 Venture Financings

Dow Jones VentureSource recently ranked Wilson Sonsini Goodrich & Rosati as the leading law firm for U.S. venture financings in the first quarter of 2017.

Dow Jones VentureSource’s legal rankings for Q1 2017 issuer-side venture financing deals placed WSGR ahead of all other firms by the total number of rounds of equity financing raised on behalf of clients. The firm is credited as the legal advisor in 61 rounds of financing, while its nearest competitor advised on 42 rounds of financing.

Of particular interest to The Life Sciences Report, WSGR ranked first for Q1 2017 issuer-side U.S. deals in the healthcare and medical devices and equipment industries.

9 Patenting MedTech with Software – An Update for Inventors

By John Shimmick (Associate, Palo Alto) and Charlie Hagadorn (Associate, Seattle)

MedTech includes traditional medical devices and smart devices brought about by the tech revolution. From surgical robotics to apps for smart phones, smart devices and connectivity have forever changed the way we think of healthcare and how it is delivered.

Examples of computer-based medical devices include surgical robotic systems and lasers used for LASIK surgery. Additional examples include smart patches worn by patients for remote monitoring and 3D scanners used to plan orthodontic treatment. Even an iPhone programmed with the right app can transform a smart phone into a healthcare instrument. software in the United States may be of States, provided that the claims are not The smart phone illustrated in the figure to interest to inventors. directed to a judicial exception.2 the right is an example of many new MedTech devices. Often there is a local device, such as The Good News: Software Is Still Under Alice, courts will apply a two-part test. a smart phone, that has sensors or actuators Patentable The first step is to determine whether the claim that interact with the local environment. The at issue is directed to a judicial exception such local device also could be a spectrometer, a The United States requires that subject matter as an abstract idea. In step two, the court surgical robot, a laser eye surgery system, or recited in the claimed invention be patent will consider whether the claims contain an a diagnostic instrument, for example. A local eligible. In particular, 35 USC § 101 defines “inventive concept” sufficient to “transform processor, such as a processor of the smart “patent-eligible subject matter” as “any new the nature of the claim into a patent-eligible phone, is coupled to the local device or sensor and useful process, machine, manufacture, or application.”3 In assessing patentability within the device that may gather data from composition of matter, or any new and useful under § 101, it is important that the court not the local device and may control the local 4 device. The local device transmits the data to a improvement thereof.” The Supreme Court oversimply the claims. In McRO, the claims remote server in the cloud. The remote server has created judicial exceptions that preclude were directed to automated animation of lip can be configured to do much more than merely patentability under § 101 and held that laws synchronization to sounds. In particular, the store data—it can be configured to perform of nature, natural phenomena, and abstract claims were limited to rules that evaluate analytics and machine learning, and offer ideas do not qualify as patent-eligible subject subsequences consisting of multiple sequential guidance to the local device. matter. In recent years, several cases in the phonemes. These claims were held not to be United States have cut back on the extent to directed to an abstract idea.5 If claims are It is important to note that software can which software can be patented because the directed to an abstract idea, the claims can transform old or existing hardware into a new claims at issue failed to recite patent-eligible still be found patentable, so long as they do invention. For this reason, an update on recent subject matter.1 The good news, however, is not preempt the field. In general, courts will case law and strategies for claiming MedTech that software is still patentable in the United look at the technical problem being solved

1 See, e.g., Bilski v. Kappos, 130 S. Ct. 3218, Supreme Court (2010); Mayo Collaborative v. Prometheus Labs., 132 S. Ct. 1289, Supreme Court (2012); Alice Corp. Pty. Ltd. v. CLS Bank Intern., 134 S. Ct. 2347, Supreme Court (2014). 2 See, e.g., DdR Holdings, LLC v. Hotels. Com, LP, 773 F. 3d 1245, Federal Circuit (2014); ENFISH, LLC v. Microsoft Corp., 822 F. 3d 1327, Federal Circuit (2016); McRO, Inc. v. Bandai Namco Games America Inc., 837 F. 3d 1299, Federal Circuit (2016). 3 Alice, 134 S.Ct. at 2355. 4 McRO, 837 F. 3d at 13133. 5 McRO, 837 F. 3d at 13133 at 1316.

10 Patenting MedTech with Software – An Update for Inventors

and the solution presented with the claimed resources for their examiners with respect invention. In Enfish, the claims were directed to subject-matter eligibility under § 101 and to a self-referential table that was a specific related case law. The evolving guidelines MEDTECH SOFTWARE type of data structure designed to improve address how examiners should formulate MOVES FAST the way a computer stores and retrieves their subject-matter eligibility rejections data in a memory table feature. These claims under § 101 and how examiners should Track One Prioritized Exam at the were viewed as a particular implementation evaluate an applicant’s response to such USPTO is a valuable tool to keep of a solution to a problem in the software rejections. In addition, the U.S. Patent Office patents aligned with MedTech arts, and were held not to be directed to an also compiles regularly updated summaries product and business cycles. abstract idea.6 of § 101 subject-matter eligibility decisions from the U.S. District Courts, the Court of Some keys to success for software MedTech Appeals for the Federal Circuit, and the The traditional route to a U.S. patent takes patents include emphasizing that the claimed United States Supreme Court. 3-4 years. Sometimes this means that subject matter: the patent is granted around the same The U.S. Patent Office subject-matter time the claimed invention is phased out as obsolete or superseded by the next- • improves another technology or eligibility page is available at: https://www. generation product. technical field; uspto.gov/patent/laws-and-regulations/ • improves the functioning of the examination-policy/subject-matter-eligibility. computer itself; The Track One Prioritized Exam program • applies the idea with, or by use of, a If You Have a Killer App, Consider allows a patentee to get a final disposition customized machine; Patenting It on patentability from the examiner within • includes a limitation other than what 12 months of the request for prioritized is well-understood, routine, and In general, the U.S. Patent Office will give status being granted. conventional in the field; and/or patentable weight to software instructions • includes unconventional steps that that are stored on a tangible medium, such Under the traditional route, patents take confine the claim to a useful application. as an app. Given that software is patentable, much longer to issue: an app that transforms a smart phone into MedTech IP features that can help secure more than a mere phone is still patentable, • Average time to first action on the patent eligibility include: provided that the statutory requirements merits from filing = about 16 months are met. In general, drafting the patent • Average time to final disposition from • providing solutions to problems application and claims to address the filing = about 26 months (56 months that arise only in the context of the technical problem solved by the software with one or more RCEs) technology itself (problem did not pre- app can help with patentability, because the • Average number of office actions = 2.5 date the technology); courts and the U.S. Patent Office often look • improvements to efficiency that better to this when evaluating whether the claims Compare to prioritized applications: utilize computing resources to handle recite patent-eligible subject matter as noted massive data sets, enhance speed, or above. • Average time to first action on the allow scale-up; merits from grant of request = about 4 • sensors, external to the computer months running the software, that must feed • Average time to final disposition from data to the software; and In general, drafting the patent grant of request = about 8 months • distinct machines, other than the • Average number of office actions = 1.2 computer running the software, that application and claims to must communicate with each other. The bottom line is that, in the fast-moving address the technical problem MedTech space, we often recommend U.S. Patent Office Subject-Matter filing a non-provisional patent application Eligibility Resources solved by the software app can under the Track One Prioritized Exam help with patentability program. Over the past few years, the U.S. Patent Office has produced guidelines and other

6 Enfish, 822 F. 3d 1327 at 1339. Continued on page 12...

11 Patenting MedTech with Software – An Update for Inventors

Continued from page 11...

The claims can be written to cover the tangible The ornamental appearance for an article claims, method claims, and software claims medium that stores the software instructions includes its shape or configuration, along (i.e., tangible medium claims). For example, of the app. These claims effectively cover the with the surface ornamentation applied to the the hardware that is used locally is often app that someone downloads onto their phone. article. Both design and utility patents may be patentable. Examples of patentable hardware For example, the claims can be directed to the obtained on an article if the invention resides include specific tools used for surgical robotics, software instructions of the app that control both in its utility and ornamental appearance. stents, and balloons that are used to treat the local device and handle the processing and U.S. patent law has evolved to allow the patients. The general requirements for such display of data. protection of the visual appearance of a GUI inventions include novelty, non-obviousness, as “surface ornamentation” on the screen and utility. The system that is used locally, Design Patents Can Protect Unique of a monitor or smartphone. This was first including the software, can also be patented, Devices and Graphic User Interfaces announced in Ex Parte Strijland, 26 USPQ for example with a combination of hardware (GUIs) 2d 1259 (BPAI 1992). New and non-obvious and software. icons associated with GUIs are protectable via The user display and interface that allows design patents. New and non-obvious aspects For software inventions, claims can often be the user to interact with data are areas that of the layout of the GUI, including the specific written to cover how data is processed in the may be patentable as well. Where a MedTech location of each element and even animations, cloud (e.g., the server). In many instances, it application includes a novel and non-obvious are also protectable. can be helpful to have a hook between the device or sensor and GUI, or way of presenting, server and the hardware. For example, if there summarizing, or formatting information, Design patents have other additional benefits: is any special data from the local device that consider supplementing the utility patent is being sent to the server, claims directed to application with a design patent application. • Speed – The typical time to a first office the receipt and processing of this data with the action is about 13 months and the average server can provide useful points of distinction In general terms, a utility patent protects total pendency is about 20 months for a over the prior art. the way an article is used and works, while design application. a design patent protects the way an article To learn more, please contact Mike Hostetler, looks (the so-called “ornamental aspects”). • Success – The allowance rate is about 84 Sabrina Poulos, Mike Rosato, Doug Portnow, percent for design applications. Jim Heslin, John Shimmick, Scott Burkette, Charlie Hagadorn, or Peter Eng. • Global Scope – Many foreign jurisdictions have robust design protection regimes. Where a MedTech application John Shimmick • Secrecy – Design applications do not (650) 849-3319 includes a novel and non- publish unless and until they issue as an [email protected] obvious device or sensor and enforceable U.S. patent.

GUI, or way of presenting, • Term – U.S. design patents have a term Charlie Hagadorn running 15 years from the date of grant. (206) 883-2537 summarizing, or formatting [email protected] Additional Strategies for Protecting information, consider MedTech supplementing the utility patent Many approaches can work, depending on the application with a design patent nature of the technology and the invention. In general, it is helpful to describe and claim the application invention from several perspectives, including the local device and the remote server. For each of these, it can be helpful to have device

12 The Serious and Immense Impact of a Medical Device Hack

By David Hoffmeister (Partner, Palo Alto), called its “negligent level of attention to rebuttal report stating that the researchers Vern Norviel (Partner, San Francisco, San cybersecurity.”4 at MedSec used “flawed test methodology Diego, and Boston), Mark Solakian (Partner, on outdated software,” demonstrating a Boston), Lou Lieto (Partner, Boston), Lydia At the time of the Muddy Waters report, St. “lack of understanding of medical device Parnes (Partner, Washington, D.C.), Lawrence Jude was in the process of being acquired by technology.”5 As the case has proceeded, Perrone (Of Counsel, Washington, D.C.), Abbott Laboratories for $25 billion. St. Jude Muddy Waters has released additional Wendell Bartnick (Associate, Austin), shareholders were slated to receive, for each videos and expert reports elaborating on Jennifer Fang (Associate, Boston), Prashant share of St. Jude common stock held, its allegations. Abbott’s deal with St. Jude Girinath (Associate, Boston), Jake Gatof $46.75 in cash and 0.8708 shares of Abbott recently closed, and the company has (Associate, Boston), and Charles Andres common stock, representing about $85 per continued to assert that these allegations are (Associate, Washington, D.C.) exaggerated and untrue.6

On August 25, 2016, the investment firm In this article, we explore select ramifications Muddy Waters Research announced it had A host of different government of a medical device hack, and provide some taken a short position in St. Jude Medical, agencies enforce laws that suggested practices for companies that offer Inc., and released a report suggesting a medical devices to the public. “strong possibility that close to half of” St. impose obligations on medical Jude revenues were about to disappear for The Regulatory Landscape a period of roughly two years because St. device manufacturers whose Jude’s implantable cardiac devices were Companies that manufacture and sell allegedly vulnerable to cyber-attacks.1 The devices gather, store, or medical devices to the public face a complex report further stated that the cyber-attacks transmit information regulatory landscape. A host of different included crash attacks that cause devices to government agencies enforce laws that malfunction—including by apparently pacing impose obligations on medical device at a potentially dangerous rate and a battery manufacturers whose devices gather, store, drain attack that could be particularly harmful or transmit information. to device-dependent users.2 St. Jude share, by the end of the year. In contrast, upon release of the Muddy Waters HIPAA The Muddy Waters report was largely based report, St. Jude stock closed at $77.82, on analysis conducted by the cybersecurity well below the deal value, leading analysts For example, the Health Insurance company MedSec Holdings Inc. MedSec to speculate about the prospect of the Portability and Accountability regulations Chief Executive Officer Justine Bone acquisition by Abbott. (HIPAA rules) issued and enforced by the suggested that St. Jude’s products had an Department of Health and Human Services “astounding” level of problems, including In response, St. Jude filed suit in the U.S. (HHS) govern the privacy and security of lack of encryption and authentication District Court for the District of Minnesota protected health information (PHI).7 The between devices, which could allow hackers against Muddy Waters and MedSec, HIPAA rules require implementation of to tap into implanted devices.3 MedSec claiming that the allegations of cybersecurity reasonable and appropriate administrative, had negotiated compensation tied to the vulnerabilities are false. St. Jude further physical, technical, and organizational success of Muddy Waters’ trade position, alleged that the two companies used “false data security safeguards, including data and Ms. Bone stated that partnering with and misleading tactics” to scare patients, security risk assessments, and ongoing risk Muddy Waters was the most powerful drop share prices, and make cash on the management efforts to reduce cyber risks and way to inflict pain on St. Jude for what she side as a result. St. Jude also released a vulnerabilities. Compliance with the HIPAA

1 See http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/. 2 Id. 3 See http://www.bloomberg.com/news/articles/2016-08-25/carson-block-takes-on-st-jude-medical-with-claim-of-hack-risk. 4 Id. 5 See http://www.reuters.com/article/us-st-jude-medical-cyber-idUSKCN11129K. 6 Despite the company’s assertions that the allegations are exaggerated and untrue, the FDA contacted the company on April 12, 2017, and gave them 15 days to explain how it has addressed cybersecurity concerns. 7 The HHS regulations implementing the privacy and data security provisions of HIPAA are at 45 C.F.R. §§ 160, 164.

Continued on page 14...

13 The Serious and Immense Impact of a Medical Device Hack

Continued from page 13...

meet ever-evolving threats, and confirming The SEC up-to-date HIPAA compliance. The FTC’s enforcement Public medical device companies should also The FTC consider whether a security vulnerability or actions require companies to data breach should be disclosed to investors implement and maintain data In addition to the specific rules that govern and, by extension, to the U.S. Securities PHI, the Federal Trade Commission (FTC) has and Exchange Commission (SEC). The SEC security programs that contain taken a similar approach to data security has the authority to investigate possible more generally. Relying on the very broad violations of the federal securities laws, administrative, technical, and language in Section 5 of the FTC Act, which which include failures of public companies prohibits unfair and deceptive acts and physical safeguards appropriate practices in or affecting commerce, the FTC for the size and complexity of has brought over 60 enforcement actions against companies that allegedly failed to Public medical device the business and the sensitivity maintain adequate data security. Some of these actions were based on allegations that companies should consider of the personal information a company engaged in a deceptive practice collected if it did not have measures in place that whether a security vulnerability matched the public representations it made about its data security efforts.9 Even without or data breach should be an affirmative representation, however, the disclosed to investors and, by rules is mandatory for device manufacturers FTC could challenge a device manufacturer’s that collect or transfer PHI. 8 data security practices as unfair if the extension, to the SEC manufacturer failed to employ reasonable Device manufacturers and others that fail and appropriate measures to prevent to comply with the HIPAA rules may face unauthorized access to the information it significant penalties. For example, in August collected. to make adequate disclosures, withhold 2016, HHS imposed a $5.55 million penalty material information, and/or misrepresent to, in a settlement with Advocate Health Care The FTC’s enforcement actions, virtually all or mislead, investors.10 Network due, in part, to an alleged failure to of which are settlements, require companies conduct a data security risk assessment and to implement and maintain data security In 2011, the SEC issued written guidance to implement reasonable physical security programs that contain administrative, to public companies to assist them in measures. In roughly the same timeframe, technical, and physical safeguards “assessing what, if any, disclosures HHS settled a case against Oregon Health appropriate for the size and complexity should be provided [to shareholders/ & Science University (OHSU) that included of the business and the sensitivity of the investors] about cybersecurity matters.” The a $2.7 million civil penalty. The case was personal information collected from or guidance notes that “[a]lthough no existing based on allegations that OHSU’s risk about consumers. Similar to HHS, the FTC disclosure requirement explicitly refers to assessment did not cover all electronic expects companies to engage in regular risk cybersecurity risks and cyber incidents,” if PHI that it maintained, and that OHSU did assessments. Device manufactures should a public company experiences a “material not reasonably and appropriately address consider implementing data security plans cyberattack” it “would not be sufficient” for documented vulnerabilities and risks in a that meet these standards and should review the company to merely disclose that a risk timely manner. These settlements underscore their public statements, including their of cyber-attacks exists (i.e., via standard the importance of conducting regular risk privacy policies, to ensure that their practices risk factors); rather, the public company may assessments, ensuring that the device are consistent with any public commitments. be required to disclose specifics regarding manufacturer’s data security mechanisms the cyber event and its potential costs and

8 The protocol that HHS uses in HIPAA compliance audits is available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/. 9 For example, in January 2016, the FTC investigated and settled a case against Henry Schein Practice Solutions, Inc., for its alleged failure to provide industry-standard encryption of patient information despite advertising that it did so. In re Henry Schein Practice Solutions, Inc., No. C-4575 (May 20, 2016). 10 While the SEC engaging in the regulation of cyber or security events may seem odd, it is not. The underlying facts of such securities violations related to a cyberattack or security vulnerability in a medical device likely do not undermine such authority. See Securities Act of 1933 (Securities Act), Sections 19 & 20, 15 U.S.C. §§ 77s, 77t; Securities Act of 1934 (Exchange Act), Section 21, 15 U.S.C. § 78u.

14 The Serious and Immense Impact of a Medical Device Hack

consequences. Outside of standard risk device. Recognizing that the cybersecurity of communication shut-off of in-use medical factor disclosure, the SEC recommends connected medical devices could present a devices until, for instance, a vulnerability- that companies review other disclosures growing problem, the FDA issued guidance on mitigating patch can be implemented. such as the Management’s Discussion post-management security in 2016.12 While and Analysis of Financial Condition and the FDA’s guidance touches on a number of Reporting obligations to various agencies Results of Operations (MD&A), Business, areas, when evaluating post-market risk, the of the federal and state governments, Legal Proceedings, and Financial Statement FDA encourages companies to: and mechanisms for addressing any FDA- sections. mandated action, should be contained in the 1) monitor cybersecurity information incident response plan that is prepared and in sources for identification and detection In 2014, former SEC Commissioner Luis place ahead of any hack. of cybersecurity vulnerabilities and risk; Aguilar publicly stated that cybersecurity is 2) understand, assess, and detect the Plan of Action “of particular concern to the SEC” and that presence and impact of a vulnerability; he hoped the disclosures discussed in the 3) establish and communicate processes 2011 guidance “helped investors and public Medical device hacks can have serious for vulnerability intake and handling; and wide-ranging repercussions: they companies to focus and assess cybersecurity 4) clearly define essential clinical can endanger patient lives, result in issues.” Current SEC Chair Mary Jo performance of the device to develop White has reaffirmed the SEC’s focus on mitigations that protect, respond, and data breaches, materially affect stock cybersecurity.11 Of course, the dispositive recover from the cybersecurity risk; prices, sour investor relationships, scuttle question in determining whether disclosure 5) adopt a coordinated vulnerability ongoing transactions, and tarnish a device is required is whether the cyber-attack/ disclosure policy and practice; and manufacturer’s reputation. Hackers may also security vulnerability is material to investors. 6) deploy mitigations that address attempt to use their ability to hack a device In the recent past, many companies that cybersecurity risk early and prior to to extract a ransom in exchange for not have suffered large cybersecurity breaches exploitation. harming patients relying upon the device, for have not reported these in their period or providing information about how the hack is current reports on Form 10-K, 10-Q, or 8-K, The FDA has enforcement authority over performed, or for containing or preventing a and there have been a limited number of SEC medical device manufacturers. If a medical data breach. enforcement actions for failure to disclose device: a) has uncontrolled risk, including breaches. a cybersecurity risk, to essential clinical To prepare for a possible intrusion, performance that b) may reasonably cause companies whose devices may be subject to Increasing scrutiny and public awareness serious adverse health consequences or hacking should develop an incident response of cyber incidents, however, could lead to death, then the manufacturer may be in plan. Companies should also create a a tightening of disclosure standards. Public violation of the Federal Food, Drug, and culture that encourages and enables timely companies should be careful to ensure proper Cosmetic Act (FDCA). FDCA violations may reporting, evaluation, and escalation of disclosure. subject the device manufacturer to FDA reports of a possible hack, regardless of the enforcement actions, which can include the source. This can be achieved, for example, The FDA seizure and recall of medical devices. through comprehensive training of personnel and putting into place appropriate internal Finally, medical device companies should Thus, if a medical device hack endangers reporting mechanisms and structures. also consider the U.S. Food and Drug the health or safety of patients, the medical Administration’s (FDA’s) role in any medical device manufacturers should work with the In addition, companies should consider device hack, especially where the hack could FDA13 to mitigate the hacking-associated reviewing existing internal compliance result in harm or death to patients. risks in an expeditious manner. Companies policies, including those related to should be prepared to recall medical devices whistleblowing, to ensure these are designed The FDA regulates medical devices under, for that contain the vulnerability, re-engineer to appropriately identify and address reports instance, the Medical Device Amendments the medical device or its software to remove of information technology and cybersecurity of 1976, and is keenly concerned with the the hacking vulnerability, and facilitate issues. For example, whistleblowers safety and effectiveness of any medical and “white hat” hackers should have

11 Earlier this year, the SEC hired Chris Hetner as its first Senior Advisor to the Chair for Cybersecurity Policy. 12 See “Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff,” FDA (Jan. 22, 2016), available at: http://www. fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf. 13 Manufacturers regulated by the FDA may be required to report certain vulnerabilities under 21 C.F.R. parts 803, 806, and 1004.

Continued on page 16...

15 The Serious and Immense Impact of a Medical Device Hack

appropriate avenues to report potential cyber Therefore, companies should draft, 10) Reporting response efforts to senior vulnerabilities. implement, and regularly test their incident management. response plans.16 Incident response plans 11) Assessing legal and business risks Incident Response Plan and Team typically include detailed instructions for the from a security incident. following: 12) Determining breach notification The discovery of a hack is, at minimum, obligations under applicable law 1) Identifying and preparing the members unsettling for any company. Senior of the incident response team. This and contracts. This includes state managers are faced with making decisions includes determining, in advance, what and federal government and agency under extreme time pressures, which can roles and responsibilities key decision reporting requirements, and their significantly impact the business. makers will have in the event of a hack. associated timeframes, as well as 2) Putting communication trees (e.g., having a detailed plan for notifying In making these decisions, senior managers phone trees) in place and pressure- health care providers and their must be able to adjust in response to testing them to ensure timely access patients. unfolding events and new information. to key decision makers in the event of 13) If a ransom is demanded, deciding Manufacturers may also have obligations a hack. in advance the company’s policy on to notify various government agencies such 3) Cultivating good working relationships ransom payment, keeping in mind as the FDA and HHS, as well as affected with law enforcement and relevant that in some situations, the general individuals and their caregivers.14 governmental agencies before any hack policy may need to be adapted to meet occurs (the first time law enforcement incident specifics.17 Managing this effort can be complicated and meets your team should not be after a uncertain, and being prepared is a significant hack occurs). factor in mitigating costs and damages 4) Understanding, implementing, and Having and following an incident response associated with a hack. A key factor in updating protective mechanisms plan helps an organization methodically security incident preparedness is developing required by different laws. take the proper steps while responding to an incident response plan. Supporting the 5) Identifying suspected incidents an incident. Organizations with a plan will centrality and importance of an incident 6) Responding to suspected hacks from an be able to more quickly assess the incident response plan, research conducted by the IT perspective. so that they can respond in a timely, cost- Ponemon Institute shows that failure to have 7) Bringing in outside legal and forensics efficient, and effective manner. an incident response plan and team in place experts; legal should be involved from is a leading factor that can increase the the start. Intellectual Property Considerations incident costs and damages.15 8) Documenting a hack. 9) Mitigating damage from a hack. Timely fixing or patching over the hack is

14 FTC v. Wyndham Worldwide Corp, 12-CV-1365 (D. Ariz. 2012) (Complaint). 15 “Cost of a Data Breach Study: United States,” Ponemon Institute (June 2016). 16 HIPAA requires regulated companies to have an incident response plan. HHS recently reached a settlement with the University of Mississippi Medical Center imposing a monetary penalty of $2.75 million for HIPAA violations, including a failure to implement policies and procedures to address security incidents and a failure to properly notify individuals affected by a data breach. 17 Although this article does not deal with device design and manufacturing issues per se, companies should also consider taking steps to minimize the possibility of a device being hacked by: limiting the communication range of the device, using handshake protocols, making use of sophisticated encryption software, and allowing for external communication with the device to be shut off.

In addition, the FDA has provided draft guidance to medical device manufacturers to address pre-market concerns that networked medical devices may be vulnerable to cybersecurity threats that pose safety and effectiveness risks. See “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” FDA (Oct. 22, 2014), available at: http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf.

While not legally binding, medical device companies are nevertheless strongly encouraged to follow the FDA’s guidance, which, among other things, promotes the benefits of collaboration on and sharing of cyber risk information and intelligence with the medical device community through participation in an Information Sharing Analysis Organization.

The guidance also recommends using the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, and evaluating premarket risk by:

- identifying assets, threats, and vulnerabilities; - assessing the impact of these threats and vulnerabilities on the device functionality and end-users/patients; - assessing the likelihood of a threat and of a vulnerability being exploited; - determining risk levels and suitable mitigation strategies; and - assessing residual risk and risk acceptance criteria.

16 The Serious and Immense Impact of a Medical Device Hack

of paramount importance. But the ability to First, if a medical device manufacturer is relations can help a company weather a hack. make hardware or software modifications that involved in a transaction to sell the company, it Any proposed communication, however, should mitigate a hacking vulnerability may not simply should be careful in ensuring proper disclosure be evaluated in light of the potential for the be a technical problem. Any fix to a device’s regarding the features and limitations of the communication to be used in a future investor hardware or software should also not violate medical device and proactively addressing or patient lawsuit. intellectual property to which the medical any cybersecurity vulnerabilities to limit device manufacturer does not have rights. post-closing issues. The medical device Conclusion Thus, medical device manufacturers should manufacturer should also carefully consider maximize patent claim scope, strategically how risk—in the form of indemnification— With the growth of medical devices that leverage licenses, and be aware of the should be allocated after the deal closes. communicate wirelessly, share data, and relevant patent landscapes so as to create can be adjusted or turned off remotely, a “buffer” that allows for modifications that Second, disclosure of a hack may put the threat, reach, and potential fallout of could be reasonably foreseeable in response downward pressure on a medical device hacking will continue to increase. Medical to a hack. company’s stock. To protect against hostile device manufacturers should proactively take takeover at a vulnerable point, companies may steps to minimize the possibility of hacking, Other Considerations want to consider implementing appropriate and have structures in place—including an protective actions. incident response plan—to deal with a hack, A medical device hack (or the possibility of a should it occur. hack) raises diverse considerations beyond Finally, one way to minimize fallout from a those discussed above. While it is not hack is to control the narrative, which includes possible to address all of these, we point providing thoughtful responses, such as out three relevant examples as catalysts for planned changes to address vulnerabilities. further thought. Strategic, clear, timely, and honest public

David Hoffmeister Lydia Parnes Prashant Girinath (650) 354-4246 (202) 973-8801 (617) 598-7810 [email protected] [email protected] [email protected]

Vern Norviel Lawrence Perrone Jake Gatof (415) 947-2020 (202) 973-8818 (617) 598-7812 [email protected] [email protected] [email protected]

Mark Solakian Wendell Bartnick Charles Andres (617) 598-7803 (512) 338-5455 (202) 973-8875 [email protected] [email protected] [email protected]

Lou Lieto Jennifer Fang (617) 598-7802 (617) 598-7800 [email protected] [email protected]

17 Select Recent Life Sciences Client Highlights

Ninth Circuit Affirms Dismissal of New Enterprise Associates and new investor definition polymerase chain reaction Securities Class Action Against Align Questa Capital Management. WSGR technology. WSGR represented ChromaCode Technology represented Advanced Cardiac Therapeutics in the transaction. For additional details, On May 5, the U.S. Court of Appeals for the in the transaction. More information is please see http://www.prnewswire.com/ Ninth Circuit affirmed the dismissal of a available at http://www.businesswire.com/ news-releases/chromacode-raises-12-million- securities class action filed against Align news/home/20170502005519/en/Advanced- in-series-b-for-commercial-launch-and- Technology, maker of the Invisalign teeth- Cardiac-Therapeutics-Announces-45-Million- appoints-alex-dickinson-as-executive- aligning system. It’s the first time the Ninth Funding. chair-300445858.html. Circuit has ruled that the U.S. Supreme Court’s decision in Omnicare, Inc. v. Laborers Dist. Savara Secures $15 Million Loan and Drchrono Raises $12 Million Council Constr. Ind. Pension Fund, which Security Agreement with Silicon Valley Drchrono, a provider of the electronic health articulated the standards for pleading falsity Bank record, practice management, medical billing, of opinions, applies to Section 10(b) fraud Savara, a clinical-stage specialty revenue cycle management, and healthcare claims of the Securities Exchange Act of 1934. pharmaceutical company focused on the application programming interface (API) It’s also the first goodwill accounting case the development and commercialization of novel platform, announced on April 6 that it has Ninth Circuit has decided, holding that therapies for the treatment of serious or raised $12 million in a Series A round of judgments about goodwill accounting should life-threatening rare respiratory diseases, financing. The round was led by Runa Capital, be treated as opinion statements. WSGR announced on May 1 that it has entered into a with participation from Maxfield Capital, represented Align Technology and its former loan agreement—which provides for a $15 Quicken CEO Eric Dunn, and FundersClub. The CEO and CFO in the matter. More information million debt facility, $7.5 million of which is proceeds will fuel the company’s growth in is available at https://www.wsgr.com/WSGR/ immediately available to Savara—with larger healthcare organizations and revenue Display.aspx?SectionName=clients/0517- Silicon Valley Bank. WSGR represented cycle management business. WSGR align.htm. Savara in the transaction. Please refer to represented drchrono in the transaction. http://www.prnewswire.com/news-releases/ Please see http://www.marketwired.com/ Outset Medical Announces $76.5 Million savara-secures-15-million-loan-and-security- press-release/drchrono-raises-12m-series-a- in Funding agreement-with-silicon-valley- financing-round-build-medical-practice- Outset Medical, a commercial-stage company bank-300448508.html for further details. future-2208370.htm for further details. delivering first-of-its-kind technology to the global dialysis market, announced on May 3 Savara Announces Closing of Merger Vital Therapies Announces Pricing of that it has raised $76.5 million in a Series C with Mast Therapeutics Public Offering of Common Stock round of equity funding. A new investor, funds On April 27, Savara announced the closing of On March 22, Vital Therapies, a advised by T. Rowe Price Associates, led the its previously announced merger with biotherapeutic company developing a round, which also included participation from biopharmaceutical company Mast existing investors Fidelity Management & Therapeutics, under which the stockholders of cell-based therapy targeting the treatment of Research Company, Partner Fund Savara have become the majority owners of acute forms of liver failure, announced the Management LP, Warburg Pincus, Perceptive Mast, and the operations of Mast and Savara pricing of an underwritten public offering of Advisors, and The Vertical Group. WSGR have combined. WSGR represented Savara in 8,750,000 newly issued shares of its common represented Outset Medical in the the transaction. For further details, please see stock at a price to the public of $4.00 per transaction. Please refer to http://www. http://www.prnewswire.com/news-releases/ share, for gross proceeds of approximately businesswire.com/news/ savara-announces-closing-of-merger-with- $35 million. WSGR represented Vital home/20170503005383/en/Outset-Medical- mast-therapeutics-300447355.html. Therapies in the offering. Additional Announces-76.5-Million-Funding-Innovative information is available at https:// for further details. ChromaCode Raises $12 Million in Series globenewswire.com/news- B Round release/2017/03/22/943085/0/en/Vital- Advanced Cardiac Therapeutics Raises Molecular diagnostics company ChromaCode Therapies-Announces-Pricing-of-Public- $45 Million announced on April 27 that it has raised $12 Offering-of-Common-Stock.html. Advanced Cardiac Therapeutics, a medical million in a Series B round of financing led by device company focused on developing a New Enterprise Associates with participation AliveCor Raises $30 Million Series D next-generation ablation catheter to treat from Domain Associates and Okapi Ventures. Financing cardiac arrhythmias, announced on May 2 that The proceeds will be used to fuel AliveCor, a leader in FDA-cleared mobile it has raised $45 million in new equity funding development and establish the commercial electrocardiogram technology for mobile led by Ajax Health alongside existing investor infrastructure for the company’s high- devices, announced on March 16 that it has

18 Select Recent Life Sciences Client Highlights

raised $30 million in a Series D round of participation from Johnson & Johnson announced on January 10 that it has been financing led by Omron Healthcare with Innovation and other world-class strategic acquired by Roche Holdings. Under the terms participation from Mayo Clinic and existing pharmaceutical, technology, and financial of the agreement, Roche has acquired inside investors. WSGR represented AliveCor investors. WSGR represented GRAIL in the ForSight VISION4 for an undisclosed upfront in the transaction. More details are available transaction. Please refer to https:// payment and additional earn-out payments at http://www.prnewswire.com/news- globenewswire.com/news- related to development and commercial releases/alivecor-unveils-first-ai-enabled- release/2017/03/01/929515/0/en/GRAIL- milestones. WSGR represented ForSight platform-for-doctors-to-improve-stroke- Closes-Over-900-Million-Initial-Investment-in- VISION 4 in the transaction. For additional prevention-through-early-atrial-fibrillation- Series-B-Financing-to-Develop-Blood-Tests-to- information, visit http://www.prnewswire. detection-300424529.html. Detect-Cancer-Early.html for more details. com/news-releases/forsight-vision4-inc- announces-acquisition-by-roche-300388249. Vertiflex Completes $40 Million Delinia to Be Acquired by Celgene html. Financing Round On January 26, Celgene, a global On March 8, Vertiflex, a leading innovator of pharmaceutical company, and Delinia, a Trefoil Therapeutics Raises $5.2 Million advanced, minimally invasive interventions for privately held biotechnology company Trefoil Therapeutics, an early-stage spinal stenosis, announced that it has developing novel therapeutics for autoimmune biopharmaceutical company focused on completed a $40 million round of financing led diseases, announced that they have entered developing a regenerative approach to by new investors Endeavour Vision and H.I.G. into an agreement for the acquisition of corneal endothelial dystrophies and other BioHealth Partners, with participation from Delinia by Celgene. Under the terms of the diseases, announced on January 5 that it existing investors New Enterprise Associates, agreement, Celgene will make an initial has raised $5.2 million in a Series 1 round of Thomas, McNerney & Partners, and Alta payment of $300 million and Delinia financing led by Hatteras Venture Partners Partners. WSGR represented Vertiflex in the shareholders will be eligible to receive up to with participation from AJU IB Investment, transaction. For more information, please see an additional $475 million in contingent Correlation Ventures, ExSight Capital, http://www.businesswire.com/news/ payments upon achievement of certain and InFocus Capital. WSGR represented home/20170308005249/en/Vertiflex- development, regulatory, and commercial Trefoil Therapeutics in the transaction. For Completes-40-Million-Financing. milestones. WSGR represented Delinia in IP more information, please see http://www. matters related to the transaction. Please mikeblaber.org/series1.htm. First Circuit Reverses Dismissal of refer to http://ir.celgene.com/releasedetail. Amphastar Antitrust Suit cfm?ReleaseID=1009217 for additional PvP Biologics and Takeda Announce On March 6, the U.S. Court of Appeals for the details. Development Agreement Around Novel First Circuit revived an antitrust suit brought Therapeutic for Celiac Disease by Amphastar Pharmaceuticals—a specialty KenSci Secures $8.5 Million in Series A On January 5, Takeda Pharmaceutical, a pharmaceutical company that focuses Round global pharmaceutical company, and PvP primarily on developing, manufacturing, KenSci, a healthcare data platform and Biologics, a developer of an oral enzyme for marketing, and selling technically challenging machine learning-powered applications the treatment of celiac disease, announced generic and proprietary injectable, inhalation, company, announced on January 25 that it has a global agreement for the development of and intranasal products—against Momenta raised $8.5 million in a Series A round of KumaMax, a novel enzyme designed to break Pharmaceuticals and Sandoz that was financing led by Ignition Partners with down the immune-reactive parts of gluten in previously dismissed by the U.S. District Court participation from Osage University Partners the stomach. PvP will conduct all R&D through for the District of Massachusetts. WSGR is and Mindset Ventures. The proceeds will phase one proof-of-principle studies per a representing Amphastar in the matter. For accelerate innovation for KenSci’s machine pre-defined development plan. Takeda will further details, please see https://www.wsgr. learning platform and expand operations to fund $35 million for PvP’s expenses related to com/WSGR/Display. support the company’s rapidly growing the plan in exchange for an exclusive option aspx?SectionName=clients/0317-amphastar. customer base. WSGR represented KenSci in to acquire PvP following receipt of a pre- htm. the transaction. For further details, please see defined data package. Upon PvP’s successful http://www.businesswire.com/news/ completion of the development plan, Takeda GRAIL Raises More Than $900 Million in home/20170125005319/en/KenSci-Secures- may exercise its option to acquire PvP Series B Financing 8.5M-Series-Funding-Fight-Death. by paying an undisclosed fee as well as GRAIL, a life sciences company whose development and regulatory milestones. mission is to detect cancer early, announced ForSight VISION4 Announces Acquisition WSGR represented PvP in the transaction. on March 1 that it has raised more than $900 by Roche Please see http://www.businesswire.com/ million through the first close of its previously ForSight VISION4, a privately held news/home/20170105005656/en/Takeda-PvP- announced Series B round of financing. The biotechnology company revolutionizing drug Biologics-Announce-Development-Agreement- round was led by ARCH Venture Partners, with delivery for treatment of retinal diseases, Therapeutic for further details.

19 Upcoming Life Sciences Events

25th Annual Medical Device Conference Phoenix 2017: The Medical Device and Biotech Board of Directors and Senior June 1-2, 2017 Diagnostic Conference for CEOs Executives Reception The Palace Hotel October 18-20, 2017 January 10, 2018 San Francisco, California The Ritz-Carlton, Half Moon Bay The San Francisco Museum of Modern Art https://www.wsgr.com/news/medicaldevice Half Moon Bay, California (SFMOMA) https://www.wsgr.com/news/phoenix San Francisco, California Wilson Sonsini Goodrich & Rosati’s 25th Annual Medical Device Conference, aimed at The 24th Annual Phoenix Conference will Wilson Sonsini Goodrich & Rosati’s annual professionals in the medical device industry, convene top-level executives from large Biotech Board of Directors and Senior will focus on understanding the challenges healthcare companies and CEOs of small, Executives Reception, held to coincide with facing the medtech start-up today, and the venture-backed firms to discuss issues of the J.P. Morgan 36th Annual Healthcare strategies that are emerging to respond interest to the medical device industry Conference, is an exclusive networking event to these challenges. Through a series of today, as well as to network and gain geared toward executives and directors of topical panels, attendees will hear from valuable insights from both industry biotechnology companies. industry CEOs, venture capitalists, industry leaders and peers. strategists, investment bankers, and market analysts.

Casey McGlynn, a leader of the firm’s life sciences practice, has editorial oversight ofThe Life Sciences Report and was assisted by Philip Oettinger, Elton Satusky, Scott Murano, and James Huie. They would like to take this opportunity to thank all of the contributors to the report, which is published on a semi-annual basis.

Casey McGlynn Philip Oettinger Elton Satusky Scott Murano James Huie (650) 354-4115 (650) 565-3564 (650) 565-3588 (650) 849-3316 (650) 565-3981 [email protected] [email protected] [email protected] [email protected] [email protected]

THIS PUBLICATION IS PROVIDED AS A SERVICE TO OUR CLIENTS AND FRIENDS AND IS FOR INFORMATIONAL PURPOSES ONLY. IT IS NOT INTENDED TO CREATE AN ATTORNEY-CLIENT RELATIONSHIP OR CONSTITUTE AN ADVERTISEMENT, A SOLICITATION, OR PROFESSIONAL ADVICE AS TO ANY PARTICULAR SITUATION.

650 Page Mill Road, Palo Alto, CA 94304-1050 | Phone: 650-493-9300 | Fax: 650-493-6811 | www.wsgr.com

Austin Beijing Boston Brussels Hong Kong Los Angeles New York Palo Alto San Diego San Francisco Seattle Shanghai Washington, DC Wilmington, DE

© 2017 Wilson Sonsini Goodrich & Rosati, Professional Corporation. All rights reserved.