Michael Barbella , Managing Editor11.09.22
The end is within sight.
After 30 long months of lockdowns, lost work, disrupted routines, vaccinations, booster shots, and social isolation, the COVID-19 finish line loomed large on the horizon this year.
“We have never been in a better position to end the pandemic,” WHO Director-General Tedros Adhanom Ghebreyesus, Ph.D., declared at a mid-September press conference. “We are not there yet, but the end is in sight.”
Ghebreyesus’ proclamation was welcome news to the billions of inhabitants who have spent the last two and a half years struggling to tread water amid the ambiguity of a pandemic. For much of that period, it seemed the world had entered a cruel “Groundhog Day” time loop, interminably reliving the same story without hope for resolution.
That time loop finally broke this year as humankind made significant headway in its fight against the deadly coronavirus. Vaccines and booster shots improved mortality rates, relieving the strain on hospitals; face masks become optional in many places as infection rates declined, enabling friends, families, and co-workers to reconnect without fear of contamination.
Seemingly, out of nowhere, the pandemic was no longer big news. The Russia-Ukraine conflict, astronomical gas prices, record high inflation, and recession murmurs all pushed the pandemic to the back burner.
But SARS-CoV-2 was never far from our collective thoughts.
While COVID-19’s end may have begun (or is it the end of the beginning?), Ghebreyesus reminded the world of the importance of keeping our eyes on the prize.
“A marathon runner does not stop when the finish line comes into view, she just runs harder, with all the energy she has left. So must we,” he said. “We can see the finish line, we’re in a winning position. But now is the worst time to stop running. Now is the time to run harder and make sure we cross the line and reap the rewards of all our hard work.”
Time for a sprint to the finish. The reward is worth the effort.
The dread and apprehension are gone, as are the paralyzing bouts of sleep anxiety. Also missing are the unpleasant thoughts and illusory presumptions that often dawned after sunset.
Replacing all that misery is serenity, certitude, and a bit of contentment—sensibilities that help Lauren sleep without fear these days after a harrowing year-plus interruption in her sleep apnea treatment.
“Life or death,” Lauren told NBC-TV affiliate WESH (Daytona Beach, Fla.) in June. “I could die without it.”
Lauren survived (physically, at least) without her nightly infusion of pressurized air, but the frustrating quandary in which the Orlando, Fla., resident found herself is one of the many hallmarks of pandemic life, spawned by a perfect storm of product recalls, sole-source dependency, and continuing supply chain troubles.
That storm—swirling for nearly 18 months—has left quite a swath of victims and damage in its wake.
Among the victims is Winter Springs, Fla., resident Steve Dross, who’s been waiting eight months (and counting) for a CPAP (continuous positive airway pressure) machine. “I think it’s ridiculous,” Dross griped to WESH. “In this day and age, you shouldn’t have to wait a year for a CPAP machine.”
Indeed, a months-long wait for a CPAP machine is preposterous. But it’s become typical in this day and age of COVID-19-induced material and component shortages, intermittent lockdowns, production slowdowns, escalating shipping costs, grandiose geopolitical aspirations, and faulty polyurethane foam.
CPAP machines have joined an expansive list of medical devices facing critical shortages from the world’s gnarled supply chain. The assistive breathing apparatuses are functional only with computer chips, a component that has become as hard to find as lumber and silicone rubber amid the Great Supply Chain Disruption.
The chip’s descent into the supply chain void was neither swift nor straightforward. Its tumble began with the East Asian trade wars of the late 2010s (U.S.-China, 2018; Japan-Korea, 2019), which increased lead times, inflated pricing, and tightened constraints on raw materials. The U.S.-China dispute triggered semiconductor wafer hoarding in the Middle Kingdom while the Japan-Korea tussle sent manufacturers scrambling for chipmaking chemicals. Compounding the growing shortage were COVID-19 lockdowns and production interruptions from both extreme weather and factory fires.
A colossal miscalculation of anticipated demand, however, sealed the chip supply’s ultimate fate: Major buyers—fearing a severe global recession—scaled back their orders during the pandemic’s early days, leading to a manufacturing slowdown. But the recession never materialized; economic growth actually mushroomed after COVID-19’s initial shocks wore off, leaving the industry woefully unprepared to meet the planet’s surging appetite for telecommunications technology and other commodities.
“Demand for chips is high. It is getting higher,” U.S. Commerce Secretary Gina Raimondo said in January. “Five days of inventory. No room for error. That tells you how fragile this supply chain is. We aren’t even close to being out of the woods. The semiconductor supply chain is very fragile and it’s going to remain that way until we can increase chip manufacturing.”
Increasing manufacturing won’t be easy, though. Adding chip-making capacity is time-consuming and expensive (it can take up to two years and cost billions of dollars). The U.S. government is offering some financial help, providing $52 billion in funding to stateside semiconductor manufacturers, but the money is unlikely to immediately impact supply. Similarly, new factories planned by Intel, Samsung Electronics, and Texas Instruments are not expected to be operational before mid-2024 or 2025 at the earliest.
Increasing manufacturing at existing semiconductor plants is no less complicated. Russia’s war with Ukraine has hobbled sourcing of chip-making ingredients like krypton and neon, and COVID -19 outbreaks in Southeast Asia have stymied the industry’s lead frames stockpile.
The sourcing issues, production disruptions, skyrocketing demand, and international turmoil have caused lead times and chip prices to balloon, with lead times now stretching upwards of 40-50 weeks and costs running at least 10% to 20% above pre-pandemic levels.
“There’s no easy way to get around a short supply of semiconductors and rising costs when every company is in the same boat,” Jabil Global Procurement Vice President Scott Graham wrote in a blog earlier this year. “Having already taken blows from 2021 and 2022’s uncertainties (so far), the markets that rely most heavily on chips...are braced for more unknowns.”
And ugly truths. The chip shortage and other vexing supply chain disruptions have significantly eroded corporate profits this year, particularly in industries that depend on integrated circuits for digitizing components. The automotive industry has sustained the largest losses (an estimated $210 billion in 2021), but the consumer electronics, LED/lighting, power, and medtech sectors have all been affected as well.
While medtech’s financial suffering pales in comparison to automotive’s overall deficit, supply-related challenges have had a far graver impact on its end users, as evidenced by the long waits for life-saving CPAP machines.
Those waits basically resulted from too few chips and too much demand, courtesy of the global shortage and Royal Philips’ Class I recall of more than 5.5 million sleep apnea and ventilator devices in June 2021. Both challenges have made it difficult, if not impossible, to meet CPAP machine demand in a timely manner.
San Diego-based ResMed Inc. spent months scouring its supply chain for available stock, to no avail. The company eventually increased production in Q4 (ended June 30) by redesigning certain AirSense 10 CPAP and APAP machines without cellular communication chips. Rebranded as card-to-cloud devices, the revamped products lack some remote features and substitute automatic data transmission with an SD card-assisted manual upload.
“We’ve been able to mitigate some of the electronic component bottlenecks with the launch of our redesigned card-to-cloud AirSense 10 devices...” ResMed CEO Mick Farrell told investors during a Q4 earnings call in August.
“During the last month of the quarter, during June, we were able to allocate more products to our customers than in recent months and in recent quarters. The global supply chain environment remains very much in flux across multiple industries. We are starting to see indications that the macro environment is improving, particularly semiconductor availability. We’re not out of the woods yet, but the compass is pointing to true north and we are on top of it.”
ResMed’s production compass may indicate true north, but the firm’s supply chain struggles have prevented its fiscal magnetometer from achieving a precise directional match. A “very significant double-digit de-commit” from a semiconductor supplier cut ResMed’s anticipated recall windfall by $100 million; during a Q3 earnings call, Farrell adjusted the gain downward from $300 million-$350 million to $200 million-$250 million.
“...our supply chain allowed us to sort of take two steps forward and two steps back versus two steps forward and one step back,” Farrell said in April. “That didn’t allow us to achieve that extra $100 million of incremental revenue we thought we would achieve through fiscal ‘22 for the first half. So that’s going to be tougher and it moves things a little bit further back.”
ResMed was not alone on the two-step dance floor, though. Most major medical device firms boot-scooted their way to financial disappointment from this year’s supply chain troubles.
Medtronic, for example, posted an 8% sales loss in its first fiscal quarter (2023), Philips recorded a $53 million deficit in its second quarter (2022), and GE Healthcare failed to improve its year-over-year Q2 revenue despite a $160 million improvement over the previous three months. Baxter International, meanwhile, lowered its 2022 sales and earnings guidance after a subpar second-quarter performance. The company cut its projected sales growth from 23%-24% on a reported basis and 25%-26% on a constant currency basis to the high teens (reported) and the mid-20s (constant currency). Adjusted EPS fell to $3.60-$3.70 from $4.12-$4.20.
“We have been severely impacted by a lot of factors—the worldwide stress on the supply chain, the inability of our suppliers to supply—and that shows up all over the operations of our company,” Baxter chief financial officer Jay Saccaro told investors during a Q2 earnings call in July. “We’re continuing to navigate a dynamic and ever-changing macro environment. This near-term volatility has created certain challenges for our business, and led us to lowering our full-year outlook. It’s an incredibly volatile dynamic that we’re experiencing as we look at our supplier base.”
That volatility halved Smith+Nephew’s cash flow in the first six months of 2022 (compared to last year), and trimmed its trading profit margin by 0.4%. Although the latter reduction was minor, it nevertheless spawned skepticism among analysts over the comp- any’s ability to achieve its 21% trading profit margin in 2024.
Market instability also decimated NuVasive Inc.’s Q2 2022 net income in spite of a 5.3% sales hike. The company lost $893,000, or 2 cents per share, on $310.5 million in proceeds, compared with $1.79 million in profit, or 3 cents per share, on $294.8 million in Q2 2021 revenue. The loss is not expected to affect sales this year —a 6%-8% growth rate is still within range—but the firm has lowered its diluted EPS to 95 cents-$1.25 from $1.05-$1.35.
For some medtech companies, however, the fallout from prolonged supply chain chaos has been far less tangible. The instability has impacted on-time delivery service at Intuitive Surgical Inc. and delayed product shipments at Stryker Corp.
“I think the persistent thing we are seeing is because the supply chain has been so spotty,” Stryker chief financial officer Glenn Boehnlein said in July, “we are just—feeling inefficiencies in our processes and how we manage our manufacturing across the globe with...inconsistencies of when we will have raw materials available for teams to work on.”
Those raw materials could be available sooner rather than later, actually. Improvements in resin and semiconductor bottlenecks over the summer have given device executives reason to hope for a near-term end to the world’s supply chain drama.
“I am certainly hopeful that we see easing of electromechanical components, along with the normalization of freight lanes and freight times and the impact,” Baxter’s Saccaro said. “I’m optimistic that all of those things will occur...this situation that we’re in, I know it will resolve. I just can’t answer at this point how quickly that will occur.”
Unfortunately, nobody can.
Read more: bit.ly/3ylvOpV
Doctors in January diagnosed son Gavin with type 1 diabetes, a chronic condition that robs the pancreas of its insulin-making ability. Such a life-altering prognosis can be unsettling, worrisome, and even a bit frightening for those afflicted, especially children, who may be confused by their body’s betrayal.
Confusion was just one of the emotions coursing through the Spoth household after Gavin’s diagnosis. Despondency, anxiety, and astoundment were present too while the boy and his family gradually forged a treatment strategy based on the latest blood glucose measuring/monitoring technology.
Those feelings, however, eventually gave way to anger and frustration over (perceived) subpar diabetes management software and patient data security risks. “One thing that is abundantly clear over our first few months post-diagnosis is that, while the medical technology is for the most part wonderful and works the overwhelming majority of the time, the software behind that technology is highly lacking,” Eric Spoth told the U.S. Food and Drug Administration (FDA) in written testimony this past summer. “Integration with existing operating systems and devices is shoddy at best, if attempts are made by the companies at all. While the systems themselves are seemingly stable, we quickly realized we needed better integration with hardware than these companies provide.”
In his testimony, Spoth lauded the benefits of third-party software, noting these systems are easily integrated with current smart devices and thus allow for continuous blood glucose monitoring. Limiting access to these systems, he warned, will restrict consumer choice and potentially create software tech monopolies. He also advised against prohibiting diabetes patients from accessing their personal data.
“I am conscious of the cybersecurity concerns here, but there really should be a middle ground for those who use these systems not for administering insulin, but for collecting readings as part of an entire approach to care,” Spoth testified. “These systems are often better than these companies can offer and a lot of people rely on them so please I beg you try to be light-handed with your regulations.”
Spoth’s testimony was among the deluge of feedback the FDA received after releasing an updated medical device cybersecurity draft guidance in April. Most comments (1,870 total) came from diabetes patients and/or their caregivers concerned the revised regulations would considerably limit their ability to access their medical devices and (blood glucose) data.
“Do not lock patients out of their own medical data, or out of control of their own medical devices. That should be of paramount importance in every cybersecurity policy—companies cannot be allowed to hold patients hostage by holding vital data and treatment options in walled gardens where the company’s rules are more important than the patient’s health,” William Ray wrote in his comments to the FDA. “As a Type 1 diabetic, I rely on continuous glucose monitoring data to make adjustments to my insulin, and I rely on an insulin pump to manage delivery of that insulin in accordance to the adjustments I need. If I don’t continuously balance and rebalance those numbers, I will die. But as the rules stand today, I cannot connect those devices, I cannot automate routine adjustments, and I can’t even view all my data in one place because those devices will not work together. The American consumer deserves access to their own data. We deserve control of our own healthcare. Whatever cybersecurity options are discussed, it needs to be absolutely guaranteed that patients have total control over digital access, and not just the corporations who sell the devices.”
The FDA’s guidance proposes a total product lifecycle approach to device cybersecurity, recommending that security controls be baked into product design, addressed in premarket submissions, aligned with quality system regulations, and applied to older legacy equipment. The revised regulations would replace a 4-year-old document that updated FDA’s 2014 cybersecurity guidance.
The agency’s total lifecycle strategy aims to extend responsibility for software cybersecurity beyond specified departments to all divisions within a medtech organization. The guidance encourages device manufacturers to create and adopt a Secure Product Development Framework (SPDF), which the FDA describes as a set of processes that help reduce the number and severity of vulnerabilities throughout the product lifecycle. The guidance recommends that SPDFs encompass manufacturers’ risk management initiatives, security architecture for all devices, and cybersecurity testing details.
“The increasingly interconnected nature of medical devices has demonstrated the importance of addressing cybersecurity risks associated with device connectivity in device design because of the effects on safety and effectiveness. Cybersecurity risks that are introduced by threats directly to the medical device or to the larger medical device system can be reasonably controlled through using an SPDF,” the FDA guidance states. “The primary goal of using an SPDF is to manufacture and maintain safe and effective devices. The benefit of following an SPDF is that a device is more likely to be secure by design, such that the device is designed from the outset to be secure within its system and/or network of use.”
The SPDF is one of several notable changes included in the updated draft guidance. Another removes risk tiers (creating a process where documentation scales naturally with increasing cybersecurity risk) while a third adds Investigational Device Exemptions to the document’s overall scope. In addition, the guidance further clarifies the requirements for premarket submission documents.
One of the guidance’s key alterations, however, is the switch from a more comprehensive Cybersecurity Bill of Materials (CBOM) to a Software Bill of Materials (SBOM), which aligns the new directive with President Biden’s May 2021 executive order to bolster America’s cybersecurity posture. The FDA replaced the CBOM to alleviate some of the burden on device manufacturers, since most cybersecurity concerns lie within the software.
According to the guidance, the SBOM should provide various details of a product’s embedded software, including its name, version, manufacturer, level of support, end-of-support date, and any known vulnerabilities. The SBOM must be regularly updated to reflect any software changes, and it should support both 21 CFR 820.30 (Design History File) and 21 CFR 820.181 (Design Master Record) documentation.
Although industry representatives generally welcomed the addition of an SBOM, many were critical of its provisions. The Medical Device Manufacturers Association (MDMA), for instance, took issue with some terminology—specifically, the use of “any known vulnerabilities” and “end-of-support date.”
“We are concerned that ‘any known vulnerabilities’ may be overly burdensome [and] too broad...an improvement would be ‘Vulnerabilities that affect the product and represent a new or increased safety risk,’” MDMA president/CEO Mark B. Leahy wrote in a July 7 letter to the FDA. “Alternately, we recommend [the] item be removed entirely from the SBOM and instead FDA should rely on known defects to capture this information, recognizing that vulnerabilities will likely become out of date quickly and too much information could clutter the more important vulnerabilities. Additionally, the software component’s ‘end-of-support’ date is frequently unknown and can change due to acquisitions.”
Microsoft recommended that SBOMs be “top-down rather than bottom-up” and Connected Health Initiative suggested the SBOMs stay consistent with industry standards and the National Telecommunications and Information Administration specification of minimum SBOM elements.
Microsoft also advised the FDA to address the ways in which medical device manufacturers can use cloud services to conform to guidance expectations in multiple areas—including but not limited to security risk management, security architecture, cybersecurity testing, and cybersecurity transparency.
“The FDA correctly recognizes that medical device security is a shared responsibility among stakeholders throughout the use environment of the medical device system. The guidance, however, never explicitly identifies cloud service providers as potential key stakeholders despite [the] cloud’s explosive growth in recent years,” Kevin Reifsteck, director for Critical Infrastructure Protection, Customer Security and Trust, Corporate, External and Legal Affairs at Microsoft, wrote in a July 7 submission to the FDA. “Before issuing its final guidance, however, we recommend the FDA consider revising the document to explicitly address the use of cloud computing and incorporate more internationally recognized cybersecurity standards and best practices. We believe that making these revisions will strengthen medical device security, lower barriers to medical device innovation, and help reduce the cost of device development over the long-term.”
In the eight years since finalizing its first cybersecurity guidance, the FDA has progressively reinforced its efforts to fend off digital miscreants. It has developed an “internal playbook” to help agency staff address cybersecurity threats, signed memoranda of understanding with multiple stakeholders to create sharing analysis organizations, and last year, named its first-ever cybersecurity director.
Yet the threat persists, seemingly immune to any remedy the FDA or industry dishes out. The problem, in fact, appeared to snowball in 2022, with healthcare-related breaches spiking during the spring; Baxter International, BD, Fresenius Kabi, and Medtronic acknowledging security vulnerabilities in several of their products, and America’s second-largest hospital chain, CommonSpirit Health, falling victim to a massive ransomware attack.
Adding fuel to the growing conflagration was the Federal Bureau of Investigation’s (FBI) mid-September warning about the safety risks posed by unpatched and legacy medical devices. A notification from the FBI’s Cyber Division said the agency identified “an increasing number of vulnerabilities” from unpatched medical devices running on outdated software and products lacking adequate security features. The vulnerabilities exist in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. “Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health,” the notification read.
In its warning, the FBI noted that 53% of connected medical devices and other Internet of Things (IoT) hospital equipment have known vulnerabilities. Moreover, roughly one-third of healthcare IoT devices have an identified critical risk, which could potentially implicate devices’ technical operation and functions.
To reduce the possibility of a cyberattack, the FBI recommends health systems take various steps to better identify vulnerabilities and actively secure medical devices. The steps include endpoint protection (antivirus software), identity and access management (changing default passwords), asset management (using inventory results to identify critical medical devices), vulnerability management (routine vulnerability scans), and training (teaching employees to identify and report possible threats).
“Medical devices have known vulnerabilities that impact various machines used for healthcare purposes...” the FBI notification warned. “Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.”
And that’s just the tip of the iceberg.
Read more: bit.ly/3EFB7EQ
Understandable, considering the superior quality of his work. But, truth be told, he was not actually the inventor of that axiom.
Twain was more of an editor than a creator in this case, likely paraphrasing the 1854 adage from its original form: “Figures won’t lie but men that draw up the tables may.”
Regardless of exact wording, the underlying message is clear—in their most basic form, figures (numbers, mathematical data) are factually truthful, but can be presented in misleading ways.
Case in point: medtech M&A in 2022. Activity was down compared to last year, as record high inflation, geopolitical unrest, global recession fears, and lingering supply chain troubles eroded investor confidence.
“What are some of the contributing factors...having [investors] pause a little bit? Inflation became real, it wasn’t transitory anymore, and the war in Europe—that was something we didn’t think about in 2021,” Dave Sheppard, managing director and COO of M&A advisory firm MedWorld Advisors, noted in an Oct. 6 webinar. “What we find is that buyers can deal with good news and they can deal with bad news, [but] where they become a little challenged in making decisions is [with] uncertainty.”
Such aversion to market ambiguity is evident in merger and acquisition activity this year. Deal value and volume fell considerably from 2021 levels, reflecting a shift in focus to integration and value-capture transactions, financial analysts claim.
Data from various industry sources confirm the decline in 2022 M&A activity, though each uses slightly different measuring tools. A PwC analysis, for example, found that semi-annualized deal value fell 85%, while J.P. Morgan statistics show a first half decline in venture capital investments. Financing for medtech diagnostics, digital therapeutics, and tools diminished 19.1% to $16.1 billion through June 30, the investment bank reported.
Deal volume was down as well. Stout’s healthcare and life science transaction totals posted double-digit decreases in the first half of 2022, falling 15.7% in Q1 to 438 deals and 36.8% in Q2 to 338 proceedings. While a weaker first half was expected given the bolus of transactions consummated late last year, the second-quarter decline was far greater than Stout analysts had anticipated.
The springtime slump makes sense in retrospect, as it coincided with worsening inflation, strict COVID-19 lockdowns in China, and escalating warfare between Russia and Ukraine (leading to higher gas prices and supply shortages). Yet the poor M&A showing tells only part of the story.
The other part (a very important one, incidentally) is the record level of M&A activity last year. “2021 was an incredible outlier year. It is by far the biggest year that M&A has ever seen,” MedWorld Advisors CEO and president Florence Joffroy-Black told webinar participants. “If you remember, things were kind of stopped in 2020, people waited, and in 2021, people started all over again. What’s interesting is we went up not only in the number of deals [in 2021] but also in the value of deals. 2021 will go down as a record year not only because of the value in deals but also because of the size of the mergers that took place.”
Transaction size was definitely a contributing factor to 2022’s downfall. The mega deals that helped bolster medtech M&A value last year (Thermo Fisher-PPD, $17.4 billion; Baxter-Hillrom, $12.4 billion; Steris-Cantel Medical, $4.6 billion) were missing in 2022.
In place of those larger acquisitions were smaller, capabilities-driven deals that helped enhance Beckman Coulter Diagnostics’ and Getinge’s Clinical Decision Support services (via StoCastic and FLUOPTICS, respectively); strengthen Frensenius Kabi’s IV drug offerings (courtesy of Ivenix); expand Becton Dickinson’s pharmacy technologies prowess (through Parata Systems and MedKeeper); and fortify Boston Scientific Corp.’s embolization proficiency (via Obsidio).
Some of the portfolio-enhancing deals were sizable, including BD and Parata Systems ($1.5 billion); ArchiMed and Natus Medical ($1.2 billion); ResMed and MEDIFOX DAN ($1 billion); Masimo and Sound United ($1 billion); Alcon and Aerie Pharmaceuticals ($770 million); and Sema4 and GeneDx ($623 million).
Not quite on par with last year’s activity.
Such a substandard performance, however, must be taken in context. Medtech M&A may indeed have been anemic this year compared with 2021 (an aberration, no doubt), but it nevertheless fared significantly better than in pre-pandemic years.
As Joffroy-Black agreed in the webinar, “Overall M&A activity in 2022 is still positive, even if the numbers tell a different story. There’s a lot of cash out there being used in deals. The level of cash used in M&A transactions has definitely gotten higher. If you look at healthcare...the deal count is down but it’s still a good number compared to 2020 or 2019. We are ahead of where we were then.”
Not a bad position to be in these days.
Read more: bit.ly/3TJvvOk
After 30 long months of lockdowns, lost work, disrupted routines, vaccinations, booster shots, and social isolation, the COVID-19 finish line loomed large on the horizon this year.
“We have never been in a better position to end the pandemic,” WHO Director-General Tedros Adhanom Ghebreyesus, Ph.D., declared at a mid-September press conference. “We are not there yet, but the end is in sight.”
Ghebreyesus’ proclamation was welcome news to the billions of inhabitants who have spent the last two and a half years struggling to tread water amid the ambiguity of a pandemic. For much of that period, it seemed the world had entered a cruel “Groundhog Day” time loop, interminably reliving the same story without hope for resolution.
That time loop finally broke this year as humankind made significant headway in its fight against the deadly coronavirus. Vaccines and booster shots improved mortality rates, relieving the strain on hospitals; face masks become optional in many places as infection rates declined, enabling friends, families, and co-workers to reconnect without fear of contamination.
Seemingly, out of nowhere, the pandemic was no longer big news. The Russia-Ukraine conflict, astronomical gas prices, record high inflation, and recession murmurs all pushed the pandemic to the back burner.
But SARS-CoV-2 was never far from our collective thoughts.
While COVID-19’s end may have begun (or is it the end of the beginning?), Ghebreyesus reminded the world of the importance of keeping our eyes on the prize.
“A marathon runner does not stop when the finish line comes into view, she just runs harder, with all the energy she has left. So must we,” he said. “We can see the finish line, we’re in a winning position. But now is the worst time to stop running. Now is the time to run harder and make sure we cross the line and reap the rewards of all our hard work.”
Time for a sprint to the finish. The reward is worth the effort.
Fishin’ Chips
The nights are not so difficult now.The dread and apprehension are gone, as are the paralyzing bouts of sleep anxiety. Also missing are the unpleasant thoughts and illusory presumptions that often dawned after sunset.
Replacing all that misery is serenity, certitude, and a bit of contentment—sensibilities that help Lauren sleep without fear these days after a harrowing year-plus interruption in her sleep apnea treatment.
“Life or death,” Lauren told NBC-TV affiliate WESH (Daytona Beach, Fla.) in June. “I could die without it.”
Lauren survived (physically, at least) without her nightly infusion of pressurized air, but the frustrating quandary in which the Orlando, Fla., resident found herself is one of the many hallmarks of pandemic life, spawned by a perfect storm of product recalls, sole-source dependency, and continuing supply chain troubles.
That storm—swirling for nearly 18 months—has left quite a swath of victims and damage in its wake.
Among the victims is Winter Springs, Fla., resident Steve Dross, who’s been waiting eight months (and counting) for a CPAP (continuous positive airway pressure) machine. “I think it’s ridiculous,” Dross griped to WESH. “In this day and age, you shouldn’t have to wait a year for a CPAP machine.”
Indeed, a months-long wait for a CPAP machine is preposterous. But it’s become typical in this day and age of COVID-19-induced material and component shortages, intermittent lockdowns, production slowdowns, escalating shipping costs, grandiose geopolitical aspirations, and faulty polyurethane foam.
CPAP machines have joined an expansive list of medical devices facing critical shortages from the world’s gnarled supply chain. The assistive breathing apparatuses are functional only with computer chips, a component that has become as hard to find as lumber and silicone rubber amid the Great Supply Chain Disruption.
The chip’s descent into the supply chain void was neither swift nor straightforward. Its tumble began with the East Asian trade wars of the late 2010s (U.S.-China, 2018; Japan-Korea, 2019), which increased lead times, inflated pricing, and tightened constraints on raw materials. The U.S.-China dispute triggered semiconductor wafer hoarding in the Middle Kingdom while the Japan-Korea tussle sent manufacturers scrambling for chipmaking chemicals. Compounding the growing shortage were COVID-19 lockdowns and production interruptions from both extreme weather and factory fires.
A colossal miscalculation of anticipated demand, however, sealed the chip supply’s ultimate fate: Major buyers—fearing a severe global recession—scaled back their orders during the pandemic’s early days, leading to a manufacturing slowdown. But the recession never materialized; economic growth actually mushroomed after COVID-19’s initial shocks wore off, leaving the industry woefully unprepared to meet the planet’s surging appetite for telecommunications technology and other commodities.
“Demand for chips is high. It is getting higher,” U.S. Commerce Secretary Gina Raimondo said in January. “Five days of inventory. No room for error. That tells you how fragile this supply chain is. We aren’t even close to being out of the woods. The semiconductor supply chain is very fragile and it’s going to remain that way until we can increase chip manufacturing.”
Increasing manufacturing won’t be easy, though. Adding chip-making capacity is time-consuming and expensive (it can take up to two years and cost billions of dollars). The U.S. government is offering some financial help, providing $52 billion in funding to stateside semiconductor manufacturers, but the money is unlikely to immediately impact supply. Similarly, new factories planned by Intel, Samsung Electronics, and Texas Instruments are not expected to be operational before mid-2024 or 2025 at the earliest.
Increasing manufacturing at existing semiconductor plants is no less complicated. Russia’s war with Ukraine has hobbled sourcing of chip-making ingredients like krypton and neon, and COVID -19 outbreaks in Southeast Asia have stymied the industry’s lead frames stockpile.
The sourcing issues, production disruptions, skyrocketing demand, and international turmoil have caused lead times and chip prices to balloon, with lead times now stretching upwards of 40-50 weeks and costs running at least 10% to 20% above pre-pandemic levels.
“There’s no easy way to get around a short supply of semiconductors and rising costs when every company is in the same boat,” Jabil Global Procurement Vice President Scott Graham wrote in a blog earlier this year. “Having already taken blows from 2021 and 2022’s uncertainties (so far), the markets that rely most heavily on chips...are braced for more unknowns.”
And ugly truths. The chip shortage and other vexing supply chain disruptions have significantly eroded corporate profits this year, particularly in industries that depend on integrated circuits for digitizing components. The automotive industry has sustained the largest losses (an estimated $210 billion in 2021), but the consumer electronics, LED/lighting, power, and medtech sectors have all been affected as well.
While medtech’s financial suffering pales in comparison to automotive’s overall deficit, supply-related challenges have had a far graver impact on its end users, as evidenced by the long waits for life-saving CPAP machines.
Those waits basically resulted from too few chips and too much demand, courtesy of the global shortage and Royal Philips’ Class I recall of more than 5.5 million sleep apnea and ventilator devices in June 2021. Both challenges have made it difficult, if not impossible, to meet CPAP machine demand in a timely manner.
San Diego-based ResMed Inc. spent months scouring its supply chain for available stock, to no avail. The company eventually increased production in Q4 (ended June 30) by redesigning certain AirSense 10 CPAP and APAP machines without cellular communication chips. Rebranded as card-to-cloud devices, the revamped products lack some remote features and substitute automatic data transmission with an SD card-assisted manual upload.
“We’ve been able to mitigate some of the electronic component bottlenecks with the launch of our redesigned card-to-cloud AirSense 10 devices...” ResMed CEO Mick Farrell told investors during a Q4 earnings call in August.
“During the last month of the quarter, during June, we were able to allocate more products to our customers than in recent months and in recent quarters. The global supply chain environment remains very much in flux across multiple industries. We are starting to see indications that the macro environment is improving, particularly semiconductor availability. We’re not out of the woods yet, but the compass is pointing to true north and we are on top of it.”
ResMed’s production compass may indicate true north, but the firm’s supply chain struggles have prevented its fiscal magnetometer from achieving a precise directional match. A “very significant double-digit de-commit” from a semiconductor supplier cut ResMed’s anticipated recall windfall by $100 million; during a Q3 earnings call, Farrell adjusted the gain downward from $300 million-$350 million to $200 million-$250 million.
“...our supply chain allowed us to sort of take two steps forward and two steps back versus two steps forward and one step back,” Farrell said in April. “That didn’t allow us to achieve that extra $100 million of incremental revenue we thought we would achieve through fiscal ‘22 for the first half. So that’s going to be tougher and it moves things a little bit further back.”
ResMed was not alone on the two-step dance floor, though. Most major medical device firms boot-scooted their way to financial disappointment from this year’s supply chain troubles.
Medtronic, for example, posted an 8% sales loss in its first fiscal quarter (2023), Philips recorded a $53 million deficit in its second quarter (2022), and GE Healthcare failed to improve its year-over-year Q2 revenue despite a $160 million improvement over the previous three months. Baxter International, meanwhile, lowered its 2022 sales and earnings guidance after a subpar second-quarter performance. The company cut its projected sales growth from 23%-24% on a reported basis and 25%-26% on a constant currency basis to the high teens (reported) and the mid-20s (constant currency). Adjusted EPS fell to $3.60-$3.70 from $4.12-$4.20.
“We have been severely impacted by a lot of factors—the worldwide stress on the supply chain, the inability of our suppliers to supply—and that shows up all over the operations of our company,” Baxter chief financial officer Jay Saccaro told investors during a Q2 earnings call in July. “We’re continuing to navigate a dynamic and ever-changing macro environment. This near-term volatility has created certain challenges for our business, and led us to lowering our full-year outlook. It’s an incredibly volatile dynamic that we’re experiencing as we look at our supplier base.”
That volatility halved Smith+Nephew’s cash flow in the first six months of 2022 (compared to last year), and trimmed its trading profit margin by 0.4%. Although the latter reduction was minor, it nevertheless spawned skepticism among analysts over the comp- any’s ability to achieve its 21% trading profit margin in 2024.
Market instability also decimated NuVasive Inc.’s Q2 2022 net income in spite of a 5.3% sales hike. The company lost $893,000, or 2 cents per share, on $310.5 million in proceeds, compared with $1.79 million in profit, or 3 cents per share, on $294.8 million in Q2 2021 revenue. The loss is not expected to affect sales this year —a 6%-8% growth rate is still within range—but the firm has lowered its diluted EPS to 95 cents-$1.25 from $1.05-$1.35.
For some medtech companies, however, the fallout from prolonged supply chain chaos has been far less tangible. The instability has impacted on-time delivery service at Intuitive Surgical Inc. and delayed product shipments at Stryker Corp.
“I think the persistent thing we are seeing is because the supply chain has been so spotty,” Stryker chief financial officer Glenn Boehnlein said in July, “we are just—feeling inefficiencies in our processes and how we manage our manufacturing across the globe with...inconsistencies of when we will have raw materials available for teams to work on.”
Those raw materials could be available sooner rather than later, actually. Improvements in resin and semiconductor bottlenecks over the summer have given device executives reason to hope for a near-term end to the world’s supply chain drama.
“I am certainly hopeful that we see easing of electromechanical components, along with the normalization of freight lanes and freight times and the impact,” Baxter’s Saccaro said. “I’m optimistic that all of those things will occur...this situation that we’re in, I know it will resolve. I just can’t answer at this point how quickly that will occur.”
Unfortunately, nobody can.
Read more: bit.ly/3ylvOpV
More Cyber Insecurity
It’s been a difficult year for the Spoth family.Doctors in January diagnosed son Gavin with type 1 diabetes, a chronic condition that robs the pancreas of its insulin-making ability. Such a life-altering prognosis can be unsettling, worrisome, and even a bit frightening for those afflicted, especially children, who may be confused by their body’s betrayal.
Confusion was just one of the emotions coursing through the Spoth household after Gavin’s diagnosis. Despondency, anxiety, and astoundment were present too while the boy and his family gradually forged a treatment strategy based on the latest blood glucose measuring/monitoring technology.
Those feelings, however, eventually gave way to anger and frustration over (perceived) subpar diabetes management software and patient data security risks. “One thing that is abundantly clear over our first few months post-diagnosis is that, while the medical technology is for the most part wonderful and works the overwhelming majority of the time, the software behind that technology is highly lacking,” Eric Spoth told the U.S. Food and Drug Administration (FDA) in written testimony this past summer. “Integration with existing operating systems and devices is shoddy at best, if attempts are made by the companies at all. While the systems themselves are seemingly stable, we quickly realized we needed better integration with hardware than these companies provide.”
In his testimony, Spoth lauded the benefits of third-party software, noting these systems are easily integrated with current smart devices and thus allow for continuous blood glucose monitoring. Limiting access to these systems, he warned, will restrict consumer choice and potentially create software tech monopolies. He also advised against prohibiting diabetes patients from accessing their personal data.
“I am conscious of the cybersecurity concerns here, but there really should be a middle ground for those who use these systems not for administering insulin, but for collecting readings as part of an entire approach to care,” Spoth testified. “These systems are often better than these companies can offer and a lot of people rely on them so please I beg you try to be light-handed with your regulations.”
Spoth’s testimony was among the deluge of feedback the FDA received after releasing an updated medical device cybersecurity draft guidance in April. Most comments (1,870 total) came from diabetes patients and/or their caregivers concerned the revised regulations would considerably limit their ability to access their medical devices and (blood glucose) data.
“Do not lock patients out of their own medical data, or out of control of their own medical devices. That should be of paramount importance in every cybersecurity policy—companies cannot be allowed to hold patients hostage by holding vital data and treatment options in walled gardens where the company’s rules are more important than the patient’s health,” William Ray wrote in his comments to the FDA. “As a Type 1 diabetic, I rely on continuous glucose monitoring data to make adjustments to my insulin, and I rely on an insulin pump to manage delivery of that insulin in accordance to the adjustments I need. If I don’t continuously balance and rebalance those numbers, I will die. But as the rules stand today, I cannot connect those devices, I cannot automate routine adjustments, and I can’t even view all my data in one place because those devices will not work together. The American consumer deserves access to their own data. We deserve control of our own healthcare. Whatever cybersecurity options are discussed, it needs to be absolutely guaranteed that patients have total control over digital access, and not just the corporations who sell the devices.”
The FDA’s guidance proposes a total product lifecycle approach to device cybersecurity, recommending that security controls be baked into product design, addressed in premarket submissions, aligned with quality system regulations, and applied to older legacy equipment. The revised regulations would replace a 4-year-old document that updated FDA’s 2014 cybersecurity guidance.
The agency’s total lifecycle strategy aims to extend responsibility for software cybersecurity beyond specified departments to all divisions within a medtech organization. The guidance encourages device manufacturers to create and adopt a Secure Product Development Framework (SPDF), which the FDA describes as a set of processes that help reduce the number and severity of vulnerabilities throughout the product lifecycle. The guidance recommends that SPDFs encompass manufacturers’ risk management initiatives, security architecture for all devices, and cybersecurity testing details.
“The increasingly interconnected nature of medical devices has demonstrated the importance of addressing cybersecurity risks associated with device connectivity in device design because of the effects on safety and effectiveness. Cybersecurity risks that are introduced by threats directly to the medical device or to the larger medical device system can be reasonably controlled through using an SPDF,” the FDA guidance states. “The primary goal of using an SPDF is to manufacture and maintain safe and effective devices. The benefit of following an SPDF is that a device is more likely to be secure by design, such that the device is designed from the outset to be secure within its system and/or network of use.”
The SPDF is one of several notable changes included in the updated draft guidance. Another removes risk tiers (creating a process where documentation scales naturally with increasing cybersecurity risk) while a third adds Investigational Device Exemptions to the document’s overall scope. In addition, the guidance further clarifies the requirements for premarket submission documents.
One of the guidance’s key alterations, however, is the switch from a more comprehensive Cybersecurity Bill of Materials (CBOM) to a Software Bill of Materials (SBOM), which aligns the new directive with President Biden’s May 2021 executive order to bolster America’s cybersecurity posture. The FDA replaced the CBOM to alleviate some of the burden on device manufacturers, since most cybersecurity concerns lie within the software.
According to the guidance, the SBOM should provide various details of a product’s embedded software, including its name, version, manufacturer, level of support, end-of-support date, and any known vulnerabilities. The SBOM must be regularly updated to reflect any software changes, and it should support both 21 CFR 820.30 (Design History File) and 21 CFR 820.181 (Design Master Record) documentation.
Although industry representatives generally welcomed the addition of an SBOM, many were critical of its provisions. The Medical Device Manufacturers Association (MDMA), for instance, took issue with some terminology—specifically, the use of “any known vulnerabilities” and “end-of-support date.”
“We are concerned that ‘any known vulnerabilities’ may be overly burdensome [and] too broad...an improvement would be ‘Vulnerabilities that affect the product and represent a new or increased safety risk,’” MDMA president/CEO Mark B. Leahy wrote in a July 7 letter to the FDA. “Alternately, we recommend [the] item be removed entirely from the SBOM and instead FDA should rely on known defects to capture this information, recognizing that vulnerabilities will likely become out of date quickly and too much information could clutter the more important vulnerabilities. Additionally, the software component’s ‘end-of-support’ date is frequently unknown and can change due to acquisitions.”
Microsoft recommended that SBOMs be “top-down rather than bottom-up” and Connected Health Initiative suggested the SBOMs stay consistent with industry standards and the National Telecommunications and Information Administration specification of minimum SBOM elements.
Microsoft also advised the FDA to address the ways in which medical device manufacturers can use cloud services to conform to guidance expectations in multiple areas—including but not limited to security risk management, security architecture, cybersecurity testing, and cybersecurity transparency.
“The FDA correctly recognizes that medical device security is a shared responsibility among stakeholders throughout the use environment of the medical device system. The guidance, however, never explicitly identifies cloud service providers as potential key stakeholders despite [the] cloud’s explosive growth in recent years,” Kevin Reifsteck, director for Critical Infrastructure Protection, Customer Security and Trust, Corporate, External and Legal Affairs at Microsoft, wrote in a July 7 submission to the FDA. “Before issuing its final guidance, however, we recommend the FDA consider revising the document to explicitly address the use of cloud computing and incorporate more internationally recognized cybersecurity standards and best practices. We believe that making these revisions will strengthen medical device security, lower barriers to medical device innovation, and help reduce the cost of device development over the long-term.”
In the eight years since finalizing its first cybersecurity guidance, the FDA has progressively reinforced its efforts to fend off digital miscreants. It has developed an “internal playbook” to help agency staff address cybersecurity threats, signed memoranda of understanding with multiple stakeholders to create sharing analysis organizations, and last year, named its first-ever cybersecurity director.
Yet the threat persists, seemingly immune to any remedy the FDA or industry dishes out. The problem, in fact, appeared to snowball in 2022, with healthcare-related breaches spiking during the spring; Baxter International, BD, Fresenius Kabi, and Medtronic acknowledging security vulnerabilities in several of their products, and America’s second-largest hospital chain, CommonSpirit Health, falling victim to a massive ransomware attack.
Adding fuel to the growing conflagration was the Federal Bureau of Investigation’s (FBI) mid-September warning about the safety risks posed by unpatched and legacy medical devices. A notification from the FBI’s Cyber Division said the agency identified “an increasing number of vulnerabilities” from unpatched medical devices running on outdated software and products lacking adequate security features. The vulnerabilities exist in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. “Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health,” the notification read.
In its warning, the FBI noted that 53% of connected medical devices and other Internet of Things (IoT) hospital equipment have known vulnerabilities. Moreover, roughly one-third of healthcare IoT devices have an identified critical risk, which could potentially implicate devices’ technical operation and functions.
To reduce the possibility of a cyberattack, the FBI recommends health systems take various steps to better identify vulnerabilities and actively secure medical devices. The steps include endpoint protection (antivirus software), identity and access management (changing default passwords), asset management (using inventory results to identify critical medical devices), vulnerability management (routine vulnerability scans), and training (teaching employees to identify and report possible threats).
“Medical devices have known vulnerabilities that impact various machines used for healthcare purposes...” the FBI notification warned. “Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.”
And that’s just the tip of the iceberg.
Read more: bit.ly/3EFB7EQ
Medtech M&A: Down But Not Out
The maxim “figures don’t lie but liars do figure” has long been attributed to Mark Twain.Understandable, considering the superior quality of his work. But, truth be told, he was not actually the inventor of that axiom.
Twain was more of an editor than a creator in this case, likely paraphrasing the 1854 adage from its original form: “Figures won’t lie but men that draw up the tables may.”
Regardless of exact wording, the underlying message is clear—in their most basic form, figures (numbers, mathematical data) are factually truthful, but can be presented in misleading ways.
Case in point: medtech M&A in 2022. Activity was down compared to last year, as record high inflation, geopolitical unrest, global recession fears, and lingering supply chain troubles eroded investor confidence.
“What are some of the contributing factors...having [investors] pause a little bit? Inflation became real, it wasn’t transitory anymore, and the war in Europe—that was something we didn’t think about in 2021,” Dave Sheppard, managing director and COO of M&A advisory firm MedWorld Advisors, noted in an Oct. 6 webinar. “What we find is that buyers can deal with good news and they can deal with bad news, [but] where they become a little challenged in making decisions is [with] uncertainty.”
Such aversion to market ambiguity is evident in merger and acquisition activity this year. Deal value and volume fell considerably from 2021 levels, reflecting a shift in focus to integration and value-capture transactions, financial analysts claim.
Data from various industry sources confirm the decline in 2022 M&A activity, though each uses slightly different measuring tools. A PwC analysis, for example, found that semi-annualized deal value fell 85%, while J.P. Morgan statistics show a first half decline in venture capital investments. Financing for medtech diagnostics, digital therapeutics, and tools diminished 19.1% to $16.1 billion through June 30, the investment bank reported.
Deal volume was down as well. Stout’s healthcare and life science transaction totals posted double-digit decreases in the first half of 2022, falling 15.7% in Q1 to 438 deals and 36.8% in Q2 to 338 proceedings. While a weaker first half was expected given the bolus of transactions consummated late last year, the second-quarter decline was far greater than Stout analysts had anticipated.
The springtime slump makes sense in retrospect, as it coincided with worsening inflation, strict COVID-19 lockdowns in China, and escalating warfare between Russia and Ukraine (leading to higher gas prices and supply shortages). Yet the poor M&A showing tells only part of the story.
The other part (a very important one, incidentally) is the record level of M&A activity last year. “2021 was an incredible outlier year. It is by far the biggest year that M&A has ever seen,” MedWorld Advisors CEO and president Florence Joffroy-Black told webinar participants. “If you remember, things were kind of stopped in 2020, people waited, and in 2021, people started all over again. What’s interesting is we went up not only in the number of deals [in 2021] but also in the value of deals. 2021 will go down as a record year not only because of the value in deals but also because of the size of the mergers that took place.”
Transaction size was definitely a contributing factor to 2022’s downfall. The mega deals that helped bolster medtech M&A value last year (Thermo Fisher-PPD, $17.4 billion; Baxter-Hillrom, $12.4 billion; Steris-Cantel Medical, $4.6 billion) were missing in 2022.
In place of those larger acquisitions were smaller, capabilities-driven deals that helped enhance Beckman Coulter Diagnostics’ and Getinge’s Clinical Decision Support services (via StoCastic and FLUOPTICS, respectively); strengthen Frensenius Kabi’s IV drug offerings (courtesy of Ivenix); expand Becton Dickinson’s pharmacy technologies prowess (through Parata Systems and MedKeeper); and fortify Boston Scientific Corp.’s embolization proficiency (via Obsidio).
Some of the portfolio-enhancing deals were sizable, including BD and Parata Systems ($1.5 billion); ArchiMed and Natus Medical ($1.2 billion); ResMed and MEDIFOX DAN ($1 billion); Masimo and Sound United ($1 billion); Alcon and Aerie Pharmaceuticals ($770 million); and Sema4 and GeneDx ($623 million).
Not quite on par with last year’s activity.
Such a substandard performance, however, must be taken in context. Medtech M&A may indeed have been anemic this year compared with 2021 (an aberration, no doubt), but it nevertheless fared significantly better than in pre-pandemic years.
As Joffroy-Black agreed in the webinar, “Overall M&A activity in 2022 is still positive, even if the numbers tell a different story. There’s a lot of cash out there being used in deals. The level of cash used in M&A transactions has definitely gotten higher. If you look at healthcare...the deal count is down but it’s still a good number compared to 2020 or 2019. We are ahead of where we were then.”
Not a bad position to be in these days.
Read more: bit.ly/3TJvvOk