Home medical devices: Security and regulations

Home medical devices: Security and regulations

By Manuel Noben

Modern technology has brought about an evolution in medical devices, making them smaller, more accurate, and available for in-home use rather than being exclusive to clinics. Already the most advanced devices allow off-site monitoring of chronically ill patients. For instance, a patient with a history of heart failure was successfully treated recently for low blood pressure, which could have caused pulmonary edema, without any in-person visits to the doctor’s office simply by monitoring the patient’s health remotely.

It is expected that these technologies will allow patients and healthcare systems in the United States to save USD $200 billion over the next 25 years, mainly by preventing disease escalation in chronically ill patients. As recently covered by PreScouter, telemedicine is rapidly being expanded in the COVID-19 pandemic. Regulations are playing catch-up, leaving eager implementers to figure out where they are able to extend services and where they are not.

Data protection:

With new technologies come new concerns. One concern may be when using a device such as a smartwatch, many of which are now getting approval to be used as bona fide heart monitors. Integration of data from different providers into patient files is an obstacle. Within the United States, all these parties need to integrate data in a manner that is compliant with the Health Insurance Portability and Accountability Act (HIPAA).

Regulatory guidelines:

To streamline regulations, the US Federal Trade Commission (FTC) has a portal where health app developers can see which regulations from which agencies they have to adhere to. There are several agencies involved, depending on the security threat the app may pose and the type of consumer data being sent through the app.

HIPAA covers privacy concerns, setting rules for handling personal healthcare information. The US Food and Drug Administration (FDA) provides guidelines related to cybersecurity but does not actively test security. Instead, that is the responsibility of the developers and manufacturers, as well as the distributors.

Over the years, the FDA has taken advice from manufacturers and experts on how to improve the screening process. Additionally, the FDA keeps track of security breaches and developments and encourages users to stay informed regarding security breaches. A precertification process for software as a medical device (SaMD) is also in the works. The FDA chairs the SaMD workgroup, which consists of medical device regulators from around the globe and has issued guidelines for risk stratification, quality management, and clinical evaluation.

In March 2020, the International Medical Device Regulators Forum (IMDRF) released Principles and Practices for Medical Device Cybersecurity, a 46-page guiding document that gives recommendations to manufacturers ranging from development to manufacturing to post-marketing. The document also contains recommendations for regulators, healthcare providers, and users. At the core of these recommendations is that cybersecurity needs to be part of every step, from development to post-marketing. There need to be thorough responses to security threats throughout the lifetime of the product or software.

Data from personal devices:

As described in the 21st Century Cures Act, FDA regulations only apply to devices intended to diagnose, cure, or otherwise influence diseases. But advances in technology are rapidly expanding product functionality; for example, smart watches and phones are beginning to function as medical devices. As per regulations, manufacturers are certifying these devices accordingly.

In the near future, your smartwatch may be able to tell if you are coming down with the flu, COVID-19, or even Lyme disease. Such novel uses of technology hold promise to significantly improve users’ health and wellbeing, but it will be up to regulators, manufacturers, and healthcare providers to ensure that these products are adapted in a safe and efficacious manner.

Apart from security and regulations, we also have to make sure that these technologies are available to all social layers in society so that no group is underserved. Legislation dealing with reimbursement of medical devices needs to act proactively in this regard. Lastly, consumers also have a responsibility to make sure their device is secure from possible data leaks by putting in place extra measures such as two-factor login. Transmission of data to third parties is far from transparent. Big data companies are hungry for medical data, and consumers need to be aware of what they are sharing when using certain apps, as protection laws do not apply once a person uploads data to a consumer app.

European regulations:

In 2017, the European Union introduced new legislation regarding the Medical Device Regulations (MDR) and In-Vitro Diagnostic Medical Devices Regulations (IVDR) (EU 2017/745 and EU 2017/746, respectively). Due to the COVID-19 crisis, the deadline for adherence has been moved up by one year to May 2021 for MDR and remains May 2022 for IVDR. The European Union is also introducing a new database for registration of medical devices known as EUDAMED. The launch of its first module, a registration module, is almost ready but will be launched in 2021 when the new regulation takes effect. Additional modules, such as one that will assign unique device numbers, are expected to launch after May 2021. Upcoming medical device registrations will have to choose from a number of options and also be future-compliant.

As in the recommendations by IMDRF, under the new regulations, a manufacturer must analyze possible threats and assure appropriate mitigation of risk under normal circumstances and reasonably foreseeable misuse. The device must also be regularly updated to the state of the art with respect to operation and cybersecurity. For software/apps as a medical device, manufacturer certification is allowed for class I (low risk) products, whereas the higher-class products need to be certified by a Notified Body.

In general, new regulations require stricter reporting of clinical trial outcomes and drug toxicity. The application for European Union approval might have become more expensive due to extra safety regulations, but it may offset the cost by removing the need to apply to EU countries individually.

New regulations, new opportunities:

Given current trends such as rapid technological advances of connected medical devices and the rise of telemedicine, which has been accelerated during the current COVID-19 pandemic, there is a need for increased regulations, certification, and monitoring. The market is already responding and companies are being created to jump into the space, offering pathways to certification and ready-to-use solutions for device security.

Medical device manufacturers will have to perform a cost-benefit analysis and decide whether to implement regulations themselves or choose to outsource components of this process. All players in this space should be prepared for some degree of uncertainty as guidelines for new technologies are solidified and, ultimately, additional regulations on medical devices, particularly around usage of personal data, are introduced.

If you have any questions or would like to know if we can help your business with its innovation challenges, please leave your info here or contact Jeremy Schmerer, Healthcare & Life Sciences Lead, directly at jschmerer@prescouter.com or Linda Cohen, Strategic Accounts Manager at lcohen@prescouter.com.

Never miss an insight

Get insights delivered right to your inbox

More of Our Insights & Work