2,137 research outputs found

    The Future of Medical Device Regulation and Standards: Dealing with Critical Challenges for Connected, Intelligent Medical Devices

    The paper reviews the main trends in the existing standards and regulatory landscape applicable to connected, intelligent medical devices (CIMDs) and captures critical challenges and potential gaps in this area. Based on interviews and a roundtable with key experts and practitioners in the field, the White Paper identifies several critical challenges that should inform the future development of standards and guidelines applicable to CIMDs, with a specific focus on artificial intelligence, cybersecurity, and data governance issue

    Emerging Digital Technologies in Patient Care: Dealing with connected, intelligent medical device vulnerabilities and failures in the healthcare sector

    The integration of the Internet of Medical Things (IoMT) and Artificial Intelligence (AI) into clinical routines is significantly impacting organisational preparedness at the point of care, raising concerns not only about the resilience of the healthcare infrastructure, but also about how physicians, clinicians, and healthcare professionals respond to, manage, and reduce new risks associated with connected and intelligent medical devices in the interest of patient safety and care. The following report summarises findings from the workshop entitled Emerging Digital Technologies in Patient Care: Dealing with Connected, Intelligent Medical Device Vulnerabilities and Failures in the Healthcare Sector, held on 23 February 2023 at Goodenough College, London. The workshop was organised by members of the Reg-MedTech project, funded by the PETRAS National Centre of Excellence in IoT Systems Cybersecurity (EPSRC grant number EP/S035362/1), in collaboration with project partners at the BSI, the UK’s National Standards Body. Since October 2021, the Reg-MedTech project has investigated the extent to which current regulatory frameworks and standards address the critical cybersecurity, data governance, and algorithmic integrity risks posed by connected and intelligent medical devices. A critical finding from its ongoing research has been the need to develop standards, regulations, and policies that are better informed by the experiences of physicians, clinicians, and healthcare professionals dealing with software-based medical devices or software as a medical device (SaMD) in their day-to-day practice

    Software as a Medical Device (SaMD): Useful or Useless Term?

    Software as a medical device is a relatively new and expanding field in which patient safety must be a key concern. Regulation and standards regarding software as a medical device (subsequently referred to as “SaMD”) must incorporate all components that could potentially influence SaMD, both in its development and implementation. However, SaMD has been varyingly defined by organisations and individuals within the literature, therefore there is no clear boundary as to what is or is not SaMD, consequently, no clear definition of SaMD exists. Without a clear definition it therefore becomes impossible to create standards to regulate SaMD. Ultimately, this results in increased risks to patient safety. The purpose of this study was to identify SaMD concepts through a Scoping Review to establish the boundaries of SaMD. This has significant impact on new technology applications to support healthcare monitoring and healthcare service delivery. This will ultimately affect how new technology can be regulated in healthcare and will impact innovation and design in this field

    Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem

    The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This multifaceted problem must be viewed from a systemic perspective if adequate protection is to be put in place and patient safety concerns addressed. This requires technical controls, governance, resilience measures, consolidated reporting, context expertise, regulation, and standards. It is evident that a coordinated, proactive approach to address this complex challenge is essential. In the interim, patient safety is under threat

    Risk Assessment and Classification of Medical Device Software for the Internet of Medical Things

    Although the medical device industry operates within a stringent regulatory environment, the growing deployment of connected, intelligent medical devices (CIMDs) in the healthcare sector is challenging these established regulatory frameworks. CIMDs come in a variety of forms, from implantables, to specialist IoMT devices deployed at the point-of-care, to AI-based medical devices, and AI as a medical device (AIaMDs). These devices raise several cybersecurity, data management, and algorithmic integrity concerns for patient safety and the delivery of reliable, responsible healthcare. The purpose of this article is to focus on a particular characteristic of CIMDs: their changing risk profile, several times throughout their lifecycle, with limited awareness from users, manufacturers, and regulators. Looking at the implications of these often subtle yet meaningful software modifications for current medical device regulations and for critical stakeholders in the CIMD ecosystem, the article highlights three main challenges to: i) risk assessment, classification and management frameworks that underpin current medical device regulations; ii) current medical device compliance frameworks, especially the post-market surveillance of medical devices; and iii) the detection, categorization, and reporting of compromised devices that might not perform according to their intended purpose. The article brings empirical evidence from a qualitative research study conducted with critical stakeholders in the medical device sector

    Threat Assessment and Risk Analysis (TARA) for Interoperable Medical Devices in the Operating Room Inspired by the Automotive Industry

    Prevailing trends in the automotive and medical device industry, such as life cycle overarching configurability, connectivity, and automation, require an adaption of development processes, especially regarding the security and safety thereof. The changing requirements imply that interfaces are more exposed to the outside world, making them more vulnerable to cyberattacks or data leaks. Consequently, not only do development processes need to be revised but also cybersecurity countermeasures and a focus on safety, as well as privacy, have become vital. While vehicles are especially exposed to cybersecurity and safety risks, the medical devices industry faces similar issues. In the automotive industry, proposals and draft regulations exist for security-related risk assessment processes. The medical device industry, which has less experience in these topics and is more heterogeneous, may benefit from drawing inspiration from these efforts. We examined and compared current standards, processes, and methods in both the automotive and medical industries. Based on the requirements regarding safety and security for risk analysis in the medical device industry, we propose the adoption of methods already established in the automotive industry. Furthermore, we present an example based on an interoperable Operating Room table (OR table)