Plans for new UK medical device regulations have been announced by the Department of Health and Social Care (DHSC). The changes will broaden the definition of a medical device, and encompass regulation of novel and growing areas such as software and AI as a medical device (SaMD/AIaMD). But experts say the plans lack detail on data security, and could prioritise innovation over patient safety.
The DHSC says the package of reforms will improve how the Medicines and Healthcare products Regulatory Agency (MHRA) polices medical devices and in vitro diagnostic medical devices (IVDs). The new rules follow the UK’s exit from the European Union, and are designed to protect patient safety, it says. They follow an extensive consultation process, and the government’s consultation response outlines changes intended to boost innovation in medical devices, and access for patients.
What is the government’s plan for the future of medical device regulation?
According to health secretary Sajid Javid, the government will introduce “some of the most robust” safety measures across the world for medical devices, which will include software. This is to ensure patients are protected whenever they come into contact with a medical device or IVD.
“Now we have left the EU, these new changes will allow innovation to thrive and ensure UK patients are among the first to benefit from technological breakthroughs,” Javid said.
The consultation addressed a broad range of regulatory issues such as requirements for running clinical investigations, how devices are assessed before being placed on the market, import and distributor obligations and post-market safety monitoring.
Following its completion, the government has created a medical device regulatory framework, which is designed to address the needs of device developers and the healthcare sector, and is built on five pillars. These are: strengthening MHRA power; making the UK a focus for innovation; addressing health inequalities; proportionate regulation so it aligns with the EU and wider world; and setting world-leading standards.
How will the government define AIaMD?
As part of its response to the consultation, DHSC says that it will add the definition of “software” to the regulation, which will cover smartphone apps and AI. This definition will say: “A set of instructions that processes input data and creates output data”.
Respondents to the consultation were supportive of this definition; however, 51% felt that further refinement would be needed. Some were also concerned the definition was too vague.
On whether AI would have its own definition, respondents were supportive of a separate definition for the technology being put into legislation as well as design requirements for any AIaMD services or devices. However, the government has said that it does not intend to make AIaMD-specific requirements for legislative purposes.
Concerns cover SaMD cybersecurity
As part of the consultation, 88% of the respondents said that they were in favour of SaMD cybersecurity being put into legislation. The DHSC has said its policy position is to include cybersecurity as an “essential requirement” and will work closely with the Department for Digital, Culture, Media and Sport (DCMS), Information Commissioner’s Office, the National Data Guardian, and the Health Research Authority to ensure that patient data is protected.
However, while several respondents advocated the need for specific essential requirements and templates to be established as well as minimum requirements to be set out for SaMD cybersecurity, such as minimum safety standards and encryption, the DHSC has not been specific about what it will do to meet these requests.
“It remains the government’s intention that manufacturers of SaMD will be required to meet certain minimum requirements relating to security measures and protection against unauthorised access,” the response says. It goes on to say that the government intends to introduce a requirement similar to the EU’s equivalent rules, which also cover cybersecurity and associated requirements.
But more detail is required, particularly around encryption of data, argues Andrew Davies, CEO at RWG Mobile, developer of the iCare platform for doctors. “The response falls short of extending its regulation to the data connection used by these devices,” Davies says. “Without a secure, encrypted connection, many health organisations, particularly NHS trusts, would be unable to use medical devices to their full capacity.”
He notes that data security in itself is not a part of the government’s framework, and says it needs to be an “essential part of any framework relating to regulating medical devices”.
Safeguarding innovation and patient safety don’t go hand-in-hand
Philip Booth, co-founder of medConfidential, told Tech Monitor that the government’s response seems to ignore the patients and healthcare professionals who work with and use medical devices. He believes the government is more concerned with putting the UK at the forefront of medical device innovation than with protecting patients.
“If your intention is to both increase patient safety and not put sufficient safeguards around innovation then that’s a contradiction,” Booth says.
He goes on to say that it is worrying that the government has not recommended a way for patients to report an “adverse incident” when using the app.
“In the pharmaceuticals market, there is the yellow card process; if there’s a yellow card process for drugs why is there not a yellow card process for devices?” Booth asks. He says that this particular absence within the government’s response makes him believe that they haven’t “thought about patients and doctors sufficiently”.