Regulatory and Standardization Challenges for Connected and Intelligent Medical Devices (REG-MEDTECH)


The REG-MEDTECH project investigates the critical cybersecurity, software, and algorithmic decision-making challenges posed by connected, intelligent medical devices.

This project investigates a pressing yet underexplored area at the intersection of cybersecurity in IoT ecosystems (especially medical devices at the edge and software as a medical device), law and regulation, and digital healthcare. In recent years, several policy and regulatory initiatives have been established to address the security, safety, and trust implications of connected, intelligent devices. However, a critical gap remains in the development of the standards that underpin regulatory guidelines and requirements, and in updating the design, risk management, and mitigation practices of key stakeholders: software developers, manufacturers, healthcare providers, and regulators.

The project offers a unique and established partnership between UCL and BSI (UK national standards body), with a high-value network of collaborators across academia, industry, regulators, specialist agencies, and international organisations.

This interactive standards mapping tool comprises the main published and in-development standards that apply to Connected, Intelligent Medical Devices (CIMDs).

It is primarily aimed at software developers, device manufacturers, and enterprises to inform the responsible development and marketing of their CIMDs, although it can be used more broadly by CIMD users willing to ensure the devices they purchase or utilise respect patient safety, security, and privacy, as well as the integrity and resilience of healthcare systems. Academic researchers are also very welcome to use the tool.

What are CIMDs? CIMDs are medical devices that incorporate Artificial Intelligence (AI) software and use communication technologies and networks to transfer, manage, store, and analyse health data. These devices can be wearable or implantable, collect physiological patient data, and/or provide therapeutic options (e.g., a neurostimulator). They can be software-based medical devices, standalone Software as a Medical Device (SaMD), or AI as a Medical Device (AIaMD). The devices themselves, the digital infrastructure that supports them, and the data they collect together form the Internet of Medical Things (IoMT): a connected infrastructure of medical devices, software applications, and digital health systems and services.

What will I find in the map? We identified three critical areas of standardisation for CIMDs, pertaining to Artificial Intelligence (AI), Cybersecurity, and Data Governance. For each of these categories you will find three additional types of standards:

– Regulatory standards and guidance documents. These are documents that further specify regulatory requirements for medical devices and digital healthcare. They are generally used to demonstrate conformity to regulatory requirements and can be mandatory.

– Principles and guidelines. These are documents that set codes of best practice, principles and guidelines pertaining to medical devices and digital healthcare. They are generally voluntary.

– General standards. These are documents that provide baseline good practice and guidance on how to implement, test, or assess digital technologies and systems pertaining to the integrity of AI systems, cybersecurity, and data governance in general, and specifically in the healthcare sector. They are mostly horizontal standards.

Authors: The Standards Map for Connected, Intelligent Medical Devices was created by Dr Andrew Mkwashi and Dr Irina Brass of the REG-MEDTECH Project at UCL, funded by the PETRAS National Centre of Excellence in IoT Systems Cybersecurity (EPSRC), in partnership with BSI (UK National Standards Body). The project team is grateful for the guidance from colleagues in the healthcare sector at BSI.

© 2022 Andrew Mkwashi and Irina Brass.
The Kumu platform was used for visualisation.
To cite, please use:
Mkwashi, A. and Brass, I. (2022) Interactive Standards Map for Connected, Intelligent Medical Devices. PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Available at: https://embed.kumu.io/c47c61c4bb98c35c541fd3d4c0d5d624#untitled-map?s=bm9kZS1tbUV0aGdrQw%3D%3D.

This White Paper, entitled “The Future of Medical Device Regulation and Standards: Dealing with Critical Challenges for Connected, Intelligent Medical Devices”, reviews the main trends in the existing standards and regulatory landscape applicable to CIMDs. The White Paper has been produced in partnership with BSI, the UK National Standards Body.

Based on interviews and a roundtable with key experts and practitioners in the field, the White Paper identifies several critical challenges that should inform the future development of standards and guidelines applicable to CIMDs, with a specific focus on artificial intelligence, cybersecurity, and data governance issues. The Paper provides valuable insights to regulators, standards-making bodies, notified bodies, manufacturers, software developers, clinicians, and researchers regarding present gaps and potential loopholes that CIMDs create in current regulatory frameworks, concluding with recommendations for standards development and initiatives in the context of widespread adoption of CIMDs in the healthcare sector.

To cite, please use:
Mkwashi, A. and Brass, I. (2022) The Future of Medical Device Regulation and Standards: Dealing with Critical Challenges for Connected, Intelligent Medical Devices. London: PETRAS National Centre of Excellence in IoT Systems Cybersecurity.


Dr Irina Brass featured in the Atlantic Council’s Cyber Statecraft Initiative “The 5×5 series” – 5 Experts x 5 Questions. In this article, Irina joins other experts in the field to assess the impact of the Internet of Things on national security and discuss potential solutions. You can read more about this discussion here.

As part of our Reg-MedTech project deliverables, Dr Mkwashi reflected on the main challenges raised by connected, intelligent medical devices and the importance of conducting this research during the BSI Standards Show, which aired on Tuesday 20 September 2022. In this podcast episode, the team promoted the Reg-MedTech project and communicated the key findings from its recent White Paper to a wider audience. This podcast can be found online here.

Our project partner, the British Standards Institution (BSI) is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.

On 7 November 2022, the Reg-MedTech team presented the paper entitled “Risk Assessment and Classification of Medical Device Software for the Internet of Medical Things: Challenges arising from connected, intelligent medical devices” at STaR-IoT: 1st International Workshop on Socio-technical Cybersecurity and Resilience in the Internet of Things, part of the 12th International Conference on the Internet of Things, held at the Faculty of Industrial Design Engineering (IDE) at TU Delft.

The paper is published open access in the ACM Digital Library and can be accessed here. Please use the following reference to cite the paper: Irina Brass and Andrew Mkwashi. 2022. Risk Assessment and Classification of Medical Device Software for the Internet of Medical Things: Challenges arising from connected, intelligent medical devices. In Proceedings of the 12th International Conference on the Internet of Things (IoT ’22), November 07–10, 2022, Delft, Netherlands. ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3567445.3571104

The project has just published a report entitled “Emerging Digital Technologies in Patient Care: Dealing with connected, intelligent medical device vulnerabilities and failures in the healthcare sector”. The report summarises findings from the workshop of the same name, held on 23 February 2023 at Goodenough College, London. The workshop was organised by members of the Reg-MedTech project, funded by the PETRAS National Centre of Excellence in IoT Systems Cybersecurity (EPSRC grant number EP/S035362/1), in collaboration with project partners at BSI, the UK’s National Standards Body.

Since October 2021, the Reg-MedTech project has investigated the extent to which current regulatory frameworks and standards address the critical cybersecurity, data governance, and algorithmic integrity risks posed by connected and intelligent medical devices. A critical finding from its ongoing research has been the need to develop standards, regulations, and policies that are better informed by the experiences of physicians, clinicians, and healthcare professionals dealing with software-based medical devices or software as a medical device (SaMD) in their day-to-day practice.

The workshop was attended by fifty-two participants, with representation from clinicians and healthcare professionals, public bodies including regulatory agencies, device manufacturers, legal and regulatory consultants, standards makers, and researchers.

Please cite this report as:

Brass, I., Straw, I., Mkwashi, A., Charles, I., Soares, A., Steer, C. (2023) Emerging Digital Technologies in Patient Care: Dealing with connected, intelligent medical device vulnerabilities and failures in the healthcare sector. Workshop Report. London: PETRAS National Centre of Excellence in IoT Systems Cybersecurity. DOI: 10.5281/zenodo.8011139