Digital technologies have great potential to promote health and wellness, and to empower patients to manage chronic conditions. But which tools are safe and effective? Many digital health technologies fall into the scope of the EU medical device regulation (MDR) (2017/745) which takes effect from 26 May 2020. It intends to improve safety and transparency.
The new definition of a medical device includes software, which will require certification. Mobile health (mHealth) apps, machine learning, artificial intelligence (AI), big data analytics, and cloud computing are affected. The rules apply to any software installed or used in the EU. In contrast to the US Food and Drug Administration (FDA), prediction and prognosis are also covered by the EU definition – meaning predictive models, risk calculators, and big data analytics.
Developers and companies must determine if their software is a medical device according to the EU MDR. The definition incorporates software intended for a medical purpose, whether used alone or as an accessory. Software that creates or modifies new information with a medical purpose is also a medical device. However, software for pure lifestyle and well-being purposes is not a medical device. If it qualifies as a medical device, the software must then be classified as class I, IIa, IIb, or III according to its intended purpose and inherent risks. In practice there will no longer be class I devices, and the majority will be IIa or IIb.
Post-market surveillance is needed for software that is a medical device. Manufacturers need to set up a risk management system which considers cybersecurity. The software should be included in the European database on medical devices (EUDAMED), and standalone software requires a unique device identifier (UDI). Manufacturers must assess the potential impact of upgrades on function.
In the US, the FDA has introduced pre-certification for software used in low-risk devices to cut the time to market. Companies can become accredited as eligible digital health developers based on their ability to produce credible software. Another FDA innovation not yet considered in Europe is a recommendation to test machine learning software on independent datasets before approval.
Questions over cybersecurity, data protection, and informed consent triggered an ESC task force on cardiac implantable electronic devices (CIEDs) with the European Heart Rhythm Association (EHRA). CIEDs are monitored locally by a transceiver and transmitted via the internet to a server (usually run by the device company). The device company analyses the data and provides a report to the hospital or treating cardiologist. Companies do not encrypt data between the device and the local transceiver, making it vulnerable to outside access. Regarding legal responsibility under the EU general data protection regulation (GDPR), most companies define the data controller as the hospital. The ESC task force recommends increasing cybersecurity and defining device companies as data controllers. Patients should know how their data is transferred, stored, shared, and processed, and give informed consent before implantation.
EU citizens are willing partners: a survey shows that 90% want to access their health data, 80% will share their health data if privacy and security are ensured, and 80% would provide feedback on the quality of treatments. Access requires interoperable and quality health data. The European Commission is developing the eHealth Digital Service Infrastructure to enable exchange of patient data across borders. It has also recommended a European Electronic Health Record exchange format to enable cross border interoperability; this proposes common technical specifications for data transfer.
- The new medical device regulations will help ensure that apps and software are good quality. But what about existing apps and calculators already used to make decisions about potential treatment? Validated clinical risk scores should not require new studies but use the literature to prove their effectiveness for certification.
- ESC pocket guidelines contain validated risk scores and links to calculators on external websites. Are both medical devices? Risk calculators need certification, but a link does not.
- Our department is considering an app for heart failure patients to monitor their weight, with a daily alert to enter their weight and an alert if it rises by more than 2 kg. Is this a medical device? It would be a class IIa medical device because it is for patients, not healthy people.
- Post-market surveillance for imaging devices is required under the new regulations, but do companies need to follow up all uses? Manufacturers have to make proposals for post-market surveillance, for approval by the notified body. The ESC Regulatory Affairs Committee is establishing a task force with the European Association of Cardiovascular Imaging (EACVI) to look at the regulatory governance of diagnostic imaging.
- Is industry’s responsibility in assessing off-label use covered by the new regulations? No, but it has been suggested that one of the reasons for comprehensive post-market registries is to systematically collect data on off-label use.
- Evidence and performance data for health apps should be transparently available. Anecdotally, a Fitbit showed no sign of a life-threatening bradycardia. However, commercial software used by patients samples heart rate for short periods. Researchers can set a higher sampling rate.
- Regarding accountability for the AI black box, what are the European Commission’s expectations? Citizens want reassurance that someone beyond the manufacturer knows what’s going on, and that those interested can explore the connections.
- The first electronic prescription exchange across borders was in January 2019 between Estonia and Finland. From the EU perspective, how can we speed up this process? Resources and political will are two levers. Developing specifications for interoperability is slow work.
- Belgium has regulatory problems connecting different databases. Will the EU enforce or facilitate access to data for researchers in their own country? The European Commission does not have authority to act locally but can help users and owners of data come together and find their own solutions. It can also provide funding for infrastructure.
- Could the European Commission mandate minimum healthcare datasets that can be used by smaller companies for research? Minimum datasets would have big resource implications for countries. Anonymisation techniques and synthetic datasets may assist with data access.
- Are the European Commission’s initiatives coordinated with programmes in the US, Asia, and beyond? Not yet: the first priority is to bring together disparate health systems in the EU. The World Health Organization (WHO) has a global digital health strategy, and one of its roles should be to increase awareness of projects around the world.
The forthcoming EU medical device regulation considers software and risk calculators medical devices, and developers/industry need to be aware of their responsibilities. Cybersecurity needs to be increased, and accountability for data protection must be defined. Patients and the public expect to be involved and deserve to know how their data is handled. More work is required on interoperability and data transfer to enable research and healthcare across borders.