Over the past decade, Internet-enabled medical devices have proliferated in healthcare, bringing new possibilities as well as new challenges. One of the defining characteristics of Internet-enabled medical devices in healthcare is shared responsibility that overlaps multiple stakeholders: the device manufacturer, the healthcare provider, and the IT infrastructure provider.
This blog briefly looks at two aspects in this context: the regulatory landscape and the approach to defining the responsibilities among different stakeholders.
Enhanced regulatory compliance requirements
Device manufacturers are required to demonstrate the safety and effectiveness of the devices they place on the market. In the United States, this is governed by a series of Code of Federal Regulations (Title 21 CFRs). In Europe, it has been governed by directives, which are now being replaced by Regulations 2017/746 and 2017/745. Canada manages it through the Canadian Medical Device Conformity Assessment System (CMDCAS).
Internet enablement brought in two additional dimensions: security and privacy. These compliance requirements are governed by an entirely different set of regulatory frameworks. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) imposes security and privacy requirements on an Internet-enabled medical device system. HPB517 is a similar regulation in Japan. Europe's upgraded General Data Protection Regulation (GDPR) restricts sending personal data outside the EU, in addition to its requirements on privacy.
All these regulatory requirements on Internet-enabled medical devices give rise to questions about who is responsible for what.
Defining responsibilities among different stakeholders
IEC 80001 is a series of international standards and guidelines that addresses this concern. IEC 80001-1 defines the roles, responsibilities, and activities in risk management for IT networks that incorporate medical devices. The starting point of the risk-management-based approach is always the device manufacturer. The device manufacturer maintains a risk management program that assesses the known risks associated with the use of the device in the connected environment.
The assessed residual risks, usually mitigated through instructions for use and maintenance, are delegated to or shared with the downstream stakeholders. The next stakeholder is typically the healthcare provider, which also maintains a risk management program. The provider continually looks for new inputs to its risk management process, including the periodic updates from the device manufacturer.
For device manufacturers, IEC 80001-1 implementation can easily be dovetailed into their existing ISO 14971-based risk management templates and processes, with minimal tweaks to the quality management system.
IEC 80001-1 is an FDA-recognized consensus standard, giving this approach a level of regulatory sanctity!