This article is an extract from GTDT Executive Compensation & Employee Benefits 2023. Click here for the full guide


The continued rise of digital health products

Digital health solutions have proliferated the sector in recent years, becoming a vital part of healthcare provision around the globe. The desire for remote deployment of healthcare, amplified by the covid-19 pandemic, has further accelerated this trend. As digital health applications have gained prominence and complexity, lawmakers and regulators are having to work hard to stay abreast of the latest technological advances. With the market for digital therapeutics and devices anticipated to continue expanding, this chapter provides a global overview of two key regulatory trends impacting the digital health space: first, the appropriate regulation of artificial intelligence (AI) technologies and, second, addressing increasing concerns around cybersecurity risks.

 

AI

The proposed EU AI regulation (Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence, 4 April 2021), which contains a comprehensive regime for the purposes of regulating AI in the European Union, is set to impact organisations around the world. As such, this legislation is poised to change the AI regulatory environment for healthcare technology and life sciences companies. It is expected that the proposed regulation will be enacted in 2024 or 2025. Once that happens, those that make AI available within the European Union, use AI within the European Union or whose outputs from AI affect people in the European Union will become subject to the regulations, wherever they are based.

In the United States, Congress is considering the American Data Privacy and Protection Act (HR 8152), which aims to create a comprehensive national data privacy and security framework by establishing standards on what types of data companies can gather from individuals and how that information can be used. Notably, a section of the pending bill seeks to take a significant step toward a federal enforcement mechanism over how businesses design and employ algorithms, and the underlying data used to support them. This is part of an emerging theme of increased attention to algorithms among policymakers. The Federal Trade Commission (FTC) has announced its intent to hold companies using discriminatory algorithms accountable under its existing authority. New proposals are gaining traction in Congress that would formalise such requirements and grant the FTC express jurisdiction to oversee and enforce penalties for violations. These issues have particular resonance in healthcare and life sciences as recognised high-risk areas where decisions may drive access to, and effectiveness and safety of, medical diagnoses and therapies.

Specific to the life sciences sector, the Center for Devices and Radiological Health (CDRH) under the US Food and Drug Administration (FDA) is considering a more flexible regulatory framework for AI-enabled software as a medical device. The traditional paradigm of medical device regulation is not suited to rapidly iterating software. The proposal is to move to an approach that would allow for modifications (eg, performance improvements) to be made from real-world learning and adaptation without necessarily having to complete another pre-market submission. The FDA published an action plan in 2021 setting out the proposed framework (Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, January 2021). As part of this proposal, the FDA outlined a predetermined change control plan (PCCP) process as a way to achieve this, which involves setting out anticipated modifications as part of the original product’s pre-market submission and pairing this front-end review with real-world post-market monitoring. There has been strong interest in PCCPs and the promise of further details from the FDA.

The CDRH’s list of proposed guidance for the 2022 fiscal year includes a proposed guidance document titled Marketing Submission Recommendations for A Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions. This is not prioritised guidance for 2022, so will only be published as and when FDA resources permit.

Other regulators are also considering embracing a change control plan approach to AI-enabled software in the sector. For example, the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) is in the process of updating medical device regulations post-Brexit and, earlier this year, published responses to its 2021 consultation on the future regulation of medical devices in the United Kingdom (the UK Consultation). The UK Consultation set out a proposal for the MHRA to implement PCCPs in relation to software as a medical device products and the 2022 response to the UK Consultation (Government Response to Consultation on the Future Regulation of Medical Devices in the United Kingdom, 26 June 2022) stated that the MHRA intends to enable PCCPs on a voluntary basis initially. Further, the response stated that the MHRA intends to work with international partners wherever possible in implementing its PCCP approach. This is reflective of a wider trend of international cooperation with respect to the regulation of medical devices with AI or machine learning capabilities.

Other recent examples of a global approach to regulating these cutting-edge devices include the draft guidance on AI key terms and definitions published by the International Medical Device Regulators Forum (IMDRF) AI Working Group (Machine Learning Enabled Medical Devices – a Subset of Artificial Intelligence: Key Terms and Definitions, 16 September 2021), and a document setting out guiding principles for good machine learning practice jointly published by the FDA, the MHRA and Health Canada (Good Machine Learning Practice for Medical Device Development: Guiding Principles, October 2021). With the expected proliferation of regulation in this area and the relative ease of deploying software globally (compared to physically distributing hardware), international harmonisation efforts are very welcome in this arena.

 

Cybersecurity

The need for strong cybersecurity controls in relation to digital health technologies has become vital in light of increasing interconnectivity and data exchange and the growing incidence and gravity of cybersecurity threats in the healthcare sector. Consequently, there has been a recent push in many jurisdictions to ensure that sufficient cybersecurity measures are in place with respect to digital health products. This movement seeks to protect against physical safety issues, such as those that could arise following intentional interference with a medical device or system, as well as the harms caused by personal data associated with digital health products being compromised.

In the United States, in April 2022, the FDA issued draft guidance on medical device cybersecurity in the context of premarket submissions (FDA draft guidance titled Cybersecurity in Medical Devices: Quality Systems Considerations and Content of Premarket Submissions, 8 April 2022). This draft guidance replaces the agency's prior 2018 draft guidance titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and, when finalised, will supersede the agency's final guidance from 2014. This latest piece of guidance is nearly 50 pages long and contains detailed recommendations for device makers in terms of the types of content that should be included in premarket submissions, how cybersecurity considerations should be incorporated into companies' quality management systems and how device labelling should address cybersecurity considerations. At the core of the guidance is that cybersecurity controls should be built in, rather than bolted on as an afterthought.

While the FDA felt it important to update its guidance in this area, there remains no express federal statutory requirement in the Federal Food, Drug, and Cosmetic Act (21 United States Code 9) for medical device makers to adopt cybersecurity requirements in the United States. In contrast, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Pub L No. 104-191) requires covered entities and business associates to implement administrative, physical and technical safeguards to protect the confidentiality, integrity and security of personal health information. In many cases, however, device manufacturers are not directly subject to HIPAA.

However, mandatory cybersecurity requirements for certain medical devices may be on the horizon with the recent introduction of the Protecting and Transforming Cyber Health Care Act (HR 7084) in both the US Senate and the House of Representatives. These bills, if passed, would amend the Food, Drug, and Cosmetic Act to require manufacturers of devices that include software or are intended to connect to the internet to implement certain cybersecurity requirements, such as having to:

  • monitor, identify and address post-market cybersecurity vulnerabilities;
  • provide a coordinated vulnerability disclosure as part of submissions to the FDA;
  • collect and maintain information as required by the FDA;
  • design, develop and maintain processes and procedures to make updates and patches available throughout the life cycle of the cyber device; and
  • maintain a software bill of materials for the device – including commercial, open-sourced and off-the-shelf software – that will be submitted to the FDA and provided to users.

 

Elsewhere in the world, regulators have been updating cybersecurity guidance. Australia’s Therapeutic Goods Administration revised its guidance on medical device cybersecurity (Medical Device Cyber Security Guidance for Industry, Version 1.1, March 2021), Japan’s Ministry of Health, Labour and Welfare issued an updated guidebook on medical device cybersecurity in December 2021 (Pharmaceutical Safety Notification 1224 No. 1, 24 December 2021), and China’s National Medical Products Administration published updated guidance on medical device cybersecurity within the 2022 revision to its Guidelines for Medical Device Software Registration Review.

While recently developed healthcare technologies benefit from robust cybersecurity considerations, there are many older products that were not designed with those same concerns in mind but are still in use today. Those legacy products may present risks to users that cannot be sufficiently defended against or mitigated, perhaps because legacy products may have no – or incompatible – security controls for upgrades or patches. Given the threat posed by such devices, the IMDRF’s Medical Device Cybersecurity Working Group held a consultation on proposed principles and practices for the cybersecurity of legacy medical devices guidance document, which closed in July 2022. Once finalised, this guidance is intended to provide clear ways of identifying potential legacy devices along with practical approaches for implementing cybersecurity on an international scale. The US Federal Bureau of Investigations (FBI) has also drawn attention to this issue, publishing a notification outlining the threats posed by unpatched and outdated medical devices along with recommendations to increase employee awareness, identify vulnerabilities and actively secure medical devices (FBI Cyber Division Private Industry Notification titled Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, 12 September 2022).

 

Conclusion

As digital health solutions proliferate the life sciences space, it will be more and more important for industry and regulators alike to stay abreast of emerging technologies as well as the evolving expectations of healthcare professionals and patients. In particular, the rapid development of AI-driven products and systems, and the growing risks posed by cybersecurity threats, will continue to demand an increasing share of attention on the part of all participants in the life sciences ecosystem.