Software As A Medical Device

The Medicines & Healthcare products Regulatory Agency (“MHRA”) has published a “Consultation on the future regulation of medical devices in the United Kingdom” (the “Consultation”), which will run until 25 November 2021. The Consultation sets out proposed changes to the UK medical device regulatory framework with the aim to “develop a world-leading future regime for medical devices that prioritises patient safety while fostering innovation.”

Separately, the MHRA has published a work programme on software and AI as a medical device to deliver a regulatory framework that makes sure that the UK is the home of responsible innovation for medical device software.  Any legislative change proposed by the work programme will build upon the wider reforms to medical device regulation being consulted upon as a part of the Consultation.

The MHRA intends that any amendments to the UK medical device framework will come into force in July 2023.  This aligns with the date when UKCA marking will become mandatory in the UK and when EU CE marks will no longer be recognized.  The MHRA has made clear that it will provide adequate transition periods before adopting any new requirements.

All interested parties are encouraged to contribute to shaping the future regulation of medical devices in the UK by responding to the MHRA’s consultation before the deadline (25 November 2021).

France’s medicines regulator, the Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), has released draft guidelines, currently subject to a public consultation, setting out recommendations for manufacturers designed to help prevent cybersecurity attacks on medical devices. Notably, the draft guidelines are the first instance of recommendations released by a national regulator in Europe that apply cybersecurity considerations specifically to medical devices. The full ANSM draft guidelines, ‘Cybersécurité des dispositifs médicaux intégrant du logiciel au cours de leur cycle de vie’ (‘Cybersecurity of medical devices integrating software during their life cycle’), published 19 July 2019, are available in French and in English.

The draft guidelines note that while the European regulatory framework (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017/746) has been modified “in line with technological developments” (e.g. “data exchange, monitoring, risk prediction and control software”) to include software within the definition of a medical device, and accompanying security and performance requirements specific to such medical devices incorporating software, the “[medical device and in vitro diagnostic medical device r]egulations do not explicitly refer to or elaborate on the notion of cybersecurity”. For the purposes of the guidelines, ‘cybersecurity’ is described as “the full set of technical or organisational measures set up to ensure the integrity and availability of a [medical device] and the confidentiality of the information held on or output by this [medical device] against the risk of targeted attacks.”

 This post originally appeared on our sister blog, InsideMedicalDevices.

The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.

The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.