When software is your medical device
Amid growing digitisation, medical device makers want clear guidelines that ensure patient safety without stifling business growth
Late last month, India's drug regulator came out with a draft guidance document to regulate “medical device software” — this move, the medical device industry agrees, could not have come sooner.
The medical device landscape is increasingly digitally connected, which makes remote monitoring of healthcare more convenient, for example.
But that also makes it vulnerable to non-state actors who may hack into the system or device, for reasons including ransom payments.
Between the benefit and security tussle, the medical device industry is looking to the government to outline pathways to ensure patient safety, without stifling industry growth, say industry insiders.
Making the distinction between ‘software as a medical device’ (SaMD) and ‘software in a medical device’ (SiMD), the Central Drugs Standard Control Organisation (CDSCO) document sets out to provide clarity for medical device companies when they seek permissions under the Medical Device Rules (2017).
On the proliferation of digital applications that make health claims, Pavan Choudary, Chairman, Medical Technology Association of India (MTaI), says, “The app game has become extremely, extremely… frayed. And anybody is making any kind of claim.” But the flood of innovations is yet to come, he says, adding, “AI is the elephant in the room”.
Security is a challenge, says Choudary, if the software/device comes from a “hostile” country. They can export compromised devices, “which have a malware embedded in it… And, at a future time, they can activate this bug”, affecting the patient, he says. “So without firing a single bullet, you can create a very hostile act,” he says, calling for monitoring to avoid such destabilising acts. Algorithmic updates need to be continuously provided, he says, so these devices are monitored. And there should be data privacy and protection, so patient information does not go to insurance companies, for example, he points out.
Technology can be used to tackle technology transgressions, he says, in cases where software and devices are bundled together from multiple regions. MTaI calls for policy initiatives to include the creation of “national certification labs for medical software, collaborative threat intelligence for healthcare, and legal mandates for domestic data localisation and encryption in medical technologies”.
Rajiv Nath of the Association of Indian Medical Device Industry (AiMeD) points out that quality management system (QMS) requirements do not adequately address information security. AiMeD recommends incorporating ISO 27001, in line with global best practices in cybersecurity.
Software has been around for a while, only now it has evolved to become a medical device in itself, says BPL Medical Technologies Managing Director Shravan Subramanyam. While software embedded in devices is reaching a level of maturity, so are connected medical devices, he says, pointing to an ICU where multiple pieces of equipment are individually powered by software. “So, it could be a ventilator… an infusion pump… a cardiac monitor”… they can be connected to provide intelligence to a clinician, he says, adding that AI brings predictive outcomes. The focus should be on safety and efficacy, and the guidelines framed with insights from industry, ensuring transparency and patient safety, without stifling industry, he says. Further, as technology constantly evolves, guidelines need to be nimble-footed to keep pace.
Arbinder Singal, Head–Preventive and Remote healthcare business, PB Health, explains that software required to run devices — an insulin pump, MRI machine or a CT scan machine, for example — gets into hospital integration and hospital information systems. But software as a medical device is set to proliferate, as it has in the US, and become an independent business class by itself, he adds. Software that is “patient invasive” — influencing diagnosis or a body function — is categorised under Class A, he says. For example, an auto-dosing device. Fitterfly is a Class B certified SaMD used for improving outcomes for people with diabetes. It uses data from medical-grade devices, blood tests and user symptoms to chart therapy for sustainably lowering blood sugars. PB Healthcare (from PB Fintech, parent of Policybazaar) acquired Fitterfly earlier this month. Singal was a co-founder.
Batting for standardisation and guidelines for medical software is Himanshu Baid, Managing Director of Poly Medicure. Data generated in India should stay in India, he says, flagging privacy concerns. The challenge, though, is compliance, he says, calling for more manpower at the CDSCO, which has on its plate pharmaceuticals, biologics, medical devices, and now software.