Smart, connected devices are an increasing reality of daily life. It is estimated that by 2020, there will be 33 billion internet devices in the world—enough for 4 connected devices per person, according to research by Strategy Analytics, Inc. This growth will inevitably lead to an increase in connected medical devices and mobile health (mHealth) applications. Yet this new frontier presents many challenges for the industry, as there is often a lack of clarity as to how to design, develop, and follow regulatory requirements for products. Instead, it is up to the industry to determine best practices for developing safe, secure products that will fulfill a need. When it comes to the future of connected medical devices, consider two things: protecting patients and following regulations. (See Figure 1)
Protecting Patient Safety and Security
Patient safety and essential performance are important to keep in mind when designing connected devices. This could include the device’s shape, weight, or the materials used in its creation. There may also be concerns about chemicals or other materials in a device, and environmental aspects, such as reactions to vibrations, climate issues, or repeated use, may also come into play. Additionally, a product’s real-world use may go beyond its original intention, with the product being used in settings you didn’t intend or plan for.
Once the basic design is set, any medical electrical device must be tested for electromagnetic compatibility (EMC) to IEC 60601-1-2 or an equivalent national standard. It is inevitable that these devices will be used in settings with other medical equipment, so it’s essential to ensure that the electromagnetic (EM) emissions from the device do not interfere with other equipment. On the other hand, it’s also important to make sure that the device isn’t susceptible to EM fields being given off by other devices, like monitors, WiFi signals, phones, or other radio-frequency identification (RFID) devices in the area. This type of testing is called wireless coexistence testing.
Security is also a major concern for connected devices, as patients (and health care providers) seek peace of mind that personal data and sensitive medical information like health readings, monitoring information, diagnoses, medications, and vital statistics remain protected. The security of a device or app itself must be considered. Where is information stored? How is it protected? How might it be compromised by other devices that interact with it? For example, if a device is Bluetooth enabled, how do you ensure that a second Bluetooth device can’t somehow take control or siphon information? Whether through PINs, passwords, timeout features, or firewalls, it is imperative that methods are employed to balance the need for user control, security, and interaction.
Rules and Regulations
Medical devices are subject to standards and regulations from several organizations, including the U.S. Food and Drug Administration (FDA), the International Electrotechnical Commission (IEC), and the American National Standards Institute (ANSI), to name a few. Apps may be subject to the FDA and the Federal Trade Commission (FTC). If the device includes a transmitter or wireless charger, the Federal Communications Commission (FCC) and other spectrum regulators in target markets will get involved. Products that are diagnostic in nature have different requirements than ones that simply store data or are used for treatment. The types of regulations in place depend on the specific device or app in question.
In general, there is not a lot of FDA-specific guidance or official standards surrounding wireless devices. The FDA does not have specific requirements for coexistence testing. The organization has only issued guidance for staff of healthcare facilities to ensure the safety of the devices they use and reduce electromagnetic interference (EMI), as well as a general guidance document titled “Radio Frequency Wireless Technology in Medical Devices,” issued August 14, 2013. Manufacturers should be prepared to test to IEC 60601-1-2 standards, and when radios are incorporated into medical devices, coexistence and cybersecurity may need to be addressed, but specific guidance on how to perform the testing and on specific test requirements is sparse. ANSI is still developing standards for wireless devices under ANSI C63.27.
Outside of the EMI safety issue, devices may be subject to chemical restrictions, certification criteria for electronic devices, or certain performance and safety protocols for any electronic wireless devices. Additionally, any diagnostic tools must get FDA 510(k) clearance and devices used in treatment may be subject to clinical trials and other standards and regulations.
While the FDA has published some guidelines for mHealth apps, the recommendations cover many areas and can be difficult to implement. The guidance includes references to ISO guidance as well as AAMI and several others; these are necessarily complementary documents and would likely require existing software to be rebuilt to follow the recommended standards. So far, the FDA has been most proactive with apps that play a diagnostic role, which classifies an app and its related materials, such as test strips or other devices, into a medical care class. As such, the app must adhere to, and be evaluated under, the FDA’s 510(k) process. The 510(k) clearance process typically requires third-party studies and data, as well as documentation on how the app shows substantial equivalence to a current medical device. Mobile health apps also must comply with security protocols required of any other mobile applications, as well as with the Health Insurance Portability and Accountability Act (HIPAA), in regard to privacy protection. In all likelihood, app developers will need to account for HIPAA requirements as they submit apps to the FDA and FTC for clearance. (See Figure 2)
Manufacturers also need to consider the rules and regulations of different geographies, should they intend to take a device or software to other countries or continents. Frequency bands are not universal, which must be a consideration as you design and test a product. Regulatory requirements can vary with respect to coexistence testing, chemical restrictions, obligations for a product’s end-of-life, privacy laws, and security controls. Some countries will accept the reports or approvals from other regions; some will not.
There are several things designers and manufacturers can do to help mitigate concerns and risks related to safety and security of connected medical devices.
Identify/reduce potential risks early: Thinking through all possible scenarios and planning against them can save manufacturers from serious issues further down the road. With devices, think about the possible EMI, relative safety of the materials used to create a device, and overall design implications (rough edges, sharp corners, etc.). When it comes to apps, it’s essential to plan for usability issues. Apps of every kind often present users and developers with surprises. So, be prepared to address concerns, should they come up.
Educate yourself: Tap your connections and resources to know what kinds of developments are happening in the industry, whether it is products coming to market, regulatory debates, rule creations/changes, legal developments, or new data or research. Know what other technology is out there and how it may interact with or complement your device or application. All of this can help you plan and test accordingly, saving time, money, and hassle in the long run.
EMC testing: Confirming EMC compliance for connected devices will increase the likelihood that they are safe around other medical equipment and that they can’t be compromised. In addition to the default IEC 60601-1-2 medical device EMC testing, wireless coexistence testing evaluates devices in real-world settings to identify potential sources of interference and how products will react with each other. Such scenarios consider how emissions from cell phones, WiFi, Bluetooth, MRI machines, and other radio-frequency identification (RFID) objects interact with a new device. (See Figure 3)
Other testing: Be prepared to test devices not just for medical EMC, but also for chemical composition, overall safety and performance, and any regulatory requirements that may apply based on the nature of the device (e.g., FDA 510(k) for diagnostic devices or radio spectrum testing for devices which incorporate a wireless device). Test apps for safety and security as well as general functionality, performance, and regulatory requirements.
In order to navigate the changing waters of regulation for connected medical devices, knowledge is critical. Staying abreast of developments in the industry is essential as new guidance is issued and new rules and regulations ultimately are set. Tapping into experts who know the space can also be beneficial in developing connected devices and mHealth apps. Product testing provides peace of mind to patients, caregivers, and health care providers by giving assurance that products are safe and function correctly, and that their privacy is secure and protected.
Testing safety, security, and performance can add costs to product development; however, it provides manufacturers with a clear regulatory pathway with the FDA and provides valuable intelligence, product development, and marketing claims to assist in selling smart devices.
This article was written by Nicholas Abbondante, EMC Chief Engineer, and Delmar Howard, mHealth Program Manager, Intertek, Chicago, IL.