One of the most transformative changes in healthcare today is the increasing digitization of nearly all facets of care delivery. Medical devices are no exception: it is rare to hear about new device technology that does not incorporate software in some way. Some devices rely on software for support—for example, a Wi-Fi-enabled pacemaker monitor in a patient’s home. Other devices rely on software in such an essential way that it is not an exaggeration to say that software is the device. A device that receives a blood sugar level as input and then calculates and algorithmically recommends an insulin dose for a patient with type 1 diabetes is one such example. Software is truly poised to touch all aspects of medical device technology, with far-reaching implications for patients, providers, payers, and regulators.
Regulatory agencies have long recognized the importance of software in medical device technology, and in this article, we outline some key historical events surrounding regulation of software in medical devices in the United States, dating back to the early 1980s. More recently, regulators have focused on “digital health.” The FDA released a Digital Health Innovation Action Plan in 2017 to outline regulatory direction in this area. One of the core components of this plan is a pre-certification program, which aims to streamline product review by focusing on software-development organizations and processes, as opposed to specific products. The pilot launched in 2019 with nine pilot organizations – a mix of traditional health care and technology companies, including Apple, Johnson & Johnson, Samsung, Roche, and Verily.
In this paper, Professor Stern and I argue that software-driven medical devices (SdMDs) present many opportunities to improve care, but also involve a new set of safety, effectiveness, privacy, and monitoring concerns that are not shared with those of traditional medical devices. We break this down into four main areas. First is the dynamic software-development lifecycle. The iterative nature of software development requires (and allows for) regular updates that are simply not possible in a traditional medical device. A smartphone arrhythmia detector’s algorithm can be updated instantaneously by the manufacturer; it is much more complicated (and quite invasive!) to update a mechanical aortic valve. A second major area is product safety and security, where SdMDs have both benefits—quicker updates and faster distribution, for example—and drawbacks: cybersecurity vulnerabilities, updates that introduce new bugs, and reliance on third-party components that may be poorly documented or out of date. Data collection and privacy is a third critical consideration: SdMDs allow for remarkable levels of data collection, which has the potential to drive innovation and knowledge discovery. Yet it is unclear if we have the security and privacy infrastructure (particularly in the US) to handle this proliferation of data. Our policies lag behind our technological capabilities.
Finally, many aspects of SdMDs are simply unknown. The space is rapidly evolving, and how new efforts dock into existing efforts, like the FDA’s Sentinel Initiative, remains to be seen. SdMDs require the same level of evidential rigor as traditional devices, and healthcare payment models will also need to evolve to support novel interventions. Balancing patient safety with device innovation is no easy feat but will be paramount for effective SdMD regulation.
We feel that this is just the beginning—SdMDs will only continue to expand in importance and functionality, and SdMDs—like all medical devices—will have the greatest impact if we can balance effectiveness and safety. We hope that our paper outlines the key considerations as this field evolves, and helps set direction for innovators, regulators, payers, providers, and ultimately, patients.