Richard Poate, senior manager at TÜV SÜD, a global product testing and certification organisation, discusses how health apps can be regulated, and offers best practice advice to manufacturers.
As well as medical device apps becoming a growth area in healthcare management in hospital and community settings, the role of apps used as part of fitness regimes and for social care situations is also expanding.
IEC 82304-1:2016 - Health software – Part 1: General requirements for product safety – applies to the safety and security of health software products designed to run on general computing platforms and intended to be placed on the market without dedicated hardware. Aimed at manufacturers, it covers the entire lifecycle of a health software product, including design, development, validation, installation, maintenance and disposal.
However, now more than four years old, this standard does not fully address the significant rise of health and wellbeing apps. A technical specification currently under development, ISO/TS 82304-2 - Health software – Part 2: Health and wellness apps – Quality and reliability - is intended to be used alongside Part 1 to provide confidence in health software products such as apps.
In the EU, standalone software and apps that meet the definition of a medical device are still required to be CE marked in line with the EU Medical Device Regulation. Following Brexit, CE marking will be recognised in GB (England, Scotland and Wales) until 30 June 2023, after which UKCA requirements will apply in full. The aim of this regulation is to ensure such apps are acceptably safe to use and perform in the way the manufacturer or developer intends.
As the healthcare app industry grows, so too will the potential risks. When patient safety is involved, the risks become much more personal, ranging from a slight inconvenience to having to call the emergency services. For example, if a medication-dosage app misplaces a decimal point, the resulting tenfold error in the dose can be fatal.
The regulatory landscape can be very confusing for digital health providers, as ‘old’ regulations and standards are being ‘adapted’ to meet the very different scenarios these solutions present. Healthcare regulators globally are wrestling with how to provide a suitable regulatory regime for these innovative products and services. Consequently, software developers and users are struggling to understand whether a given app qualifies as a medical device.
As the healthcare app market develops and manufacturers tussle to get products to market, there is real industry concern about how these apps will be controlled. There is a fine line between a health or wellness app and a medical device, and as a result manufacturers and developers are failing to class some apps as medical devices when they should. This is often because software developers are not aware of the regulations and rules that govern bringing healthcare or wellness apps to market, so they release apps that should have been classified, and assessed, as medical devices.
The Medical Device Regulation (MDR) defines a medical device as “any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for specific medical purposes including diagnosis, prevention, prognosis, treatment or alleviation of disease”. This is an all-encompassing definition, and if your app does fall within the scope of the MDR, conformity assessment involves significant time, effort and money. Also beware that scope is not fixed: even if your health app does not fall within the MDR at first, later iterations that add functionality may bring it into scope.
Beyond the MDR there are data privacy issues to consider, as health apps can have access to highly detailed, personally identifiable and clinical information about the user. For example, NHS Digital has focussed the security element of its Digital Assessment on compliance with OWASP best practice guidelines for apps and web-based solutions. Whilst existing accreditation regimes such as Cyber Essentials and ISO/IEC 27001 are relevant, they certify the organisation’s security management rather than the product itself, so the need to demonstrate ‘security by design’ and suitable vulnerability testing of the app is also becoming key.
When ISO/TS 82304-2 is published, it will, together with Part 1, provide requirements for the development of health and wellness apps designed to meet the needs of healthcare professionals, patients, caregivers and the wider public. It will contain a set of quality criteria and cover the app project’s lifecycle through development, testing, release and updating, including native, hybrid and web-based apps, apps associated with wearables and other health equipment, and apps that are linked to other IT systems.