Over the past decade, Internet-enabled medical devices have proliferated in healthcare, bringing new possibilities as well as new challenges. One of the main characteristics of Internet-enabled medical devices in the healthcare world is shared responsibility spanning multiple stakeholders: the device manufacturer, the healthcare provider, and the IT infrastructure provider.
This post briefly looks at two aspects of that context: the regulatory landscape, and the approach to defining responsibilities among the different stakeholders.
Enhanced regulatory compliance requirements
Device manufacturers are required to demonstrate the safety and effectiveness of the devices they place on the market. In the United States this is governed by Title 21 of the Code of Federal Regulations (21 CFR). In Europe it was governed by the medical device directives, which are now being replaced by Regulation (EU) 2017/745 (the Medical Device Regulation) and Regulation (EU) 2017/746 (the In Vitro Diagnostic Regulation). Canada manages it through the Canadian Medical Devices Conformity Assessment System (CMDCAS).
Internet enablement brought in two additional dimensions: security and privacy. These compliance requirements are governed by an entirely different set of regulatory frameworks. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) imposes privacy and security requirements on the protected health information handled by an Internet-enabled medical device system. HPB517 is a similar regulation in Japan. Europe's General Data Protection Regulation (GDPR), which replaced the earlier Data Protection Directive, restricts transfers of personal data outside the EU in addition to its privacy requirements.
All of these regulatory requirements on Internet-enabled medical devices raise the question of who is responsible for what.
Defining responsibilities among different stakeholders
IEC 80001 is a family of international standards and technical reports that addresses this concern. IEC 80001-1 defines the roles, responsibilities, and activities for risk management of IT networks that incorporate medical devices. In this risk-management-based approach the device manufacturer is always the starting point: it maintains a risk management program that assesses the known risks of using the device in a connected environment.
The assessed residual risks, usually mitigated through instructions for use and maintenance, are delegated to or shared with the downstream stakeholders. The next stakeholder is typically the healthcare provider, which maintains its own risk management program and continually feeds new inputs into it, including the periodic updates issued by the device manufacturer.
For device manufacturers, IEC 80001-1 implementation dovetails easily into existing ISO 14971-based risk management templates and processes, with minimal changes to the quality management system.
IEC 80001-1 is an FDA-recognized consensus standard, which gives this approach regulatory standing.