Risk Assessment and Classification of Medical Device Software for the Internet of Medical Things: Challenges arising from connected, intelligent medical devices
Authors: I. Brass, Andrew Mkwashi
Published in: Proceedings of the 12th International Conference on the Internet of Things
Publication date: 2022-11-07
DOI: https://doi.org/10.1145/3567445.3571104
Citation count: 1
Abstract
Although the medical device industry operates within a stringent regulatory environment, the growing deployment of connected, intelligent medical devices (CIMDs) in the healthcare sector is challenging these established regulatory frameworks. CIMDs come in a variety of forms, from implantables, to specialist IoMT devices deployed at the point-of-care, to AI-based medical devices, and AI as a medical device (AIaMDs). These devices raise several cybersecurity, data management, and algorithmic integrity concerns for patient safety and the delivery of reliable, responsible healthcare. The purpose of this article is to focus on a particular characteristic of CIMDs: their changing risk profile, several times throughout their lifecycle, with limited awareness from users, manufacturers, and regulators. Looking at the implications of these often subtle yet meaningful software modifications for current medical device regulations and for critical stakeholders in the CIMD ecosystem, the article highlights three main challenges to: i) risk assessment, classification and management frameworks that underpin current medical device regulations; ii) current medical device compliance frameworks, especially the post-market surveillance of medical devices; and iii) the detection, categorization, and reporting of compromised devices that might not perform according to their intended purpose. The article brings empirical evidence from a qualitative research study conducted with critical stakeholders in the medical device sector.