Why Privacy and Security are Essential in SaMD
Digital health technologies such as wearables, connected medical devices, and Software as a Medical Device (SaMD) are massively transforming healthcare. Significant innovations in IoT sensors, smart devices, and other small communication devices are driving the development of next gen med tech devices that generate data into integrated care or clinical pathways, which improves patient outcomes, improves efficiency, and lowers costs (for both the provider and the consumer). Consumers are excited about using these devices to help manage their own health. Connected medical devices are empowering patients to be better informed and involved in their own health conditions. However, these increasingly more connected devices mean that privacy and security must be built in up front. Here, we’ll talk about why privacy and security are essential in one of the newest areas of medtech – SaMD.
What is SaMD?
First, let’s define what is Software as a Medical Device, or SaMD.
Medical device software comes in four primary subclasses:
- Software as a Medical Device (SaMD), according to the definition by the International Medical Device Regulators Forum (IMDRF), is “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device”
- Software in a medical device (SiMD) is software that’s part of a medical product, such as implanted software in medical equipment
- Software as an accessory to a medical device
- General purpose software that is not a medical product by itself
SaMD performs medical functions without a need for actual hardware. It is typically used alongside non-medical computing platforms, which may be connected to virtual networks, traditional medical devices or other general-use hardware.
What challenges does SaMD bring?
While the benefits of connected devices and SaMD for consumer are obvious, there are many challenges that developers and manufacturers should understand. SaMD means more software, more connectivity, more interdependence and more data being consumed and generated. Much of this also involves the growing areas of AI and ML. All of this is moving forward faster than regulation can keep up, even though the FDA started to lay groundwork a decade ago. Recently the FDA has expanded its Digital Health Unit and developed a Software Precertification Program specifically to address SaMD. Developers of SaMD will need to think about how they can innovate faster feedback loops for patient and healthcare system while also ensuring patient privacy and safety.
SaMD and Privacy
One particular challenge for SaMD is the privacy of health data that is captured and potentially shared by these devices. Certain patient data such as confidential information, family history, and sensitive medical history could be at stake in a data breach. Healthcare data breaches have been a serious issue for many years and have seen massive increases in recent months. So far this year, more than 400 breaches have been reported to HHS by entities that are covered by HIPAA. And while some medical device manufacturers may have thought they were exempt, this is changing. The U.S. Federal Trade Commission issued a policy brief on September 16 clarifying when healthcare apps would be subject to the Health Breach Notification Rule that requires entities not covered by HIPAA to notify consumers if private health information is compromised. The FTC said that developers of health apps and connected devices are considered healthcare providers, and if they disclose sensitive information without authorization that would be considered a breach.
What does HIPAA privacy cover?
The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” Originally more focused on patient medical records and health plans, with consumer wearable medical devices, personal information expends much further.
SaMD and Cybersecurity
The other major challenge for SaMD is cybersecurity. In the past, security for medical devices was viewed simply as a matter of HIPAA compliance. Most medical device companies have not been proactively building security into into the devices themselves and SaMD is not much different. But it becomes a lot more challenging to build in security after a device has been launched. Yet the ultimate goal is to make patient care safe and secure so ensuring that SaMD cannot be hacked or breached is important and needs to be built in by design.
In August 2021, the FDA put out an announcement about cybersecurity vulnerabilities with Blackberry QNX. As medical devices are increasingly connected to the Internet, hospital networks and other medical devices, this increases the risk of potential cybersecurity risks. While SaMD has no “device” per se, it’s connected nature makes it a target and a risk.
When is the best time to implement privacy and security measures in SaMD?
The best time to lay the foundation for privacy and/or security in SaMD is during development, by building in privacy and security by design from the start. With connected software, connectivity is elevated and thus increases the risk factors. It is critical to be proactive and preventative rather than reactive. Work with developers and partners who understand privacy and security by design during the development cycle.
Read more Advantu articles about why Software as a Medical Device is a Game Changer.
How Advantu can help with SaMD Privacy and Security
Advantu brings decades of experience in SaMD, privacy, cybersecurity, AI, ML and how to bring all the latest technology to the FDA approval process. Chat live with our experts today, or fill out our form below to schedule a time to talk.