Technology Roundup –Augmented Intelligence, Cybersecurity, Augmented Reality 

Our last technology check-in from 2022 focused on artificial intelligence and machine learning in medical devices. Since then, there have been many updates in the healthcare field with respect to regulatory oversight of SaMD, cybersecurity, and medical device implementation of artificial intelligence. There has been an increasing shift toward advanced regulation in an attempt to keep up with advancements in technology. This includes the addition of cybersecurity measures for medical devices in the appropriations bill passed by congress in late 2022, the recognition of the first AI standard by the FDA (AAMI CR34971:2022, Guidance on the Application of ISO 14971 to Artificial Intelligence and Machine Learning), and the final guidance issued by the FDA on Clinical Decision Support Software in September of 2022. 

• AI – Augmented versus artificial intelligence. Experts in this field have shifted focus to the term "augmented intelligence" when describing AI-enabled devices, since the end goal of the relationship between healthcare and AI is to provide an enhanced user experience or improve patient outcomes. 

• Important concepts to consider for augmented intelligence implementation in medical devices is the explainability and transparency of the AI involved. Explainability is essential for end users to be able to determine whether a device is effective for them and their needs, whereas transparency is needed to ensure accuracy of AI when applied to a given dataset and to ensure scalability when increasing the data pool.  

• Regulatory guidance for AI-enabled devices is still needed in the healthcare and medical device space. Key areas for improvements include establishing a set procedure for change controls and the transferability or cost-effective scalability of transferring to upgraded or updated products. The FDA did recently acknowledge the first known AI standard (AAMI CR34971:2022) of a consensus report (CR). Consensus reports are based on the collective expertise of subject matter experts in the field and are not as involved as a technical information report (TIR). The AAMI AI committee has indicated the consensus report will provide the bases for the forthcoming publication of TIR34971 in 2023. 

• The Marketing Submission Recommendations for a Predetermined Change Control Plan for AI/ML-Enabled Device Software Functions draft guidance (April 2023) acknowledges the frequency of required software function updates. To facilitate these updates, a robust pre-determined change control plan (PCCP) should be reviewed with the FDA to align on data management, model re-training processes, how the software functions will be monitored for performance, and how system updates will be implemented. 

• As of April 2023, the UK published the Software and Artificial Intelligence (AI) as a Medical Device guidance, which offers insights on classification of medical devices in addition to highlighting the importance of post market vigilance and methods for incident reporting.  

• The ANSI/AAMI SW96:2023 Standard for Medical Device Security – Security Risk Management of Device Manufacturers (not yet recognized by FDA) emphasizes that the existence of the overlap between cybersecurity risks and safety risks does not mean they should be treated in one category. Cybersecurity risks should be evaluated as standalone, but certain aspects of cybersecurity should inform use-related safety risk documentation as well. 

• The March 2023 issuance of the National Cybersecurity Strategy for the United States [1] highlighted the FTC is focused on advances regarding 1) Single points of failure (outages from a single cloud computing provider may have widespread impact across industries), and 2) Cloud computing security (questions around ownership of data security between cloud providers), market practices, and competition (i.e., service providers). 

• The cybersecurity measures in the appropriations bill passed in late 2022 dictate that any connected medical device obtain pre-market approval prior to public release. The submission must also include the SBOM (software bill of materials) and a plan to monitor device vulnerabilities and implement any necessary software patches or updates for those devices. Importantly, predicates must also meet these current cybersecurity requirements, and cybersecurity standards will be applied to any product going through resubmission even if the resubmission does not pertain to software functions within the device. 

• The ‘Refuse to Accept’ guidance (March 2023) outlines additional requirements such as post-market surveillance plans, procedures to ensure cybersecurity is met and processes for addressing identifies vulnerabilities, and SBOM (software bill of materials – including commercial, open-source, and off-the-shelf software components) for pre-market submissions. 

• The concept of augmented reality (AR) in medical devices poses improvements and challenges for those companies looking to implement this tool.  While physicians are more optimistic and trusting of AR than patients, the FDA should require clinical validation before AR products are marketed, the end user should have a voice in the development of AR technologies, attention must be given to what type of training should be provided for end users of AR systems, and policies & regulations for AR in healthcare and medical devices is behind.  

• The concept of AR, a hybrid reality between the real world and a virtual world, introduces an entirely new area for human factors. This bridging of realities presents a unique user interface and will require engagement with end users to ensure augmented reality environments are built to serve user needs. 

Clinical Decision Support Software 

The issuance of the final guidance on Clinical Decision Support Software[2] provided thorough explanation of which software programs are or are not considered to provide ‘clinical decision support’, or “CDS”. FDA recognizes that the term “clinical decision support” or “CDS” is used broadly and in different ways, depending on the context. The FDASIA Health IT Report of 2014 defines CDS as ‘a variety of tools including, but not limited to computerized alerts and reminders for providers and patients; clinical guidelines; condition-specific order sets; focused patient data reports and summaries; documentation templates; diagnostic support; and contextually relevant reference information’.  

Regulatory authorities have indicated guidance and regulation in these technical spaces is expected and necessary to combat cyberattacks and prevent bias in medical care. The FDA’s A-List priorities in this area include a Final Guidance titled ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The AAMI issuance of TIR34971 in 2023 will provide additional information and expand on the AAMI CR34971:2022 publication. Please reach out to the Agilis (by Kymanox) team if you have concerns about the human factors considerations required for connected medical devices!  

References:

1. “Increasing global cybersecurity regulation of private companies on the near horizon.” JDSUPRA Legal News, by Allen & Overy, Apr 25 2023, https://www.jdsupra.com/legalnews/increasing-global-cybersecurity-2465749/

2. “Clinical Decision Support Software.” FDA Guidance, Sept 28, 2022, https://www.fda.gov/media/109618/download 

About the Author:
Lauren Horn, PhD

Dr. Lauren Jensen, PhD, is a Biomedical Engineer and Sr. Human Factors Consultant with Agilis by Kymanox since 2019. Lauren is experienced in applying human factors principles to the design, evaluation and validation of medical devices and products. Prior to joining Agilis by Kymanox Lauren worked in the startup space in Austin, TX engineering wearable medical products, and competed as a top ten finalist for the NASA iTech Cycle III for innovative technologies. During her PhD at Tulane University School of Medicine, Lauren developed and validated a therapeutic wearable to reduce surgeon tremor and fatigue in the OR.