MDR: the impact of the new regulation on your choice of cloud provider
The new Medical Device Regulation (MDR) comes fully into force in the EU as of 21st May 2021, with the new IVDR (In Vitro Diagnostic Medical Device Regulations) on 26th May 2022.
The MDR changes how medical software products are classified, including the introduction of a high-risk software class covering software that can cause ‘death or an irreversible deterioration of a person’s state of health’.
Furthermore, for the first time, standalone software is classified in its own right as a medical device if the software fulfils a medical purpose. This applies whether the software is being used in a clinical setting or not.

Consequently, to market your app in the EU, you must gain certification of compliance with the MDR. This places significant requirements on your cloud provision - specifically, that a suitable quality management system is in place throughout the product life cycle (currently for medical devices this is ISO 13485:2016 and IEC 62304:2006), and that the technologies are GDPR-compliant.
In this article we look at some of the key aspects of the new regulation, and how these impact upon choice of cloud supplier.
Does your software qualify as a medical device under the MDR?
Software is regarded as a medical device under the MDR if it is used to treat or diagnose, to drive clinical management, or to inform treatment. The determining question is how the data is being used, as opposed to whether you’re hosting a specific type of data.
So, for example, if your app simply displays usage of a device, such as an inhaler, this does not fall under the MDR. But if the intended use of data includes interpretation and analysis – for example, if the app delivers dosage recommendations based on individual data analysed on the platform – then the software qualifies as a medical device and is regulated under MDR.
Or to take another example: If a doctor reviews the raw patient data collected via a wearable device and makes a clinical decision based on that data, that is an unregulated use. However, if the wearable incorporates a Software as a Medical Device (SaMD) algorithm that analyses data on the platform and makes clinical recommendations, that is a regulated use case.
ISO 13485:2016 - A rigorous focus on safety
ISO 13485:2016 is the acknowledged quality management standard for medical devices, and goes much further than ISO 9001 in its focus on safety. ISO 13485:2016 places a strong emphasis on managing risk throughout the product life cycle, and on anticipating possible problems and having a fix in place before they occur.
Compliance therefore means you need to document everything, and ensure traceability from design and development through all aspects and periods of usage.
Importantly, compliance with ISO 13485:2016 also requires that all your critical providers are compliant. So, when using cloud for MDR, you need to ensure:
- that the platform delivers a suitable service for digital health
- that there is a suitable quality management system in place, equivalent to ISO 13485:2016
- that you will be kept informed of any service changes over time
- that you have a plan for dealing with provider failure
The relation between MDR and GDPR
Essentially, GDPR applies to any company holding or processing personal data in the EU. Accordingly, if your app falls under the MDR, and collects personal data, it also falls under the GDPR.
GDPR compliance is therefore a prerequisite for MDR compliance, and will require:
- the availability of pseudonymization, so that personal information and data are stored separately
- the use of encryption at record-level, with each user’s data secured via a unique key
- a legally-valid audit trail, so that you can track and prove all actions taken
- user consent management, tracking each user’s consent to process their data
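The four requirements in the list above can be shown together in one small data model. The following is an added example, not code from the original article or from any platform it describes: it keeps the identity table apart from the clinical records under a keyed pseudonym, encrypts each record under a key unique to that user (so erasure can be done by deleting the key), refuses to process data without a recorded consent, and writes every action to a hash-chained audit trail that can be checked for tampering. The secrets, names and the `HealthPlatform` class are constructed for the demo; the record cipher is an HMAC-SHA256 counter-mode stand-in so the example runs with the Python standard library alone, and a production system would use AES-GCM from a vetted library with keys held in a KMS or HSM.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed demo secret (assumption: in production it comes from a KMS/HSM, never source code).
PSEUDONYM_SALT = b"\x02" * 32


def pseudonymise(identifier: str) -> str:
    """Keyed hash of a direct identifier: stable for joins, unlinkable without PSEUDONYM_SALT."""
    return hmac.new(PSEUDONYM_SALT, identifier.encode(), hashlib.sha256).hexdigest()[:32]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-GCM so the example needs only the stdlib."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Fresh nonce per record, XOR with the keystream, then an HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or edited record is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class HealthPlatform:
    def __init__(self):
        self.identities = {}  # pseudonym -> PII, held apart from the clinical data
        self.records = {}     # pseudonym -> encrypted clinical records
        self.user_keys = {}   # pseudonym -> unique per-user key
        self.consent = {}     # pseudonym -> current consent state
        self.audit = []       # append-only, hash-chained audit trail

    def _log(self, actor, action, pseudonym, outcome):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "subject": pseudonym, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def register(self, email, name, consent_given):
        pseudonym = pseudonymise(email)
        self.identities[pseudonym] = {"email": email, "name": name}
        self.user_keys[pseudonym] = secrets.token_bytes(32)
        self.consent[pseudonym] = consent_given
        self.records[pseudonym] = []
        self._log("system", "register", pseudonym, "ok")
        return pseudonym

    def set_consent(self, pseudonym, given):
        self.consent[pseudonym] = given
        self._log("user", "consent", pseudonym, "given" if given else "withdrawn")

    def store_record(self, actor, pseudonym, record):
        if not self.consent.get(pseudonym):
            self._log(actor, "store", pseudonym, "denied: no consent")
            raise PermissionError("no valid consent for " + pseudonym)
        blob = encrypt_record(self.user_keys[pseudonym], json.dumps(record).encode())
        self.records[pseudonym].append(blob)
        self._log(actor, "store", pseudonym, "ok")

    def read_records(self, actor, pseudonym):
        key = self.user_keys.get(pseudonym)
        if key is None:
            self._log(actor, "read", pseudonym, "denied: key erased")
            raise PermissionError("no key for " + pseudonym)
        self._log(actor, "read", pseudonym, "ok")
        return [json.loads(decrypt_record(key, b)) for b in self.records[pseudonym]]

    def erase_user(self, pseudonym):
        """Erasure by crypto-shredding: drop PII and the key; ciphertext and audit trail remain."""
        self.identities.pop(pseudonym, None)
        self.user_keys.pop(pseudonym, None)
        self._log("system", "erase", pseudonym, "ok")

    def verify_audit(self):
        """Recompute every entry's hash and check each link to its predecessor."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The separation matters for the audit: anyone reviewing the clinical store sees only pseudonyms and ciphertext, the identity table can sit under stricter access control, and a subject's erasure request is satisfied by deleting their key while the audit chain, which references only the pseudonym, stays intact as the legally required record of what was done.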
A suitable platform for MDR compliance
As outlined above, compliance with MDR is not a straightforward matter, and will involve considerable effort both during the software development phase and throughout the product life cycle.
Of particular relevance is that compliance with ISO 13485:2016 requires that you ensure all your providers - including your cloud service - are also compliant.
It is not mandatory to use an ISO 13485:2016 certified cloud supplier, but if you decide to use a standard, unregulated supplier (for example AWS, Google, Microsoft Azure, etc.), you have to take on all the responsibility for ensuring compliance with MDR. Measures will include:
- Checking that the supplier can deliver the required service, including verifying that their SLAs ensure compliance with all the regulated processes
- Using the supplier’s ISO 9001 and 27001 certification reports to verify they have suitable procedures in place to manage software quality and mitigate security threats
- Carrying out ongoing audits and monitoring your supplier’s news feeds to ensure any changes or updates do not affect your compliance
- Carrying out risk analysis and putting measures in place to mitigate failure of the service
All these requirements can add significantly to development time, as well as requiring you to maintain an ongoing audit to ensure all aspects of your cloud service remain in compliance.
Advantages of an ISO 13485:2016 certified cloud supplier
By contrast, if you use a cloud supplier who is ISO 13485:2016 certified, many of these tasks are already taken care of. Procedures for documenting changes, responding to any issues, notifying you of updates, and more, are already in place.
Through their certification, the supplier is demonstrating, to you and your certification body, that their platform and quality management systems are suitable for a medical device.
Further, with a certified quality management system and many of the technical MDR and GDPR requirements already in place, using a regulated cloud supplier can typically reduce time to market for new app development by 6-9 months.
Limitations of an unregulated platform
At the earliest stages of product development, when you may be planning only a simple companion app (say, a habit tracker that does no more than log device usage), it can be tempting to opt for an unregulated cloud platform.
However, it’s important to remember that, as the companion app gains users, you are likely to want to build on this and make more use of the data you collect - for example, to improve patient engagement by delivering notifications or dosing recommendations.
At this point the software will need to comply with the MDR, and be supported by a regulated infrastructure, suitable quality system, full documentation, and more.
You are then faced with the cost and upheaval of moving all your existing data to a regulated platform, or else with continuing to use an unregulated supplier and taking on the ongoing burden and responsibility of ensuring compliance with MDR.
It is likely to be far more cost-effective and efficient to plan your app roadmap from the start and put in place the regulatory strategy you will need to support your digital health solutions through to maturity.
Extra Horizon: a platform built for eHealth
Extra Horizon provides a fully customizable, medically compliant cloud platform certified to ISO 13485:2016 (as well as ISO 27001:2017 and ISO 27001:2019, relating to PII processing).
This enables creators of digital health products and technologies to take advantage of the full power of cloud connectivity - with the assurance that the administrative burden and investment risk of guaranteeing MDR regulatory compliance of the platform is taken care of, including:
- Verification that we provide the required service, including the SLAs you need for a medical device
- Holding a suitable ISO 13485:2016 certificate and being able to provide the necessary quality agreements
- The necessary documentation and procedures in place to enable quality assurance
- Notification of any service changes with the licensed modules
In the complex medical device landscape, this has numerous advantages. It ensures full security, privacy and regulatory compliance. It greatly accelerates time-to-market and, most importantly, it ensures technology companies can focus their efforts and resources on their product - where their IP resides - rather than the surrounding infrastructure.