Navigating the Unique Regulatory Challenges of Digital Health Technologies
By Phyllis Meng
The realm of digital health has long been dominated by health and wellness apps. These applications typically focus on helping users monitor various health metrics, like blood pressure and blood glucose levels, and providing reminders for medication schedules. However, their functionalities are limited to tracking and informing without offering diagnostic or treatment decisions, making them exempt from stringent regulatory oversight by authorities such as the FDA in the United States or the Therapeutic Goods Administration in Australia.
Because they are not classified as medical devices and are not subject to regulatory scrutiny, health and wellness apps enjoy a much simpler development and market-entry process, which contributes to their wide availability and global adoption. With minimal regulatory barriers, developers can shorten product development cycles, launch sooner, and reach consumers more broadly. Developers should be aware, however, that market pressure to add features can move a product that started out unregulated into a regulated category.
Regulatory Variability and Product Evolution
Market demands and technological advancements can prompt developers to enhance the functionalities of their apps beyond basic data tracking. The growing demand for personalized, remote health care has led to the advancement of telemedicine, defined as the use of electronic information and communications technologies to deliver and support health care across distances. In recent years, the use of wearables in telemedicine has notably surged, bringing numerous advantages to the health care value chain and evolving to offer enhanced medical personalization, early diagnosis, improved decision-making, and effective patient monitoring.
Digital health products may advance from merely supporting diagnosis to actively diagnosing medical conditions, a progression that often results in reclassification into a higher regulatory category, for instance from Class II to Class III in the US framework. An app initially designed for fitness monitoring might evolve to incorporate features that support clinical decision-making or diagnosis. Such expansions in functionality can trigger reclassification under more stringent categories, such as the Software as a Medical Device classifications used in the United States. With the increasing use of AI-powered technologies in health and wellness devices and apps, regulation is expected to catch up soon.
Although mapping out regulatory requirements for health and wellness applications may seem straightforward, given that they often don’t require stringent compliance, it’s essential to address these requirements during the product’s initial design phase. Developers must not only comply with existing regulations but also anticipate potential shifts in regulatory frameworks as their products evolve.
Tackling this without a plan is inefficient. Foresight is needed for any new feature or functionality that may move the product from unregulated status into a more heavily regulated category, as in the example above of a fitness app evolving to offer health diagnosis, so that the design decisions and evidence a regulator will ask for are in place before the feature ships rather than retrofitted afterwards.
Navigating Country-Specific Regulatory Demands Amidst Cybersecurity Risks
Complicating matters further, the regulatory classification of these products varies from market to market. For example, the FDA applies a risk-based approach to software as a medical device, which has the effect of excluding many apps from regulation and oversight, whereas Europe follows a function-based approach driven by the device's intended purpose, regardless of outcomes. It is therefore essential that digital health developers map out, country by country, the medical device regulatory requirements their products will need to meet.
Moreover, global regulators have raised their security and data protection expectations in response to the rise in cybersecurity threats in recent years, so compliance with privacy and security standards is now an essential part of any digital health regulatory roadmap. Regulatory bodies now mandate that device companies apply security-by-design principles across the entire lifecycle of digital health products, including thorough risk assessments and threat modeling to identify and address potential vulnerabilities before release. In the United States, this also means creating and maintaining a comprehensive, up-to-date software bill of materials (SBOM) for cyber devices, as required by Section 524B of the FD&C Act, which was added by the 2023 US Consolidated Appropriations Act.
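The practical reason an SBOM has to be complete and kept current is that it is only useful if each component can be matched against vulnerability advisories. The script below is an added example, not code from the article or from any regulator's tooling: it loads a constructed CycloneDX-style SBOM for a hypothetical monitoring app, flags components that lack the version or package URL a match needs, and then compares the remaining components against a constructed advisory list. The component names, versions and advisory IDs are all made up for illustration.

```python
"""Check an SBOM for the fields a vulnerability match needs, then match its
components against an advisory list. Added example with constructed data:
the components, versions and advisory IDs below are hypothetical, not real
products or CVEs."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical glucose-monitoring app.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "glucose-companion", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "acme-tls", "version": "2.4.1",
         "purl": "pkg:generic/acme-tls@2.4.1"},
        {"type": "library", "name": "ble-stack", "version": "1.9.0",
         "purl": "pkg:generic/ble-stack@1.9.0"},
        # No version recorded: this component cannot be matched to an advisory.
        {"type": "library", "name": "json-lite", "purl": "pkg:generic/json-lite"},
        # No package URL: harder to tie to an ecosystem's advisory feed.
        {"type": "library", "name": "chart-kit", "version": "0.8.2"},
    ],
})

# Constructed advisory feed (hypothetical IDs). A component is affected
# when its version is below the advisory's `fixed_in` version.
ADVISORIES = [
    {"id": "EXAMPLE-2024-001", "name": "acme-tls", "fixed_in": "2.4.2"},
    {"id": "EXAMPLE-2024-002", "name": "ble-stack", "fixed_in": "1.8.5"},
    {"id": "EXAMPLE-2024-003", "name": "json-lite", "fixed_in": "1.1.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple: '2.4.1' -> (2, 4, 1)."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text: str) -> List[Dict]:
    """Parse the SBOM document and return its component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def find_incomplete(components: List[Dict]) -> Dict[str, List[str]]:
    """Map each component name to the fields it is missing ('version', 'purl').

    A component without these cannot be reliably matched to advisories, so an
    SBOM containing such entries is not yet fit for its regulatory purpose.
    """
    missing: Dict[str, List[str]] = {}
    for comp in components:
        gaps = [field for field in ("version", "purl") if not comp.get(field)]
        if gaps:
            missing[comp["name"]] = gaps
    return missing


def match_advisories(components: List[Dict],
                     advisories: List[Dict]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (advisory id, component name, version) for each affected component.

    A component named in an advisory but listed without a version is reported
    with version None: exposure cannot be ruled out, so it must not silently
    pass as 'not affected'.
    """
    by_name = {comp["name"]: comp for comp in components}
    hits: List[Tuple[str, str, Optional[str]]] = []
    for adv in advisories:
        comp = by_name.get(adv["name"])
        if comp is None:
            continue
        version = comp.get("version")
        if version is None:
            hits.append((adv["id"], adv["name"], None))
        elif parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], adv["name"], version))
    return hits


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("incomplete components:", find_incomplete(comps))
    for hit in match_advisories(comps, ADVISORIES):
        print("affected:", hit)
```

Run as-is, the script reports json-lite (no version) and chart-kit (no purl) as incomplete, flags acme-tls 2.4.1 as below the fixed version, reports json-lite as unresolvable rather than clean, and leaves ble-stack alone because 1.9.0 is already above the fix. The version comparison is deliberately simple (dotted integers only); real feeds need ecosystem-specific version semantics, which is one more reason to record a purl for every component.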
Most digital health technologies will incorporate some form of protected health information to provide personalized and effective services, including accurate diagnosis, continuous patient monitoring and so on. This heavy demand for health care data comes with equally substantial exposure: stricter regulation is no surprise when statistics reveal that nearly 1,000 security vulnerabilities were found across 966 tested medical devices, a 59% year-over-year increase from 2022. Protecting the privacy of collected personal information is therefore critical from a regulatory point of view.
Balancing Convenience With Regulation
The advancements in digital health technologies have made health care convenient for many, including those who don’t have easy access to on-site health care solutions. The general public, for instance, has been encouraged to use wearables to promote a healthier lifestyle. And digital health technologies have become popular among older populations by offering real-time monitoring of potential problems, giving them the confidence to carry on independently with reassurance. When digital health technologies are designed with considerations for regulatory compliance, security, and privacy, they not only avoid potential market obstacles but also maximize benefits for users.
— Phyllis Meng, cofounder and CEO of Pure Global, brings a diverse data analytics and technology background to her role. With experience gained from positions as a key data expert at Citadel Securities and technical team leader at Google, she blends artificial intelligence and biomedical engineering to develop innovative platforms for regulatory and compliance professionals.