Interconnectedness of medical devices can be a huge benefit to society. For instance, the MRI machine used to scan a patient’s back can instantly transmit the images to the practitioner in their office, for immediate analysis and diagnosis. A connected heart-rate monitor can provide tremendous value to a practitioner, through capture and detection of transient conditions that might not be apparent from a single EKG scan. A connected glucose monitor can continuously track a patient’s blood sugar level and connect with an insulin delivery device. A mood/depression monitor can be used to trace the fluctuating physical states that can be used to interpret ongoing mental state.
Envisioned growth areas for IoMT (Internet of Medical Things) include connected inhalers, digestible sensors, connected contact lenses, and robotic surgery. According to a report by Fortune Business Insights, the IoMT market was almost $72B in 2020. Emerging popularity of remote patient monitoring and smart wearables is expected to drive the IoMT market to $176B by 2026 and to $446B by 2028.
Hazards Introduced by IoMT
As defined in ISO 14971, harm is injury or damage to the health of people or damage to property or the environment, and a hazard is a potential source of harm. IoMT presents a new set of hazards. Any IoMT device that can impart an effect on a user/patient, such as introduction of energy (e.g., pacemaker) or chemical transfer (e.g., insulin delivery), carries the risk of a rogue agent taking control of the device, with potential direct impact on the physical well-being of the user/patient.
A more insidious risk is the possibility that a rogue agent could gain access to a device or to a medical software system (such as an electronic health record system) and retrieve sensitive patient data, such as medical or financial data. Because the ultimate harm may be to a patient’s finances or medical records, the risk of bodily harm is much lower. However, the insidiousness lies in the potential time discontinuity between the breach and the effect as well as the potential for attacks on many victims.
Mitigating IoMT Hazards with Risk Management
The hazards presented by IoMT products must be mitigated by an effective risk management process. Because IoMT products will necessarily incorporate software, applicable risk management processes are a reflection of the software safety classification. Per IEC 62304, all software within medical devices is assigned a classification, based on the severity of the harm that can be inflicted owing to failure of software to perform as specified. The most stringent classification, Class C, is assigned to software that can result in death or serious injury, and Class C is the default classification until otherwise justified.
One method of reducing the software classification, and in turn reducing the associated documentation and risk management load, is to reduce the likelihood of occurrence through implementation of a hardware risk measure. Unfortunately, because of the multi-level software stack structure utilized for internet communication, implementation of a hardware risk measure to reduce the risk in IoMT is quite difficult, if at all possible. As a result, developers of IoMT products must be prepared to perform software risk management commensurate with Class C software classification.
Mitigating Risk in IoMT Product Development
Medical device manufacturers can minimize risk through the following:
- Risk Management Planning: Developing a risk management plan that defines the risks being managed and the process by which they are being managed. Planning usually occurs in advance of product design, concurrent with development of product requirements.
- Risk Assessment: Employing various methods for risk assessment, including failure mode and effects analysis (FMEA); failure mode, effects, and criticality analysis (FMECA); hazard analysis; fault tree analysis; event tree analysis; and root cause analysis. Data compiled during the risk assessment process is stored in a dedicated database, ensuring traceability and completeness. The culmination of each risk assessment cycle is a summary report, identifying the most critical risks.
- Risk Mitigation and Monitoring: At each iteration of risk assessment, applying mitigation strategies to the most significant risks. Crucial to the risk management process is documentation of risk assessment and resultant mitigation strategy, captured as formal risk management reports.
As medical devices, IoMT products require effective risk management (per ISO 14971) and a quality management system (per ISO 13485), and they will also likely need a fully documented software development process for Class C (per IEC 62304). The complexities of these standards may pose a daunting challenge, and there are specialists available with the background and experience to assist in navigating these standards, providing guidance and advice for executing the necessary processes and developing high-quality documentation that meets regulatory needs.