Software in Medical Devices, by MD101 Consulting

Network connection

The major difference between a mobile app and an application running on a desktop PC (or a laptop in an office) is the connection to the network, be it an intranet or the internet.
Most of fixed PCs are connected through a wire to the network (usually to access data of a health care centre). Some may be connected with a wireless connection, but they are a minority.
On the contrary, all mobile platforms are connected to the network through wireless connections.

Wireless connections

These connections can be split in two categories:

• Wifi connections provided inside the health care centres,
• Public connections (Wifi or cellular) for general use provided by telecom operators.

The former probably offer a better reliability than the latter, since they are designed for use inside health care centres. But both present the same potential failures.
Moreover, a user may switch from one connection to another in the same working session. All mobile OS platform have the ability to switch to the (supposedly) best connection, given the location of the user.

Risk Assessment

These characteristics of wireless connections form a set of input data for the risk assessment activities. They are subject to possible failures than may present a risk:

• Connection lost,
• Data lost,
• Data corrupted,
• Data transmitted twice,
• Data transmitted with a delay,
• Security failure,
• Loss of privacy.

These types of failures are also relevant for wired connection. But the probability of occurrence of these failures is more important in wireless connections. On top of that, there may be situations where there is no connection at all!
All of these characteristics have an impact at least on the design of the mobile app, for example:

• use of buffers, cached data,
• use of encrypted connections, anonymization of data,
• verification in real conditions (outdoor, with poor wifi), security intrusion tests...

They even may have an impact on the intended use of the mobile app, for example:

• App designed to be a simple viewer of data provided by a remote server,
• Use restricted to clinical cases where the failure of the mobile app present no or minor risks for the patient.

Guidances and standards

The literature about mobile medical apps is expanding very quickly. There are however few "official" documents provided by regulatory agencies and standardization organisms. As usual the FDA gives the tone in information technologies.

FDA guidance

We saw in the first post of this series that the FDA released a guidance on mobile medical apps. But it doesn't contain relevant information about wireless connections.

Another guidance on RF wireless technologies gives a few clues about wireless network connections, even if it is more dedicated to short-range RF technologies. Considerations on quality of service, Security of wireless signals and data, and Risk-based approach to verification and validation are fairly useful for wireless network connections.

Recognized standards

The FDA also recognizes a set of standards that can be interesting in the design and maintenance of wireless connections:

• IEC/TR 80001-2: Application Of Risk Management For IT Networks Incorporating Medical Devices. Especially part 2-3: Guidance For Wireless Networks,
• IEC/TR 80002-1: Medical Device Software - Part 1: Guidance On The Application Of ISO 14971 To Medical Device Software.

Note: Both standards are reserved to expert readers, who already know IEC 62304 and ISO 14971 standards.

Conclusion

Despite the commercial promises of telecommunications operators, wireless connections are by essence not secure and not reliable. Mobile medical apps exclusively use wireless connections. The design and maintenance of these apps shall be made with proper risk analysis process, to mitigate the risks related to failures of wireless connections and their security.

Next time we'll see human factors engineering in the context of use of mobile medical apps.