Software in Medical Devices, by MD101 Consulting

Health IT is florishing, so are the regulations

The health IT industry is very active and launches new IT systems offering new services at a tremendous pace. It is encouraged by the health sector, which sees the benefits of "IT-zation". It is fostered by the government, which settles regularly new legal frames to authorize the use of IT to manipulate critical health data. But at the same time, this legal frame, built in successive layers, multiplies the rules and distributes the control to different agencies.
If one wants to obtain the precious certificates, it has to deal with agencies with poetic names like: ASIP, CNAMTS, CNIL, ANAP, ARS, ENRS, DGCIS. Adding to the confusion, some agencies depend on the ministry of health, some don't.
At the end, the time and money spent to get the certifications may be too high and lead to the opposite of the initial goal. Instead of fostering the deployment of health IT, it may slow it down eventually.

A unique agency and common route

The principle of a common route and a unique agency is copied from the CE mark, which is controlled in France by the Afssaps. (See here for a brief history of the CE mark.).
Like the CE mark, a set of common rules and a common route would be gathered in a unique law. A unique agency would control the good application of the law. To go further (and limit the number of civil servants in this agency), private companies, like the notified bodies for the CE mark, would be delegated by the agency to audit health IT manufacturers and deliver the certificate.

What common rules?

What would be these common rules to follow, to obtain the certification? The big issues are well-known, they are those of IT systems manipulating critical data and demanding a high level of disponibility. They may be a mix of organisational requirements found in ISO standards for medical devices (ISO 1385, ISO 14971) and technical requirements specific to IT.
I cast below a set of domains on which rules shall be defined. Not exhautive, of course!

Technical rules

• State-of-the-art design
• Ease of use
• Interoperability
• Data Security
• Cyber Security
• Availability
• Redundancy
• Maintenability

Organisational rules

• Viligance
• CAPA
• Training
• Support
• Maintenance

Scope of the rules

Achieving a set of common rules for all these subjects is perhaps a too big deal. Some rules may be set easily, like organisational rules, some other not, like interoperability of all systems. For interoperability, the wisdom tells to remain humble and begin with a minimal set of data.
Compared to CE mark, the common rule would be much more specific. The CE mark of medical devices covers a wide range of products, from the simple plaster to the high-tech surgery robot. The rules found in CE mark are very generic. Building rules for IT systems allows to be more specific and focused on IT concerns.

How long?

With an industrial will, well supported by political relays, such an evolution should take 5 years. That's a minimum delay, when governmental agencies have to discuss together with industrials and politicians. The process is just beginning.

In the US

I don't have information about other countries. But I think that it would be interesting to see if one has achieved such a system. The HIPAA voted in 1996 in the United States reached partially this goal. It focuses on data exchange but is silent about all other aspects of IT.

In Europe

And to go even further, the unique law could be voted at the european level. But this will remain a dream a long time. Because all european countries should have to get on with one another, to let their system be interoperable. The initial condition to have interoperable systems is to have the need to interconnect them. This kind of work may last a long time!