Safe by design

Imagine a world where mobile devices allow continuous monitoring of diabetic patients’ blood sugar, cystic fibrosis patients’ breathing, and post-surgical patients’ vital signs – enabling continuous treatment adjustments and alerts to clinicians when emergencies arise. Among the benefits would be better, more personalised, treatment and improved clinical outcomes, with fewer clinic visits and greater independence for patients.

Many mobile, or mHealth, devices needed to bring such dreams to life already exist or are in development, and are rapidly entering wider service. These include connected wearables and other mobile sensors, smartphone apps and smart drug delivery devices.

When networked with electronic health records (EHR), advanced analytics, call centres and telemedicine technologies, mHealth devices provide the real-world patient data and instant communications that make possible a complete redesign of patient care that we call the continuous safety monitoring paradigm.

The continuous safety monitoring model shifts the focus of patient assessment and treatment out of the hospital and clinic, and into patients’ homes, schools, offices and playgrounds. It enables not just better patient convenience, but better patient care by:

  • Assessing patient symptoms and progress based on his or her actual ongoing experience in the real world rather than the results of sporadic, artificial office tests
  • Adjusting treatments in real time rather than at office visits that may be weeks or months apart
  • Empowering patients to care for themselves with information that helps them understand their condition, and prompts them to take or adjust therapy or daily living activities
  • Alerting clinicians immediately to complications or exacerbations requiring intervention

As this emerging approach takes hold and shows long-term results, it is likely to become the standard of care for many serious and chronic conditions. It will also profoundly influence the design and development of medical devices.

Already payers and regulators increasingly require device developers to demonstrate the benefits of their products in terms of how they improve patients’ lives, and their effect on patients’ need for other services. For example, they might ask for evidence that a mobile network-connected spirometer not only accurately measures lung capacity, but also that its use helps improve COPD or CF patients’ ability to do daily tasks like walking to the grocery store, or that it reduces the need for emergency room or hospital treatment.

In response, mobile device and app developers must think of their products in terms of how they can promote positive patient outcomes, both alone and in combination with systems that enable continuous safety monitoring. And while the intent is simple, designing and developing integrated solutions that clearly meet patient needs is complex and technical.

For example, safe mHealth design requires developing and validating new outcome measures. It’s not enough to arbitrarily set, say, walking 1,000 steps daily as an outcome for a COPD or heart failure therapy. Showing that walking a specific distance daily makes patients more independent in activities of daily living, or keeps them out of the emergency room, is also required.

Moreover, the accuracy of the device or app in measuring the target outcome under real-world conditions must be demonstrated, and this, too, is technically challenging.

Partnering with a CRO experienced in developing and validating new patient-centred outcome measures – and meeting other emerging regulatory, payer, practitioner and patient needs – can help. ICON has this experience and expertise. Together we can make new devices and apps, and patient care overall, safer by design.

Cybersecurity and safety

Many mHealth devices and apps depend heavily on electronic communication – between mobile sensors and apps; apps and central servers; servers and EHR systems; and among physician offices and support centres, and patients’ apps and devices. Safety requires that these communication channels be secured at every step against known and emerging cybersecurity threats.

Among these are:

  • Ransomware, in which hackers threaten to interrupt a device or app’s function unless a ransom is paid
  • General malware, such as viruses or bots for launching denial-of-service attacks, interfering with device or app function
  • Privacy breaches, in which protected patient data is exposed
  • Device takeovers, in which an attacker gains control of a cardiac pacemaker or other device
  • Financial blackmail, in which the vulnerability of a device is exposed by parties trying to manipulate stock prices

Protections against these threats must be built in from the earliest design stage and updated for the life of the device or app as part of an overall risk management approach. This, too, requires considerable technical expertise and experience.

Protection begins with developing devices and applications using secure coding and privacy design practices, data encryption, and restricting data access to authorised users. Safety measures including public/private key encryption, strong authentication, positive user identification, user access tracing and session timeouts should be designed in from the outset.

Biometric protections, such as fingerprint readers and facial recognition, are emerging as methods that are both secure and convenient. Adaptive security controls can be included to apply additional controls based on risk factors, such as a new geographic location that might expose a device to attacks from unprotected networks.
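The two paragraphs above name several controls without showing how they fit together on the server side of an mHealth system. The following is an added example, not ICON's code nor that of any device vendor: a small access controller for a patient-records API that restricts reads to authorised users (a patient sees only their own record, a clinician only their assigned patients), expires idle sessions, writes an audit entry for every decision, and applies an adaptive control that demands a second factor before a session already seen in one country may be used from another. The user and patient identifiers, the 15-minute idle timeout, the two-letter country codes and the second-factor values are all constructed for illustration.

```python
"""Access control for an mHealth records API (illustrative, constructed data)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: a session expires after 15 idle minutes


@dataclass
class User:
    user_id: str
    role: str               # "patient" or "clinician"
    patients: Set[str]      # patient records this user may read (a patient lists only themself)
    second_factor: str      # constructed stand-in for a real one-time code or biometric check


@dataclass
class Session:
    user_id: str
    last_seen: float                              # seconds, supplied by the caller for testability
    countries_seen: Set[str] = field(default_factory=set)


@dataclass
class AccessController:
    users: Dict[str, User]
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)   # user access tracing

    def _log(self, session_id: str, patient_id: Optional[str], country: str,
             decision: str, now: float) -> None:
        self.audit.append({"time": now, "session": session_id, "patient": patient_id,
                           "country": country, "decision": decision})

    def login(self, session_id: str, user_id: str, country: str, now: float) -> None:
        # Assumes primary authentication (password, certificate, biometric) already succeeded.
        self.sessions[session_id] = Session(user_id=user_id, last_seen=now, countries_seen={country})
        self._log(session_id, None, country, "login", now)

    def read_record(self, session_id: str, patient_id: str, country: str, now: float,
                    second_factor: Optional[str] = None) -> str:
        sess = self.sessions.get(session_id)
        if sess is None:
            self._log(session_id, patient_id, country, "denied: no session", now)
            return "denied: no session"

        # Session timeout: an idle session is discarded rather than refreshed.
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[session_id]
            self._log(session_id, patient_id, country, "denied: session expired", now)
            return "denied: session expired"
        sess.last_seen = now
        user = self.users[sess.user_id]

        # Adaptive control: a country this session has not been seen in is a risk
        # signal, so the request must carry a valid second factor before it proceeds.
        if country not in sess.countries_seen:
            if second_factor is None or not hmac.compare_digest(second_factor, user.second_factor):
                self._log(session_id, patient_id, country, "step_up_required", now)
                return "step_up_required"
            sess.countries_seen.add(country)

        # Least privilege: only records explicitly assigned to this user are readable.
        if patient_id not in user.patients:
            self._log(session_id, patient_id, country, "denied: not authorised", now)
            return "denied: not authorised"

        self._log(session_id, patient_id, country, "granted", now)
        return "granted"


def build_demo_controller() -> AccessController:
    """Constructed users: one clinician assigned two patients, and one patient."""
    return AccessController(users={
        "clin-1": User("clin-1", "clinician", {"pat-1", "pat-2"}, second_factor="246810"),
        "pat-1": User("pat-1", "patient", {"pat-1"}, second_factor="135790"),
    })


if __name__ == "__main__":
    ctrl = build_demo_controller()
    ctrl.login("s1", "clin-1", "IE", now=1000.0)
    print(ctrl.read_record("s1", "pat-1", "IE", now=1010.0))                           # granted
    print(ctrl.read_record("s1", "pat-1", "FR", now=1020.0))                           # step_up_required
    print(ctrl.read_record("s1", "pat-1", "FR", now=1030.0, second_factor="246810"))   # granted
    for entry in ctrl.audit:
        print(entry)
```

The audit list is what "user access tracing" means in practice: every decision, including denials and step-up prompts, is recorded with the session, record and country involved, so unusual patterns (many denials, repeated step-up failures from a new country) can be detected after the fact. The second-factor comparison uses `hmac.compare_digest` so that a wrong code is rejected in constant time regardless of which character differs.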

In addition to the device itself, the security of any server, application and web service, or other device it connects to, along with any intermediary device, must be addressed. Cell phone and internet connections, as well as the receiving server, also should be encrypted and protected against unauthorised use.

Moreover, human factors must be addressed. Requiring strong, unique passwords and designing workflows and security procedures that ensure data remain protected – such as not sharing passwords – are additional protection layers. And, physical security, such as keeping servers in a locked room, helps protect devices and data.

Since cybersecurity threats evolve quickly and continuously, manufacturers must continually monitor for new vulnerabilities, and update software and take other steps to mitigate potential and actual vulnerabilities for as long as a device or app remains in service.

Achieving all these ends is beyond the capabilities of even the biggest medical device and app developers. It requires collaboration with other manufacturers, experienced programmers, and commercial virus and malware monitoring and protection services. Partnering with a CRO, such as ICON, with significant experience and connections with industry cybersecurity and monitoring and response coalitions can help keep your devices safe by design.

For more information contact ICON’s Medical Device and Diagnostic Research group leaders.