Future shock: What happens when medical device technology moves faster than regulation governing it?

People worry about getting their bank account hacked, and so they should, attorney Peter Levy said. But, the life science lawyer posits that, in the health care technology space, such issues will soon become — quite literally — much more life-or-death.

“When you think about the convergence between software, cloud computing and medical devices … what happens if you’re wearing a pacemaker that’s running on software that’s able to be hacked remotely?” he said. “What if lives depend on a product that could get hacked?”

Levy, partner and chair of the Life Sciences and Emerging Technologies practice groups at Roseland-based Mandelbaum Barrett P.C., said the digital connectedness of medical devices is introducing new questions that, so far, regulators have shed little light on.

The conversation centers around a new class of biomedical innovations defined as “Software-as-a-Medical Device,” or SaMD. Over the past two years, the Food & Drug Administration, which is tasked with approving drugs and medical devices based on their safety profile, has come to grips with the necessity of regulating this new space — given the tremendous amount of money that’s being invested into web-connected medical tools.

“The integration of technology and medicine has now come to a significant crossroads, which perhaps was always anticipated as a future trend but, with the pandemic, has accelerated,” he said. “Like happens so often, the technology and the science has gotten ahead of the regulations.”

Levy, who spent several years at the helm of a pharmaceutical company working on FDA approvals, said that, so far, all that’s available from regulators is drafts, principles and guidance. None of it adds up to an approved rule-set for how the risks of these products will be handled.

On a basic level, federal regulars split medical devices into three classes, Levy explained: Low-risk, “why even regulate it,” devices such as bed pans and bandages; intermediate-risk products such as contact lenses and catheters; and the high-risk pacemakers, cochlear implants and other more invasive or life-sustaining instruments. Each comes with an increased degree of scrutiny and reporting requirements for FDA approval.

Where does software and connected devices with medical applications fit into that picture?

Decisions with the force of regulation haven’t been made on that question yet.

But, Levy said, it’s clear there’s an awareness that the risks are there.

“There was a survey done by the FDA of biotech companies that revealed that, for the past 13 quarters, software issues were the No. 1 cause of medical device recalls,” he said.

One of the touted breakthroughs in medical diagnosis and treatment — and, for that matter, medical devices — is the use of artificial intelligence to assist clinicians. Analytics can enhance decision making on critical medical needs without the need for face-to-face contact with medical professionals, Levy said.

On the other hand, AI lacks what Levy calls “practical doctor logic,” a human component essential for mitigating certain risks in a health care setting. And the collection of volumes of data for analysis might introduce privacy and security vulnerabilities — not to mention, Levy adds, a slew of new liability questions.

“It’s difficult to assess who’s exactly liable if something goes wrong (in the course of using a software-connected device),” he said. “Could it be the doctor who gave you the technology that’s maybe responsible that’s keeping you alive? Or the technology manufacturer? The hospital that relied on it?”

Levy finds an easy analogy in another emerging technology: Think of all the questions of liability involved in the AI decision-making of self-driving cars.

And it doesn’t have to be next-generation AI, either. There’s simpler data-collection sensors and apps patients are using today to monitor particular conditions, to provide health reminders for themselves or to check in on their progress as clinical trial participants.

That all might involve protected health information vulnerabilities or the potential for inaccurate data readings. And, so, it all potentially comes with more risk than a bed pan classified as a low-risk medical device.

Simply put, Levy said there’s going to need to be a more clear-cut regulatory reckoning with the safety profiles of current-day health technologies. He sees a lot of talk of accountability down the road.

Levy drew on the experience of vehicle manufacturers and drivers at the turn of the century, when the Model T came with few — and mostly optional — safety features.

“It’s no different today,” he said. “The companies that can produce all of this tremendous technology, they’re well ahead of the regulators.”