Medical device post-market surveillance: Updates and trends
Post-market surveillance (PMS) is a critical part of pharmacovigilance, the science that focuses on the detection, evaluation, monitoring, and prevention of the unwanted effects of pharmaceutical products. It is vital in ensuring the safety and effectiveness of medical devices.
With the crucial role PMS plays in the healthcare industry, it merits the attention of patients, device manufacturers, and regulators. There have been developments involving or affecting post-market surveillance that need to be highlighted because of their far-reaching consequences.
Expanded authority of the US FDA
The passing of the 2023 Omnibus Bill marked the expansion of the authority of the United States Food and Drug Administration (FDA) over the cybersecurity of medical devices. The US Congress granted additional funding and statutory powers to the FDA in a game-changing move for healthcare cybersecurity.
The expanded authority allows the FDA to require medical device makers to implement a secure product development framework that ingrains security into their devices. This requirement covers all devices that have software/firmware in them, those that are capable of connecting to the internet, and those that can become vulnerable to cyber threats.
Medical product applications submitted for FDA approval must include details on how manufacturers secure their products. The first two of the following requirements are directly related to post-market surveillance.
- A plan for monitoring, identifying, and addressing post-market vulnerabilities. The development of the plan should ensure that threat identification and mitigation efforts are undertaken in a timely manner. It is also important to have coordinated vulnerability disclosure.
- Details on processes and procedures implemented to ensure the security of devices and related systems. This includes the guarantee of post-market security patches and firmware updates.
- Software bill of materials. Comprehensive details about the software components should be submitted. These include information on the use of open-source, commercial, and other third-party software components.
- Cybersecurity certification. The new FDA powers also provide legal authority for the agency to oversee the compliance of medical device makers with certain regulations that help demonstrate their products’ cybersecurity.
Another important highlight of the FDA’s expanded powers is that the agency may target not only newly released devices. It can also impose its new requirements on devices that are already on the market, which had already been cleared or approved by the FDA prior to the passing of the 2023 Omnibus Bill. This makes it necessary for manufacturers to invest in a reliable system of post-market oversight.
The FDA issues orders that require device makers to submit post-market surveillance plans, detailing and explaining how they can comply with regulatory impositions. The plans should include details on what the product is about, its regulatory history, approved purposes, PMS study design and objectives, primary and secondary endpoints, follow-up plans, evaluation procedures, data collection processes, statistical analysis procedures and guidelines, and schedules for interim and final report submissions. The FDA may order specific companies to submit PMS in response to recently reported adverse events concerning specific medical products.
IoT security labeling
The Biden administration intends to implement an IoT security labeling program in 2023. This program is similar to the Energy Star stickers, which indicate the energy efficiency of household appliances and other electronic devices. Instead of reflecting energy efficiency, the proposed IoT labeling system focuses on the cybersecurity of the products available on the market.
The labeling program seeks to promote the use of secure devices by informing customers which products are secure and which ones are not. In a White House statement, National Security Council spokesperson Adrienne Watson said that "a labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards and retailers to market secure devices."
Many IoT devices are used in the medical setting. These include remote patient monitoring gadgets, glucose level monitors, heart rate monitors, and connected inhalers. IoT security labeling establishes a system that encourages device makers to continuously monitor their products to attain and maintain favorable labels.
These labels may not immediately remove non-secure devices from the market, but they create an inhospitable environment for devices that do not comply with cybersecurity regulations. They gradually drive out run-of-the-mill products that never took cybersecurity into account in their development.
To avoid the notoriety of being labeled non-secure, device manufacturers are forced to take steps that improve their ability to secure their products, including post-market surveillance. IoT security labeling is not just a one-off action that carries on for the rest of the lifecycle of a device. It can be revoked or modified depending on new developments on the ground. Newly discovered vulnerabilities that were not detected before will be reflected in label updates.
EU Medical Device Regulation
In the European Union, EU 2017/745 or the Medical Device Regulation (MDR) includes a provision that asks medical device manufacturers to include a PMS plan in their requisite technical documentation. Companies may be required to submit a post-market surveillance report (PMSR) or a periodic safety update report (PSUR) depending on the class or category of device they are producing.
Compared to the FDA authority updates and proposed IoT cybersecurity labeling in the United States, the EU MDR has been in place for quite some time. Its core policies are already years old. However, there have been recent updates worth noting. These include the publication of MDCG 2022-21, which sets guidelines on PSUR based on the EU 2017/745 regulation. The manual on borderline and classification under EU 2017/745 and EU 2017/746 as well as the MDCG 2022-4 Rev 1 guidance were also updated in December 2022.
Trends and prospects
New regulations and updates on existing ones show that there is a push toward better post-market medical device surveillance. Regulators and governments in the world’s leading economies acknowledge the growing threats affecting the healthcare sector. Recent cyber attacks on the medical industry make it necessary to put in place better security mechanisms and to empower device makers and end users.
Medical device manufacturers have been responding positively to regulatory changes. In particular, they have been improving their data sources with steps like using real-world data (RWD) and real-world evidence (RWE) as they monitor the effectiveness, safety, and security of their products. There is also a growing emphasis on patient-reported outcomes (PROs) in post-market surveillance. These PROs provide patient-generated data that help make PMS reports more reflective of what patients and end users experience on the ground.
In summary, post-market surveillance plays a crucial role in the safety and effectiveness of medical devices. It is a welcome development that there have been efforts to make it better. Recent regulatory updates reflect the need to keep up with the cyber threats hounding the healthcare industry. The systems for undertaking PMS have also been enhanced with the use of better data, particularly reflecting real-time developments, evidence-based information, and patient-generated reports. Even cybersecurity providers are stepping up with solutions to help improve PMS processes. All of these benefit patients or end users of medical devices as well as the healthcare industry in general.
Peter Davidson works as a senior business associate helping brands and startups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.