I’m on my way today to an interesting meeting being held at FDA offices in Rockville, MD. The regulatory groups ISO TC210 and IEC SC62A are convening a formal study group to look at safety requirements relating to installation, configuration and maintenance of networkable medical devices. This is a two day meeting and I’ll be providing updates as we go.

For you non-regulatory policy wonks, TC210 deals with medical device design and manufacture, while SC62A is concerned with the safety impacts of electromagnetic interference (EMI) on medical devices. Neither of these regulatory bodies [standards development organizations] has previously ventured beyond the point of sale of medical devices. In his email invitation to the meeting, Brian Fitzgerald of the FDA described the intent of the meeting:

The advent and maturation of computer controlled medical devices has begun to challenge this historically useful but nevertheless arbitrary risk model. [Regulating medical device vendors up to, but not beyond the point of sale.] We know that the safety of these devices is dependent increasingly on the mutual collaboration between the device manufacturer, his vendor base and the user/operator organization.

Now my first reaction to increasing the regulatory burden (and subsequent cost) on health care is absolutely not, unless there is a clear and compelling need (more on this later). When I read the above the first thing I thought of was not devices, but clinical information systems like CPOE, where implementation and configuration decisions (not to mention product features and usability) can clearly impact patient safety. Perhaps the deployment and use of these increasingly automated and complex systems might warrant new regulatory hoops for hospitals (and vendors). Regulations will have to balance the regulatory burden against potentially poorly understood hazards that could become another barrier to adoption, depriving patients of potentially safer hospital care. Of course, lives lost to hazards will be easier to document then lives lost from that absence of greater levels of patient safety.

Medical device connectivity does increase the after sale interaction between vendor and customer. For example, general purpose computing products have short lifecycles (6 to 18 months), forcing vendors and/or customers to replace failed system components with new models that did not exist when the system was released, not to mention installed. Embedded systems, regulated servers, and client devices running “popular” operating systems can become infected with malicious code and must be “cleaned up” and patched. Good practice requires security vulnerabilities be proactively patched when found. The hospital’s network environment – performance and support – impact connected systems. To date, all of these interactions between customers and vendors concerning networked devices have occurred within existing regulatory frameworks. Certainly levels of customer satisfaction have varied from one incident to another, and between vendors. I’m not aware of any study that’s been published quantifying the patient safety risk.

Here is a high level description of a possible regulatory solution:

Such a standard would require manufacturers, hospitals and any third parties charged by the hospital with designing their network and integrating products into it, to cooperate in assessing, evaluating and controlling possible risks resulting from the combination of products that make up the network.

The above sounds reasonable, prudent, and pretty benign – of course one could accurately describe the FDA’s QSR with similar brevity. But, after reading the 30+ pages of background info that was distributed prior to the meeting, the regulatory imperative is not clear.

Its almost time to board my flight; more later. (These are the posts for day1 and day 2.)