App regulation one week on: MHRA, MDD and NHS in the spotlight

So it’s been a week since we published our document Regulation of health apps: a practical guide alongside the news that the Mersey Burns app has been released – the first app manufactured and CE marked as a Class I Medical Device in the UK.

And what a week it’s been.  On the whole our report garnered some positive press and the report has been downloaded over 500 times already – thanks to some great coverage on TechCrunch, MobiHealthNews, GPonline, PharmaPhorum and PMlive to name just a few.

But what we didn’t anticipate was two separate but somewhat related stories occurring immediately afterwards.

What is the role of the MHRA, and does the MDD go far enough?

The PIP breast implant scandal, which has been rumbling on for some time now, has turned to focus on the role of the MHRA under the EU Medical Devices Directive.  For more see the Lancet (A serious regulatory failure, with urgent implications and The scandal of device regulation in the UK), the Telegraph (Breast implant scandal ‘inevitable’ due to MHRA failings: Lancet) or listen to yesterday’s Today program on BBC Radio 4 (Medical device rules ‘not fit for purpose’).

The avenues for discontent with the current state of affairs can be summarised as follows:

  1. The UK’s Medical Devices Agency (a precursor to the MHRA) should never have been disbanded in the first place
  2. The delegation of certifying Class II and above medical devices from a Competent Authority to Notified Bodies has proven unsatisfactory
  3. The Medical Device Directive results in regulation that is too reactive in approach (i.e. intervene only when problems with medical devices are reported), rather than proactive (i.e. intervene when potential problems with medical devices are identified).  The FDA certainly wields power in the latter form – the Mobile MIM app is a good case in point.

It will be very interesting to see how the MHRA and the Department of Health respond given the power of the PIP story – watch this space for a knee-jerk reaction.

Data security and information governance

Our mission at d4 is to improve patient care by placing modern technology in the hands of doctors, nurses and health professionals.  We recognise that data security and information governance are critical topics in IT – placing this in the context of healthcare and mobile raises the importance further.  One of the aspects of this is therefore how organisations manage risk – our latest report looks at the risks presented by apps in particular and provides ways to mitigate these.

Therefore you can understand why last week’s headline in the Guardian (NHS warns staff over tablet security risks) caught our eye.  According to the article, NHS Connecting for Health have advised staff that “these devices are inherently less secure than more traditional technology.” The ‘Good Practice Guidance’ lays out various considerations according to the article – we’ve asked the CfH for a copy so that we can understand the guidance in full, but are yet to receive a reply.

All very well, until you recognise that in the very same week Brighton and Sussex University Hospitals Trust are fined £375,000 by the Information Commissioner’s Office for failing to destroy hard drives containing sensitive patient data.  It’s hard to take the NHS seriously on preaching information governance standards for personal devices when it can’t even get the basics right.

Updated guidance on standalone software under the MDD

We referenced in our report that new formal guidelines (a MEDDEV) are expected soon.  The BSi have now confirmed this, but the document itself is yet to be formally named, numbered and published.  We’ll keep you posted. [Hat tip to Erik Vollebregt at the medicaldeviceslegal blog.]

