Tag Archives: medical devices

National Medical Devices Promotion Council under the Department of Industrial Policy and Promotion (DIPP)

The Union Minister of Commerce and Industry and Civil Aviation, Suresh Prabhu, on 14 December 2018, announced the setting up of a National Medical Devices Promotion Council (“Council”). Though the medical devices industry has been growing steadily, it is primarily import driven. Thus, the setting up of the Council would perhaps spur domestic manufacture in the sector.

This is an announcement and we look forward to information / notification when the Council is  set up and the processes announced are implemented.

The Council would be headed by the Secretary of the DIPP. Further, it would have representatives from the health care industry and quality control institutions. Institutions such as Andhra Pradesh MedTech Zone, Visakhapatnam would provide technical support to the Council.

The Council will have the following objectives:

  • Act as a facilitation, promotion and developmental body for the Indian medical device industry.
  • Hold periodic seminars, workshops to garner views of the industry and understand the best global practices in the sector.
  • Simplify the approval processes for the medical device industry.
  • Enable the entry of emerging interventions and support certificates for manufacturers to reach levels of global trade norms and facilitate India to become an export driven market.
  • Support the dissemination and documentation of international norms and standards for medical devices by capturing the best practices in the global industry.
  • Drive a robust and dynamic Preferential Market Access (PMA) policy by identifying the strengths of the domestic manufactures and discouraging unfair trade practices in imports.
  • Undertake validation of Limited Liability Partnerships (LLPs) and such other entities within MDI sector which would add value to the industry strengths in manufacturing to gain foothold for new entrants.
  • Make recommendations to government based on industry feedback and global practices.

Available at: http://pib.nic.in/newsite/PrintRelease.aspx?relid=186385

SaMD- Need for Regulation.

SaMD – Need for Regulation


The tectonic shifts in technology are transforming human life in ways unfathomable just a few years ago.  Health-tech and med-tech are touching our lives continuously through a number of ways –  from simple wearable devices to complex invasive devices; simple AI software which can predict and sense to complex AI software which can diagnose; sensors and other hardware devices including the mobile phone with ever-increasing computing power.

Some of these have made human lives so dependable on these devices, gadgets, software and in some cases, these are dumbing human intelligence.

We witnessed software wherein by looking at a camera on the mobile phone, the software can predict the heart rate and many other vitals. What if human intelligence gave way in believing the reading as true? The software or the camera is not a medical device and hence outside the purview of regulations usually applicable for medical devices. Can we ignore the risks? If so, should software be treated as a medical device?

Software as Medical Device (SaMD)

A broadly accepted definition of a SaMD is the one issued by the International Medical Devices Regulation Forum (“IMDRF”), currently, Australia, Brazil, Canada, China, Europe, Japan, Russia, Singapore and the United States of America are member countries to this Forum. This definition has been adopted by the Food and Drugs Administration (FDA) in the United States, The Medical Device Directive adopted in the European Union in 2010, and in major countries such as Australia, Canada and Japan.

The term “Software as a Medical Device” is defined as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device. It includes an in vitro diagnostic medical device. It must be capable or running on a computer platform that is not of a medical purpose, and should not need a hardware medical device to achieve its purpose. It can be interfaced or used in a combination with other devices, but cannot be used to drive a hardware device. Mobile applications meeting this definition are also considered as SaMDs. [1]

The ‘medical purpose’ that it must intend to serve can be diagnostic, preventive, investigative, life-sustaining, for treatment of disease or injury, disinfection, control of conception or purely informative. In some jurisdictions, aids for persons with disabilities, devices for assisted reproduction and devices incorporating animal and/or human tissues are also recognized. A SaMD can also be a means to suggest mitigation of a disease or provide aid to diagnosis. [2]

There are further guidelines on the definition of changes to SaMDs- they can be adaptive, corrective or preventive in nature. The manufacturer of SaMD would be a natural or legal person who has the intention for the software to be used under his/its name. It would not include a distributor or the manufacturer of an accessory. The final legal responsibility lies with the manufacturer unless it is specifically imposed on another party by the country’s regulatory authority. [3]

Putting them to use

SaMDs are now available in abundance in the Indian market. Both foreign manufacturers, as well as Indian manufacturers, are introducing so many forms of SaMDs. This includes use of artificial intelligence, IoT, general software etc. Interesting, many SaMDs are enjoying high adoption rates not only by early users but continued users.

The glaring point is that there is no legislative framework or guidance policy which works as a guiding principle for the SaMD manufacturers or at least as a self-regulating piece of legislation, in India.

The Medical Devices Rules, 2017 which will come into effect from January 1, 2018, has now defined medical devices and has made a clear distinction between drugs and medical devices, but still this definition does not include SaMDs or software as a medical device.

Interestingly, the draft Medical Devices Rules, 2016 on basis of which the Medical Devices Rules, 2017 have been formalized included software in the definition of medical device. With the market being flooded with AI, IoT, general software, wearable, and wellness and customized medical devices, software as a medical device as a whole should be considered with equal importance in the sector. Curiously, the definition of medical devices under Foreign Direct Investment policy includes software.


The IMDRF has worked extensively in setting guiding principles for governing SaMD and has put in place a regulatory structure for how the SaMDs shall be governed, regulated, clinically evaluated and how the data shall be evaluated and then used by the SaMD.[4]

While India has not yet included any software or apps in its regulation purview, countries like USA, Singapore, Australia, EU and Japan has issued guidance documents to make the app developers aware of what might be subjected to regulation. The common theme that determines the classification is the level of risk that these apps pose to the consumers.

For example, let’s take an app which allows a user to take ECG test by putting their fingers on an external device which is connected wirelessly to the smartphone. It checks the electrical activity of the heart. Such apps may be considered as risk and be subject to regulation since the belief is that any incorrect analysis may hamper a user’s treatment. However, the Government authorities need to strike a balance while assessing these risks so that not all apps need to be certified under the law so that innovation is not hampered. It is indeed a very fine balance.

General wellness apps or products such as apps tracking and assisting in maintaining healthy body weight, or products are generally kept out of the purview of law versus apps which tracks and assists in say monitoring blood sugar or other vitals or treats specific health issues or provides guidance for treatment of specific illnesses.

The whole purpose to bring these apps under regulation is that there is a certain amount of rigour before the apps are released to the market and there are onus and responsibility on these makers. It should enable the app developers to be mindful of how is the product or app is advertised, claims as well. To protect consumers, certain jurisdictions, like Singapore, have mandated the manufacturers/ app developers to put a clarification statement on their product or on their apps. This statement should clearly state that this app or product is not intended to be used in a diagnosis, monitoring, management or treatment of any disease.

Keeping all the innovation in health-tech space, India should provide guidance on SaMDs. The regulatory framework in India for medical devices is by the Central Drugs Standards Organization widely known as CDSCO. The new Medical Devices Rules, 2017 are comprehensive and now comprehensively covers almost 351 medical devices and about 247 in-vitro medical devices it still does not cover SaMDs.

Given the increased use of mobile technology and awareness, guidelines on SaMDs could contribute to improving the affordability and availability of healthcare, including rural India, which has a huge user base. Gradual rigour in legislation will allow India to meet increased need, according to when resources for monitoring and enforcement become more available. India already follows the IMDRF regulations with respect to clinical trials and the clinical evaluation of medical devices, with respect to documents, licensing and safety standards. [5]


It is important for the legislation to allow the industry to grow and achieve its potential, especially in a country like India where there is a need for a better point of care medical solutions but at the same time provide unambiguous guidance. A good starting point would be a self-regulating mechanism with a set of standards, methods and procedures, clinical evaluation process. Such guidance would help improve innovation as well and guide the nascent Indian SaMD industry.

Author: Manas Ingle


[2] Ibid.

[3] Ibid.

[4] http://www.imdrf.org/docs/imdrf/final/consultations/imdrf-cons-samd-ce.pdf

[5]NadimpalliRadhadevi  et al., Regulatory guidelines for medical devices in India: An Overview, Department of Pharmaceutics, JSS College of Pharmacy, Asian Journal of Pharmaceutics, January- March 2012.


Medical devices have seen quantum leaps in terms of functionality, intelligence, and usefulness in the last decade. Improved design, better and cheaper production materials, and more sophisticated software, and have all contributed to this improvement. However, perhaps the biggest recent development that has greatly enhanced the ability and uses of medical devices, is the use of technology to connect medical devices (including those implanted in humans) to the internet, to hospital systems, and to other devices. This makes it possible to make these devices smarter, to control them remotely if required, to monitor their activity and functioning, and to pause or alter their operation without having to remove them from the human body.

However, like all devices that come with internet connectivity, these connected medical devices come with one major potential harm – the vulnerability to hacking, malware, and/or viruses. Potentially, this could create havoc for health care providers and patients, as third-parties may be able to break into and dictate the functioning of medical devices such as drips or other implanted devices. This problem is not new either. Since 2012, the Food and Drug Administration of the USA (the “FDA”) has been increasing security infrastructure standards for all connected medical devices, and has been constantly warning manufacturers of potential threats.

Sure enough, a short while ago, the first major medical device manufacturer in the USA suffered from the threat of security breaches. On August, 30, 2017, the FDA announced the recall of approximately 465,000 pacemakers manufactured by Abbot (previously St. Jude Medical), due to the fear of security vulnerabilities being exploited by hackers. As per the FDA, if the vulnerabilities were left unremedied, hackers could reprogram the pacemakers to alter the heart rate of the patient and/or to drain the batteries quickly. Both scenarios could have potentially catastrophic effects.

Fortunately for Abbot, the vulnerabilities could be fixed via a firmware update that could be installed by health care providers in just 3 minutes. The pacemakers did not need to be removed from the patients’ bodies, as the update could be installed wirelessly. Further, Abbot was able to report that there had been no incidents of a security breach/hack before the firmware update was rolled out. Yet, this should not detract from the seriousness of the situation and the extent of the harm that could have been suffered by both the manufacturer and the patients. In light of this, we find it pertinent to take a deeper look at the different minds of medical devices available today, and the potential harm that can be caused through them if the current security infrastructure is not in place.

Medical Devices and Their Potential Harms

Medical devices, apart from being controlled remotely, are also great repositories of data. In order to be able to automatically adjust their own functionality, alert users/controllers at times of low battery, and to be able to provide efficient statistics as to the health of a patient, they have to constantly collect, monitor and analyse data from the patient’s body. This means that they contain sensitive personal information regarding patients’ medical conditions, bringing in the important aspect of data privacy.

Medical devices have been used for a variety of purposes – from diagnosis of multiple diseases, to studying patient’s conditions during treatment of diseases, and to ensuring patient adherence to a prescribed treatment plan. Perhaps, given the wide range of uses for connected medical devices, it will be easier to understand the problems that they may face, by taking a few examples:

  1. OpenAPS – Closed loop insulin delivery – This software, which can be used along with standard medical devices, allows patients to track data from their CGM (continuous glucose monitor), and use it to control/trigger their insulin pump whenever glucose levels demand the same. The patients PII is not owned by any third party here, but if hacked, this system could not only give hackers access to this information, but could also allow hackers to alter the trigger mechanism/program that controls when insulin is released to
  2. Activity trackers during cancer treatment – These devices are used to gather lifestyle data regarding patients, during their treatment from various forms of cancer. These are wearable devices (like many other activity trackers/smart watches), but they track the patient’s energy levels, fatigue, and appetite automatically. The data generated via these devices is usually accessible and analysed by doctors and other health care providers. In a disease where the treatment is actively changed depending on the patient’s reaction to the ongoing medication/therapy, such a device is extremely important. Additionally, it aids doctors to keep track of a patient’s lifestyle, to ensure that patients are taking care of themselves appropriately. Thus, this device places data privacy and security restrictions on doctors etc., with respect to the PII that they hold. Additionally, there is a responsibility on the manufacturers of such devices to ensure that the security infrastructure of the device is strong enough to protect it against hacks/malware. If hacked, not only will the critical data regarding a patient’s current condition be available to the hacker, but they can also alter the functioning of the device to change the readings. This could potentially prevent a cancer patient from receiving the correct follow-on treatment, which is critical to their health.
  • Connected inhalers – Devices like Propeller’s Breezhaler connect wirelessly to a digital platform available on the patient’s mobile phones and with the doctors as well. This helps in tracking the usage of the inhaler, sending reminders to the patient in case of sporadic usage, and ensuring patient adherence to a treatment plan. If such systems are hacked, patients and doctors could stop receiving accurate data regarding inhaler usage, potentially leading to non-adherence to treatment plans and a worsening of existing breathing problems.
  1. Parkinson’s – Pfizer and IBM have collaborated on Project Blue Sky, a planned clinical trial involving the use of a system of sensors, mobile devices, and machine learning to provide round-the-clock monitoring of the symptoms, development and progression of Parkinson’s in patients. Though more research oriented, such a system could potentially be extremely important in discovering a cure for Parkinson’s.

The above are only a few examples of connected medical devices available today. Yet some common themes run through all of them – (a) they all record and store sensitive personal information regarding patients in order to function; (b) they are all accessible remotely; and (c) this makes them vulnerable to hacking/malware etc. Considering the nature of the information stored on the devices, it becomes even more important for the manufacturers to ensure data security of the devices, and for the doctors/other entities storing and analysing the data to ensure its privacy and non-disclosure. No data security infrastructure is fool proof or completely protected from hackers. However, increased standards and more robust protection techniques could help in ensuring that these devices remain protected in the near future.

Author: Madhav Rangrass is an Associate with NovoJuris Legal.


InnoHealth 2017

Innovation in healthcare, medical technology, bio technology, pharmaceuticals, diagnostics, hospital management and many other sectors in health care are seeing tremendous innovations across the world.

India is drawing attention from such innovators who are viewing India as a large market, co-creation, collaborations, joint ventures etc.

In our humble way, we are enabling some of those entrepreneurial ambitions.

NovoJuris Legal along with InnovatioCuris is organizing InnoHealth 2017 at Bangalore. Many interesting companies from Finland, Sweden, Estonia, Latvia and other European countries are gathering to understand the healthcare industry landscape, how distribution works in India, the investment scene, regulatory framework for doing business in healthcare and many others.

Our amazing supporters are Honorary Consul of The Republic of Estonia, Bengaluru Chamber of Industry and Commerce, Karnataka Drugs and Pharmaceuticals Manufacturer’s Association.

This is on 21 September 2017. It is an exclusive, closed door discussion. If you are in distribution of healthcare products and wish to be part of this august gathering, do ping us – relationships@novojuris.com

You can read more here http://innohealth.in/innohealth-2017-bengaluru-session/