This article is the second in our "Trends in digital health" series.
Digital health partnerships between Technology and Life Sciences companies come in many forms, including health app development projects, drug discovery using AI, drug device combination products (such as e-enabled inhalers), and the use of SaaS, cloud and outsourcing.
Traditionally, the Life Sciences sector has seen lower engagement levels with technology services compared to other sectors. Recently, the sector has become more technology driven but barriers remain and negotiations can often become fraught. This is often due to how the Life Sciences sector adopts and deploys technology and the perception that regulatory requirements constrain the use of technology and outsourcing. The cultural differences between the two sectors are also often cited as a serious impediment.
Medical devices, diagnostics and pharmaceuticals are heavily regulated, covering everything from development through to manufacturing, marketing, distribution and vigilance. To assist compliance and raise standards, various “good practices” known as “GxP Standards” have been developed and mandated.
These requirements are increasing. Part of the revolution posed by the new European Medical Devices Regulation (“MDR”), which came into force in May 2021, is an increased focus on the conduct of all “economic operators” involved in the importation and distribution of medical devices. Such economic operators may well include suppliers of technology and outsourcing services that underpin the regulated Life Sciences entity’s core products and services.
Regulatory implications when deploying “healthtech”
Increased regulation and the application of technology in providing healthcare (i.e. “healthtech”), e.g. app-based health platforms like “GP On Demand”, AI algorithms like those used by Google (DeepMind) and diagnostic tools like vital signs detection systems, mean that it is common for technology services to be subject to healthcare regulation.
Companies that offer healthtech solutions may unknowingly be releasing unauthorised medical devices. This can be common in diagnostic healthtech, given an app or system that makes a prediction, prognosis or suggests responses may be considered “diagnostic” (and therefore regulated). For example, modifying an existing product to add the functionality of an electronic data capture system to add a suggestion that the user “Check with your Doctor” in response to a data input would likely cross the regulatory line.
For tech firms, this risk is more likely to arise on application development projects for healthcare providers (e.g. NHS Trusts or NHS Digital) or producers of diagnostic tools, particularly when the tech firm’s use of proprietary systems coupled with bespoke “green field” development is used by its customer to operate a healthcare service. Suppliers may find that its solutions (or modifications) are classified as a medical device and subject to complex regulatory approval processes and ongoing post-market surveillance which leads to increased costs and governance.
Given the danger of putting unauthorised medical devices on the market (which is an offence), suppliers designing and implementing healthtech systems should carefully consider whether their product may constitute a medical device. If unsure about internal compliance procedures, suppliers should seek specific advice at an early stage to avoid non-compliance, ensure they can seek appropriate certifications and comply with the applicable medical device laws.
For further information on this topic, you can watch a recording of our webinar, "Is my health app illegal?", here.
Technology & outsourcing in Life Sciences
Pharmaceutical and medical device companies are increasingly reliant on technology solutions for the development, manufacture, distribution and monitoring of their products. Such systems and infrastructure must enable them to meet their regulatory requirements and this includes validating all changes before implementation. If it becomes clear (e.g. in an audit) that a Life Sciences company or a particular product relies on an IT system that is not adequate, the consequences can be profound, including recalls, suspension of sales whilst new approval is obtained, or the deployment of a fix with inevitable downtime for customers and patients. This could even be as “minor” as a concern as regards the integrity of relevant clinical data.
With the consequences of non-compliance being severe (and costly), Life Sciences companies increasingly ask technology providers to provide their products and services in accordance with regulatory standards and guidelines. For example, a customer may require the supplier to ensure (via contractual warranties) that the services are provided “in accordance with GxP standards”. Often, this approach is not acceptable for a supplier, while for the customer this (very high-level) approach will often not ensure compliance. Instead, the way for customers to comply is more nuanced. It requires more thought as to the applicability of the services in question and, if relevant, a considered flow-through of appropriate terms and rights into the contract.
For example, an IT supplier may provide hosting and support services for a Life Sciences customer, and the suite of hosted applications and data may support the customer’s GxP compliance. GxP standards may require the customer to have readily available access to its data systems that handle regulated data (e.g. clinical trials or patient data). The supplier may propose its standard solution that works in other industries, but the Life Sciences customer will need to conduct a gap analysis to ascertain whether the proposed solution/functionality meets its regulatory obligations for data access and integrity. If not, the customer may need to set out specific technical requirements that meet its regulatory need. In the case of data access, it could be that the service needs to allow the customer to extract its data at any time, which may require a different system architecture and more tailored solution (e.g. APIs and extraction tools). The supplier will understand the technical requirement and will usually be able to design it into a tailored solution for the customer.
Another example that is increasingly relevant to Life Sciences companies is the subject of cybersecurity. In January 2020, the European Commission issued Guidance on Cybersecurity for medical devices, introducing the cybersecurity by design concept for medical device companies. The guidance applies to all medical devices currently on the market and imposes specific cybersecurity obligations on organisations in the Life Sciences sector. It also requires companies to verify and validate that their IT supplier’s cybersecurity approach complies with the guidance. Where the customer is an NHS entity, it is likely to ask the supplier to comply with a wide array of regulations and guidance. These should be carefully considered and in many instances, new regulatory requirements should be the subject of contractual change control. Following the European Commission’s guidance, the NHS has published a wide array of tools, such as the NHSX Digital Health Technology Standard and the NHS Data Security and Protection Toolkit to promote and encourage compliance.
These examples show it is not sufficient for the customer, nor appealing to the supplier, to include broad high-level compliance requirements, e.g. to “comply with GxP standards”. Instead of IT suppliers taking on broader (and more onerous) contractual obligations to address regulatory problems, both parties need to better understand these issues to focus on how compliance can be implemented (e.g. solution design, delivery requirements) rather than simply allocating the risk of non-compliance, so that the end solution is more likely to comply with medical device, pharma product or healthcare regulation.
It is often unclear how Life Sciences regulation may apply to a technology system or outsourced service. Traditionally, this has meant that the approach to addressing regulatory compliance at the convergence of Life Sciences and Technology has been highly challenging. Moving forward, it is vital that the Life Sciences and Technology sectors engage with each other more to understand the regulatory hurdles in healthtech. Only then will these sectors be able to leverage opportunities promised by the range of healthtech, IT and outsourcing solutions available in the market.