Late last month, India’s drug regulator unveiled a draft guidance document aimed at regulating “medical device software.” Industry stakeholders say the move is timely, given that medical devices are increasingly digital, which facilitates remote patient monitoring but also heightens vulnerability to cyber threats.
As healthcare becomes more interconnected, the medical device sector is advocating for clear government pathways that balance patient safety with industry growth. The Central Drugs Standard Control Organisation (CDSCO) document differentiates between ‘software as a medical device’ (SaMD) and ‘software in a medical device’ (SiMD). This distinction provides clarity for companies seeking permissions under the Medical Device Rules of 2017.
Pavan Choudary, Chairman of the Medical Technology Association of India (MTaI), highlighted the chaos within health-related applications, stating, “The app game has become extremely, extremely… frayed. And anybody is making any kind of claim.” However, he believes that innovations are just beginning, adding, “AI is the elephant in the room.”
Choudary also pointed out security concerns, particularly regarding devices imported from “hostile” nations, from which compromised products could be exported with embedded malware. “So without firing a single bullet, you can create a very hostile act,” he noted, emphasizing the need for ongoing monitoring and algorithm updates to mitigate risks.
He stressed the importance of data privacy, warning against the potential mishandling of patient information by insurance companies. To address cybersecurity challenges, MTaI advocates for national certification labs for medical software, collaborative threat intelligence in healthcare, and legal requirements for domestic data localization and encryption.
Rajiv Nath of the Association of Indian Medical Device Industry (AiMeD) added that existing quality management system (QMS) requirements do not sufficiently address information security. AiMeD recommends adopting ISO 27001 standards to align with global cybersecurity best practices.
There is growing recognition that software, once merely a component of medical devices, has evolved into a standalone medical device category. Shravan Subramanyam, Managing Director of BPL Medical Technologies, noted that while software embedded in devices is achieving maturity, the integration of connected medical devices offers significant advancements. He stated that systems like ICU equipment can collectively provide critical intelligence to clinicians.
Arbinder Singal, Head of Preventive and Remote Healthcare at PB Health, stressed that the guidelines must focus on safety and efficacy, reflecting industry insights while ensuring transparency and patient safety without hampering innovation. He noted that the guidelines should remain adaptable to the rapid evolution of technology.
Singal also elaborated on how software that operates various medical devices integrates into hospital information systems. He highlighted the expected proliferation of SaMD as an independent business class, similar to trends in the US. In his view, “patient invasive” software that impacts diagnosis or bodily functions is categorized under Class A, while Class B includes products like Fitterfly, which focuses on diabetes management through integrated data.
Himanshu Baid, Managing Director of Poly Medicure, underscored the necessity for standardized guidelines for medical software while raising concerns about data privacy, advocating that the data generated in India remain within the country. He called for increased resources at CDSCO, which is tasked with overseeing pharmaceuticals, biologics, medical devices, and now software.
The ongoing evolution of medical device software regulation reflects the complexities of balancing innovation with patient safety and cybersecurity in a rapidly advancing technological landscape.






