Sex Differences in Clinical Trial Recruiting

The following article investigates several systematic reviews into sex and gender representation in individual clinical trial patient populations. In these studies sex ratios are assessed and evaluated by various factors such as clinical trial phase, disease type under investigation and disease burden in the population. Sex differences in the reporting of safety and efficacy outcomes are also investigated. In many cases safety and efficacy outcomes are pooled, rather than reported individually for each sex, which can be problematic when findings are generalised to the wider population. In order to get the dosage right for different body compositions and avoid unforeseen outcomes in off label use or when a novel therapeutic first reaches the market, it is important to report sex differences in clinical trials. Due to the unique nuances of disease types and clinical trial phases it is important to realise that a 50-50 ratio of male to female is not always the ideal or even appropriate in every clinical study design. Having the right sex balance in your clinical trial population will improve the efficiency and cost-effectiveness of your study. Based upon the collective findings a set of principles are put forth to guide the researcher in determining the appropriate sex ratio for their clinical trial design.

Sex difference by clinical trial phase

  • variation in sex enrolment ratios for clinical trial phases
  • females less likely to participate in early phases, due to increased risk of adverse events
  • under-representation of women in phase III when looking at disease prevalence

It has been argued that female representation in clinical trials is lacking, despite recent efforts to mitigate the gap. US data from 2000-2020 suggests that trial phase has the greatest variation in enrolment when compared to other factors, with median female enrolment being 42.9%, 44.8%, 51.7%, and 51.1% for phases I, I/II to II, II/III to III, and IV4. This shows that median female enrolment gradually increases as trials progress, with the difference in female enrolment between the final phases II/III to III and IV being <1%. Additional US data on FDA approved drugs including trials from as early as 1993 report that female participation in clinical trials is 22%, 48%, and 49% for trial phases I, II, and III respectively2. While the numbers for participating sexes are almost equal in phases II and III, women make up only approximately one fifth of phase I trial populations in this dataset2. The difference in reported participation for phase I trials between the datasets could be due to an increase in female participation in more recent years. The aim of a phase I trial is to evaluate safety and dosage, so it comes as no surprise that women, especially those of childbearing age, are often excluded due to potential risks posed to foetal development.

In theory, women can be included to a greater extent as trial phases progress and the potential risk of severe adverse events decreases. By the time a trial reaches phase III, it should ideally reflect the real-world disease population as much as possible. European data for phase III trials from 2011-2015 report 41% of participants being female1, which is slightly lower than female enrolment in US based trials. 26% of FDA approved drugs have a >20% difference between the proportion of women in phase II & III clinical trials and the prevalence of women in the US with the disease2, and only one of these drugs shows an over-representation of women.

Reporting of safety and efficacy by sex difference

  • Both safety and efficacy results tend to differ by sex.
  • Reporting these differences is inconsistent and often absent
  • Higher rates of adverse events in women are possibly caused by less involvement or non stratification in dose finding and safety studies.
  • There is a need to enforce analysis and reporting of sex differences in safety and efficacy data

Sex differences in response to treatment regarding both efficacy and safety have been widely reported. Gender subgroup analyses regarding efficacy can reveal whether a drug is more or less effective in one sex than the other. Gender subgroup analyses for efficacy are available for 71% of FDA approved drugs, and of these 11% were found to be more efficacious in men and 7% in women2. Alternatively, only 2 of 22 European Medicines Agency approved drugs examined were found to have efficacy differences between the sexes1. Nonetheless, it is important to study the efficacy of a new drug on all potential population subgroups that may end up taking that drug.

The safety of a treatment also differs between the sexes, with women having a slightly higher percentage (p<0.001) of reported adverse events (AE) than men for both treatment and placebo groups in clinical trials1. Gender subgroup analyses regarding safety can offer insights into the potential risks that women are subjected to during treatment. Despite this, gender specific safety analyses are available for only 45% of FDA approved drugs, with 53% of these reporting more side effects in women2. On average, women are at a 34% increased risk of severe toxicity for each cancer treatment domain, with the greatest increased risk being for immunotherapy (66%). Moreover, the risk of AE is greater in women across all AE types, including patient-reported symptomatic (female 33.3%, male 27.9%), haematologic (female 45.2%, male 39.1%) and objective non-haematologic (female 30.9%, male 29.0%)3. These findings highlight the importance of gender specific safety analyses and the fact that more gender subgroup safety reporting is needed. More reporting will increase our understanding of sex-related AE and could potentially allow for sex-specific interventions in the future.

Sex differences by disease type and burden

  • Several disease categories have recently been associated with lower female enrolment
  • Men are under-represented as often as women when comparing enrolment to disease burden proportions
  • There is a need for trial participants to be recruited on a case-by-case basis, depending on the disease.

Sex differences by disease type

When broken down by disease type, the sex ratio of clinical trial participation shows a more nuanced picture. Several disease categories have recently been associated with lower female enrolment, compared to other factors including trial phase, funding, blinding, etc4. Women comprised the smallest proportions of participants in US-based trials between 2000-2020 for cardiology (41.4%), sex-non-specific nephrology and genitourinary (41.7%), and haematology (41.7%) clinical trials4. Despite women being

proportionately represented in European phase III clinical studies between 2011-2015 for depression, epilepsy, thrombosis, and diabetes, they were significantly under-represented for hepatitis C, HIV, schizophrenia, hypercholesterolaemia, and heart failure and were not found to be overrepresented in trials for any of the disease categories examined1. This shows that the gap in gender representation exists even in later clinical trial phases when surveying disease prevalence, albeit to a lesser extent. Examining disease burden shows that the gap is even bigger than anticipated and includes the under-representation of both sexes.

Sex Differences by Disease Burden

It is not until the burden of disease is considered that men are shown to be under-represented as often as women. Including burden of disease can depict proportionality relative to the variety of disease manifestations between men and women. It can be measured as disability-adjusted life years (DALYs), which represent the number of healthy years of life lost due to the disease. Despite the sexes each making up approximately half of clinical trial participants overall in US-based trials between 2000-2020, all disease categories showed an under-representation of either women or men relative to disease burden, except for infectious disease and dermatologic clinical trials4. Women were under-represented in 7 of 17 disease categories, with the greatest under-representation being in oncology trials, where the difference between the number of female trial participants and corresponding DALYs is 3.6%. Men were under-represented compared with their disease burden in 8 of 17 disease categories, with the greatest difference being 11.3% for musculoskeletal disease and trauma trials.4 Men were found to be under-represented to a similar extent to women, suggesting that the under-representation of either sex could be by coincidence. Alternatively, male under-representation could potentially be due to the assumption of female under-representation leading to overcorrection in the opposite direction. It should be noted that these findings would benefit from statistical validation, although they illustrate the need for clinical trial participants to be recruited on a case-by-case basis, depending on the disease.

Takeaways to improve your patient sample in clinical trial recruiting:

  1. Know the disease burden/DALYs of your demographics for that disease.
  2. Try to balance the ratio of disease burden to the appropriate demographics for your disease
  3. Aim to recruit patients based on these proportions
  4. Stratify clinical trial data by the relevant demographics in your analysis. For example: toxicity, efficacy, adverse events etc should always be analyses separately for male and female to come up wit the respective estimates.
  5. Efficacy /toxicity etc should always be reported separately for male and female. reporting difference by ethnicity is also important as many diseases differentially affect certain ethnicity and the corresponding therapeutics can show differing degrees of efficacy and adverse events.

The end goal of these is that medication can be more personalised and any treatment given is more likely to help and less likely to harm the individual patient.

Conclusions

There is room for improvement in the proportional representation of both sexes in clinical trials and knowing a disease demographic is vital to planning a representative trial. Assuming the under-representation is on the side of female rather than male may lead to incorrect conclusions and actions to redress the balance. Taking demographic differences in disease burden into account when recruiting trial participants is needed. Trial populations that more accurately depict the real-world populations will allow a therapeutic to be tailored to the patient.

Efficacy and safety findings highlight the need for clinical study data to be stratified by sex, so that respective estimates can be determined. This enables more accurate, sex/age appropriate dosing that will maximise treatment efficacy and patient safety, as well as minimise the chance of adverse events. This also reduces the risks associated with later off label use of drugs and may avoid modern day tragedies resembling the thalidomide tragedy. Moreover, efficacy and adverse events should always be reported separately for men and women, as the evidence shows their distinct differences in response to therapeutics.

References:

1. Dekker M, de Vries S, Versantvoort C, Drost-van Velze E, Bhatt M, van Meer P et al. Sex Proportionality in Pre-clinical and Clinical Trials: An Evaluation of 22 Marketing Authorization Application Dossiers Submitted to the European Medicines Agency. Frontiers in Medicine. 2021;8.

2. Labots G, Jones A, de Visser S, Rissmann R, Burggraaf J. Gender differences in clinical registration trials: is there a real problem?. British Journal of Clinical Pharmacology. 2018;84(4):700-707.

3. Unger J, Vaidya R, Albain K, LeBlanc M, Minasian L, Gotay C et al. Sex Differences in Risk of Severe Adverse Events in Patients Receiving Immunotherapy, Targeted Therapy, or Chemotherapy in Cancer Clinical Trials. Journal of Clinical Oncology. 2022;40(13):1474-1486.

4. Steinberg J, Turner B, Weeks B, Magnani C, Wong B, Rodriguez F et al. Analysis of Female Enrollment and Participant Sex by Burden of Disease in US Clinical Trials Between 2000 and 2020. JAMA Network Open. 2021;4(6):e2113749.

Medical Device Categorisation, Classification and Regulation in the United Kingdom

Contributor: Sana Shaikh

In this article

  • Overview of medical device categorisations and classifications for regulatory purposes in the United Kingdom
  • Summary of medical devices categorisations based on type, usage and risk potential during use as specified in the MDR and IVDR.
  • The class of medical device and its purpose determines the criteria required to meet regulatory approval. All medical devices in the UK must have a UKCA or CE marking depending on the legislation the device has been certified under.
  • Explanation of risk classifications for general medical devices and active implantable devices
  • Explanation of risk classifications for in vitro diagnostics

In the UK and EU medical devices are regulated under the Medical Devices Regulation (MDR) or In Vitro Diagnostics Regulation (IVDR) depending upon which category they fall under. In the UK it is the Medicines and Healthcare Products Regulatory Agency (MHRA) that is responsible for new product approval and market surveillance activities related to medical devices and other therapeutics, such as pharmaceuticals, intended for use in patients within the UK. The equivalent regulatory agency in the EU is the European Regulatory Agency (EMA). The MHRA also manages the Early Access to Medicines Scheme (EAMS) to enable patients access to pre-market therapeutics that are yet to receive regulatory approval where their medical needs are currently unmet by existing options. To qualify for EAMS a medicine must be designated as a Promising Innovative Medicine (PIM) based on early clinical data.

Having a thorough understanding of the classification and class of your medical device is vital for it to undergo the appropriate assessment route and be approved and ready for market. While the scope of medical devices is incredibly broad, for regulatory purposes they tend to be classified based on device type, duration of use and level of risk. Which risk class a device falls into will be determined in a large part by device type and duration of use, as both of these factors influence the level of risk to the patient. All medical devices in the UK must be designated a category and a risk classification in order to undertake the regulatory approval process.

Category (type) of Medical Device

The MHRA categorises medical devices into the following 5 categories:

  • Non-invasive – Devices which do not enter the body
  • Invasive – Devices which in whole or part are inserted into the body’s orifices (including the external eyeball surface) or through the surface or the body such as the skin.
  • Surgically invasive – Devices used or inserted surgically that penetrate the body through the surface of the body, such as through the skin.
  • Active – Devices requiring an external source of power, including stand-alone software.
  • Implantable – Devices intended to be totally or partially introduced into the human body (including to replace an epithelial surface or the surface of the eye) by surgical intervention and to remain in place for a period of time.

Duration of use category

Medical devices are then further categorised based upon their intended duration of use under normal circumstances.

  • Transient – intended for less than 60 minutes of continuous use.
  • Short term – intended for between 60 minutes to 30 days of continuous use.
  • Long term – intended for more than 30 days continuous use.

More information to aid accurate medical device categorisation in the UK and EU can be downloaded here: Medical devices: how to comply with the legal requirements in Great Britain – GOV.UK (www.gov.uk)

UKCA Mark & Conformity Assessment

Further to these use, duration and risk categories the HPRA designates 3 additional categories for the purposes of UKCA Mark and conformity assessment. These categories for the are:

  • General medical devices – most medical devices fall into this category.
  • Active implantable devices – devices powered by implants or partial implants intended to remain in the human body after a procedure.
  • In vitro diagnostics medical devices (IVDs) – equipment or system used in vitro to examine specimens from the human body.

UKCA mark and conformity assessment and subsequent labelling is a crucial procedure for a device to enter the UK market for use by patients. It should be noted that the UKCA mark is not recognised in the EU or Northern Ireland, who instead recognise the CE mark. Great Britain will not recognise the CE mark after 30 June 2023, thus it will be important to have both the UKCA and CE mark for widespread distribution of a medical device. These incompatibilities seem to have arisen largely as a result of Brexit.

Risk classification categories for general medical devices and active implantable devices

In The UK and EU there are 4 official risk-related classes for medical devices. These classes apply to both general medical devices and active implantable devices. As noted previously, the class a device falls into is largely informed by the category and the intended duration of use for the device.

  • Class I , which includes the subclasses Class Is (sterile no measuring function), Class Im (measuring function), and Class Ir (devices to be reprocessed or reused). Low risk of illness/injury resulting from use. Only self-assessment required to meet regulatory approval.
  • Class IIa Low to medium risk of illness/injury resulting from use. Notified Body approval required.
  • Class IIb Medium to high risk of illness/injury resulting from use. Notified Body approval required.
  • Class III high potential risk of illness/injury resulting from use. Notified Body approval required.

More details on these classes can be found below.

In Vitro Diagnostic Medical Devices (IVDs)

The IVDR categorise IVDs in to the following categories for the purpose of obtaining regulatory approval in Great Britain. IVDs do not harm patients directly in the same way that other medical devices can and are thus subject to different risk assessment.

  • General IVD medical devices
  • IVDs for self-testing – intended to be using by an individual at home.
  • IVDs stated in Part IV of the UK MDR 2002, Annex II List B
  • IVDs stated in Part IV of the UK MDR 2002, Annex II List A

A more detailed explanation of these categories can be found towards the end of this article.

The EU and Northern Ireland has moved away from this list style of classification and has recently implemented the following risk classes. There are 4 IVDR risk classes outlined in Annex VIII. It seems likely that Great Britain may follow this in future.

Risk Classes for IVDs

  • Class A – Laboratory devices, instruments and receptacles.
  • Class B – All devices not covered in the other classes.
  • Class C – High risk devices presenting a lower direct risk to the patient population. Includes diagnostic devices where failure to accurately diagnose could be life-threatening. Covers companion diagnostics, genetic screening and some self-testing.
  • Class D – Devices that pose a high direct risk to the patient population, and in some cases the wider population, relating to life threatening conditions, transmissible agents in blood, biological materials for transplantation in to the human body and other similar materials.

Risk categories for general medical devices and active implantable medical devices in detail

Class I devices

These are generally regarded as low risk devices and pose little risk of illness and injury. Such devices have minimal contact with patients and the lowest impact on patient health outcomes. To self-certify your product, you must confirm that it is a class I device1,3. This may involve carrying out clinical evaluations, notifying the Medicines and Healthcare products Regulatory Agency (MHRA) of proposals to perform clinical investigations, preparing technical documentation and drawing up a declaration of conformity1. In cases where the device includes sterile products or measuring functions, approval from a UK Approved Body may still be necessary3. Devices in this category include thermometers, stethoscopes, bandages and surgical masks.

Class IIa & IIb devices

Class IIa devices are generally regarded as medium risk devices and pose moderate risk of illness and injury. Both class IIa and IIb devices must be declared as such by applying to a UK Approved Body and performing a conformity assessment3, 4. For class IIa and IIb devices, there are several assessments. These include examining and testing the product or a homogenous batch of products, auditing the production quality assurance system, auditing the final inspection and testing or auditing the full quality assurance system3. include dental fillings, surgical clamps and tracheotomy tubes4 Class IIb devices include lung ventilators and bone fixation plates4.

Class III devices

These are considered high risk devices and pose substantial risk of illness and injury. Devices in this category are essential for sustaining human life and Due to the high-risk associated with class III devices, they are subject to the strictest regulations. In addition to the class IIa and IIb assessments, class III devices require a design dossier examination3. include pacemakers, ventilators, drug-coated stents and spinal disc cages.

Risk Categories for In Vitro Diagnostics in detail

These include but are not limited to reagents, instruments, software and systems intended for in vitro examination of specimens such as tissue donations and blood4. Most IVDs do not require intervention from a UK Approved Body5. However, for IVDs that are considered essential to health, involvement of a UK Approved Body is necessary5. The specific conformity assessment procedure depends on the category of IVD concerned5.

General IVDs

These are considered a low risk to patients and include clinical chemistry analysers, specimen receptacles and prepared selective culture media4. For general IVDs, involvement from a UK Approved Body is not required5. Instead, relevant provisions in the UK MDR 2002 must be met and self-declared prior to adding a UKCA mark to the device5,6.

IVDs for self-testing

These represent a low-to-medium risk to patients and include pregnancy self-testing, urine test strips and cholesterol self-testing4. In addition to conforming to requirements for general IVDs, applications for IVDs involved in self-testing must be sent to a UK Approved Body5. This enables examination of the design of the device, such as how suitable it is for non-professional users5.

IVDs stated in Part IV of the UK MDR 2002, Annex II List B

These represent medium-to-high risk to patients and include blood glucose self-testing, PSA screening and HLA typing4. Applications for devices in this category must be sent to a UK Approved Body5. This can enable auditing of technical documentation and the quality management system6.

IVDs stated in Part IV of the UK MDR 2002, Annex II List A.

These represent the highest risk to patients and include Hepatitis B blood-donor screening, ABO blood grouping and HIV blood diagnostic tests4. Due to the high risk associated with IVDs in this category, applications for devices in this category must be sent to a UK Approved Body5. By doing so, an audit of the quality management system can be performed as well as a design dossier review6. In addition, the UK Approved Body must verify each product or batch of products prior to being placed on the market5,6.

Proposed updates to medical device categories in the UK

Due to the quickly evolving state of medical technology, many items that did not previously count as a medical device, such as software and AI, are now needing to be considered as such. New proposals have been put forward as potential amendments to the existing regulations and risk classifications to accommodate newer technologies and devices. Among other proposed changes the following list of novel devices has been recommended for upgrade to the classification of highest risk Class III.

  • Active implantable medical devices and their accessories
  • in vitro fertilisation (IVF) and Assisted reproduction technologies (ART)
  • Surgical meshes
  • total or partial joint replacements
  • spinal disc replacements and other medical devices that come into contact with the spinal column
  • medical devices containing nano-materials
  • medical devices containing substances that will be introduced to the human body by one of various methods of absorption in order to achieve their intended function.
  • Active therapeutic devices with an integrated diagnostic function determining patient management such as closed loop or automated systems.

With the shift to a higher risk classification will come increased demand of clinical evidence and clinical testing, including clinical trials, in order for these devices to meet regulatory approval and reach the market. While an increased burden for the manufacturer this will be to the benefit patient safety and satisfaction for the end users. A full list of the proposed changes, including those outside of Class III, can be found here: Chapter 2: Classification – GOV.UK (www.gov.uk)

Medical devices are incredibly heterogenous, ranging from therapeutics and surgical tools to diagnostics and medical imaging software including machine learning and AI. Accordingly, medical device research and development often requires an interdisciplinary approach. During R&D, it is important to consider for whom the device is intended, how it will be used, and under what circumstances. Similarly, it is crucial to understand the risk status of the device. By considering these attributes, the device can be successfully assessed through the appropriate regulatory approval pathway.

References

Factsheet: medical devices overview – GOV.UK (www.gov.uk)

[1] https://www.gov.uk/government/collections/guidance-on-class-1-medical-devices

[2] https://www.gov.uk/guidance/medical-devices-how-to-comply-with-the-legal-requirements

[3] https://www.gov.uk/guidance/medical-devices-conformity-assessment-and-the-ukca-mark

[4] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/640404/MDR_IVDR_guidance_Print_13.pdf[5] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/946260/IVDD_legislation_guidance_-_PDF.pdf

[5] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/946260/IVDD_legislation_guidance_-_PDF.pdf

[6] https://www.bsigroup.com/meddev/LocalFiles/en-IN/Technologies/BSI-md-ivd-diagnostic-directive-guide-brochure-UK-EN.pdf

Regulation of Connected Medical Devices and IOmT

Collection and transmission of personal biologic and health information via IOmT connected medical devices requires regulatory oversight and has cybersecurity implications.

Connected medical devices (CMDs) can produce and transmitting patient data, allowing their condition to be monitored by healthcare professionals. They are often used in decentralised clinical trials (DCTs) outside of the clinical trial site, allowing for participants who wouldn’t usually be able to attend. CMDs have led to the Internet of Medical things, a connected network of systems and which produce, transmit and analyse patient data.

CMDs and IoMT have countless applications in the healthcare and medical technology (Medtech) industries, however these devices are susceptible to cyber-attacks and data leaks. These attacks include stealing and selling private patient data to third parties, denial of service (DOS) attacks, and altering medical data which can lead to improper diagnoses and treatments.

It has been suggested by multiple authors that CMDs and other wearable activity trackers are prone to cyber-attack is that data security and privacy issues are often not considered during their development (1). Regulations for the development of CMDs in the UK fall under two categories: regulations concerning medical devices in general, and regulations concerning IoMT including data protection and cybersecurity. Medtech companies must follow both types of regulations if they wish to sell CMDs in the UK and abroad. Here we discuss the current regulations for CMDs in the UK, how they may change in response to these security issues, and how this will impact clinical trials and the approval of CMDs.

Current Device Regulations

Regulations for medical devices in the UK need to be updated to better cover the risks associated with CMDs, as many of these devices can enter the UK market with little-to-no regulatory approval especially in terms of data security. Manufacturers currently need only a Conformité Européenne (CE) mark to be sold in the EU (1). With CE marking, devices are classified according to risk from lowest (Class I) to highest (Class III), with class I devices allowed to enter the market without prior data regarding their safety in the US, EU and Japan. Devices placed in class IIb or III must carry out an audit of the whole quality assurance system or undergo an “Annex III” examination which can include examination of each product/batch, audit of the final inspection, or an audit of the production quality assurance system (2). Clinical trials to evaluate the conformity of CMDs to medical device regulations will have at least one of the following aims: (a) to verify that under normal usage, the device achieves the performance intended by the manufacturer, (b) to establish its clinical benefit as specified by the manufacturer, and (c) to establish its clinical safety (3). Many wearable devices e.g. smartwatches and activity trackers can skip regulatory approval as they aren’t currently classed as CMDs, however to be utilised in DCTs, they will need to be approved as medical devices (4).

In the UK and EU, the General Data Protection Regulation (GDPR) covers the use of medical data, as well as the Data Protection Act 2018 (DPA) in the UK as of 1 January 2021 (5). These regulations prohibit the disclosure of private data to third parties without the patient’s consent and can only be used without consent in the case of direct care and healthcare quality improvement projects. On the 24th of November 2021, the UK government issued the Product Security and Telecommunications Infrastructure (PSTI) Bill to place increased cybersecurity standards on technology companies (6). Requirements of PSTI include banning default and weak passwords, investigation of compliance failures and being transparent about fixes to security issues, with hefty fines in place if these rules aren’t followed. These regulations will force Medtech companies to constantly update devices and software found to be at risk of cyber-attack, as well as keeping the public informed on the updates. In addition, NHS-contracted organisations need to follow the NHS Code of Confidentiality and Code of Practice (5). Medtech companies hoping to sell in the UK should ensure their device meets these NHS requirements, and the NHS Data Security and Protection Toolkit 2021 states that healthcare organisations must keep an inventory of CMDs in their network (7). While these regulations prevent CMD developers from directly releasing data to third parties, they will not prevent cyber-attacks.

On the 26th of June 2022, the UK Government had a press release in which they discussed future regulatory changes regarding CMDs and data security (8). As of the 30th of June 2023, CMDs will need to carry a UK Conformity Assessed (UKCA) marking to be sold in the UK instead of the current CE markings. The UKCA marking is not recognised by the EU market as it only complies to the UK Supply of Machinery (Safety) Regulations 2008 (9), meaning Medtech companies hoping to enter both markets will need to follow the regulations of both markings. In addition, the government intends to introduce pre-market regulations similar to the EU MDR General Safety and Performance Requirement (GSPR) 17.4 regarding cyber security for medical devices. Following this regulation, hardware, IT networks and security measures must meet minimum requirements including protection against unauthorised access needed to allow the software to run efficiently (10).

Potential future intersection between regulations for cybersecurity & medical devices.

Where regulation may fall short of innovation in the changing landscape and possible solutions

Currently, medical device regulations such as the Conformité Européenne (CE) and UKCA markings don’t intersect with cybersecurity and data protection regulations, meaning CMDs can currently be sold in the UK despite being susceptible to data leaks. There is no evidence to suggest that this will change soon, however possible future rules to combine these types of regulation may include classing data security as a component of patient safety in clinical trials. In addition, pre-market trials of CMD cybersecurity could be performed using simulated malware to test for vulnerabilities in CMDs, including software and AI networks (1). These regulations will force Medtech companies to consider the cybersecurity of their devices more strongly during the design and production stages of development, preventing cyber-attacks instead of retroactive changes following data leaks.

CMDs have revolutionised modern healthcare, however IoMT is still in its infancy and cybersecurity risks and subsequent regulatory changes are to be expected. These changes will likely stall the development and sale of CMDs due to increased care during development and stricter pre-market trials, however regulations are necessary to ensure patient data remains private for the safety and security of the public.

References:

1)     Hernández-Álvarez L, Bullón Pérez JJ, Batista FK, Queiruga-Dios A. Security Threats and Cryptographic Protocols for Medical Wearables. Mathematics. 2022 Mar 10;10(6):886. – Available from: https://doi.org/10.3390/math10060886

2)     CE Marking – Medical Devices Class III [Internet] 2021 – Available from: http://www.ce-marking.com/medical-devices-class-iii.html

3)     Reuschlaw – Need for clinical trials in accordance with the MDR [Internet] 2021 – Available from: https://www.reuschlaw.de/en/news/need-for-clinical-trials-in-accordance-with-the-mdr/

4)     Sato T, Ishimaru H, Takata T, Sasaki H, Shikano M. Application of Internet of Medical/Health Things to Decentralized Clinical Trials: Development Status and Regulatory Considerations. Frontiers in Medicine. 2022;9. doi: 10.3389/fmed.2022.903188

5)     TaylorWessing – Medical devices in the UK – the data protection angle [Internet] 2020 – Available from: https://globaldatahub.taylorwessing.com/article/medical-devices-in-the-uk-the-data-protection-angle

6)     Info Security Magazine – UK Introduces New Cybersecurity Legislation for IoT Devices [Internet] 2021 – Available from: https://www.infosecurity-magazine.com/news/uk-cybersecurity-legislation-iot/

7)     Core to Cloud – New mandatory cybersecurity requirements for medical devices [Internet] 2021 – Available from: https://www.coretocloud.co.uk/new-mandatory-cybersecurity-requirements-for-medical-devices/

8)     UK Government press release – UK to strengthen regulation of medical devices to protect patients [Internet] 2022 – Available from: https://www.gov.uk/government/news/uk-to-strengthen-regulation-of-medical-devices-to-protect-patients

9)     Make UK – CE Marking vs UKCA Marking – What does it mean? [Internet] 2020 – Available from: https://www.makeuk.org/insights/blogs/ce-marking-vs-ukca-marking

10)  EU Medical Device Regulation – ANNEX I – General safety and performance requirements [Internet] 2019 – Available from: https://www.medical-device-regulation.eu/2019/07/23/annex-i-general-safety-and-performance-requirements/

Cybersecurity Considerations for Connected Medical Devices and the “Internet of Medical Things”

Cybersecurity for IOmT connected medical devices.

Advancements in technology of the past few decades has led to the development of devices capable of connecting to one another via networks such as Wi-Fi and Bluetooth, allowing them to create, transmit and receive data between one another. Medical technology (Medtech) companies have utilised these features to develop connected medical devices. These devices can transmit patient data such as heart rate, blood glucose levels and sleep patterns, which can be monitored by healthcare professionals and clinical trials companies, allowing for accurate remote oversight of a patient’s condition for quick and accurate diagnoses and treatment from anywhere.

The existence of connected medical devices has led to the Internet of Medical Things (IoMT), the connected network of health systems and services able to produce, transmit and analyse clinical data, which is changing the shape of healthcare and clinical trials globally.

Despite the clear potential of IoMTs in the healthcare system, there are several factors affecting the development of connected medical devices and their uptake by the public. Worries regarding the security of their private clinical data in the light of cybersecurity attacks over the past decade, and subsequent data protection regulations put in place to prevent further leaks and their potential impact on future innovations in the medtech industry.

Connected Medical Devices and the Internet of Medical Things (IoMT)

There are over 500,000 connected medical devices (CMDs) currently on the market (1), which can be split into three key groups; stationary medical devices typically found in hospitals such as CT and MRI scanners, implanted medical devices such as pacemakers and defibrillators to monitor a patient’s condition more closely, and wearable medical devices such as smartwatches that track patient activity and insulin pumps (1). Many technology companies, including those which wouldn’t be classified as Medtech (Apple, Nike, Huawei) produce smart devices which produce data surrounding user activity such as exercise, heart rate and quality of sleep. In November 2021, the FDA authorised the first prescription-use VR system for chronic lower back pain, further highlighting the increasing opportunities for CMDs in healthcare (2). Artificial intelligence (AI) and machine learning (ML) algorithms can also be classed under CMDs, capable of automated learning using neural networks to search and analyse data much faster (3). These AI are commonly used to search for novel patterns in data, diagnoses and predicting outcomes, and optimising patient treatments and are commonly used in clinical trials (3).

These devices, the data they produce and the development of software capable of compiling and analysing this data has led to the creation of the Internet of Medical Things (IoMT), which has the potential to revolutionise healthcare (1). IoMT allows healthcare professionals to monitor patients in real time from anywhere, increasing the speed and accuracy of diagnoses and treatment. General uptake of IoMT in healthcare may improve disease and drug management, leading to better patient outcomes and decreased costs to healthcare providers.

Medical Devices and Clinical Trials

CMDs have allowed for hybrid and decentralised clinical trials (DCTs), in which trials take place remotely from patient’s homes and during their daily lives instead of on a trial site. The prevalence of DCTs have increased significantly since the start of the COVID-19 pandemic, in which patient access to clinical trials was reduced by 80% and monthly trial starts decreased by 50% (4).

DCTs allow patients to take part who would usually be unable to participate due to geographical or time limitations, while reducing time spent on-site. According to a study by CISCRP, 60% of patients see the location and time spent in a clinical site as important factors when considering clinical trials (5). CMDs can include telemedicines, smart phone apps and AI capable of analysing patient data. As a result of this, there has been ~34% annual compound growth of CMD use in clinical trials (6).These benefits are best portrayed by the significant growth in the IoMT market, which is expected to grow from ~$31 billion in 2021 to a predicted ~$188 billion in 2028 (7), with CMDs and wearable smart devices increasingly used in the home as well as healthcare institutions.

Cybersecurity Issues

Despite the advantages of the IoMT, the adoption of CMDs is hampered by concerns regarding the security of clinical data stored in the cloud, instead of traditional medical records stored on paper or in internal servers which are less susceptible to being leaked. IoMT devices are vulnerable to many types of attack which can interfere with patient monitoring and care. Examples of these include eavesdropping, in which an attacker gains access to private medical records which can then be used to unlock the CMD, gaining further access to unauthorised data and allowing them to tamper with private medical records (8). While the common aim of these attacks is to sell this data to a third party, attacks on IoMT devices could include changing medical data leading to improper diagnoses of patients, the prescription of medication leading to an allergic response, and inaccurate monitoring of medical conditions which would impact patient welfare and have potentially significant financial impacts (8).

There have been many instances of attacks on large technology companies in recent years. Fitbit, one of the largest producers of wearable activity tracking watches, has been revealed to be vulnerable to data leakage via network connection (9), and the Nike+ Fuelband is prone to attack due to its USB connector (10). Technology companies such as Huawei, Xiaomi and Jawbone have suffered data leaks (9).

These incidents have negatively impacted public trust in CMDs collecting medical data, with people typically not wishing to share medical information with non-NHS businesses for reasons other than direct care. While trust was shown to increase after a deliberative workshop, it remained low (<50%) (11). As shown here, public distrust towards CMDs amid cybersecurity scandals will halt the potential growth of IoMT and its applications in healthcare.

CMDs and IoMT provide a promising avenue for quick, efficient diagnoses and treatment of a variety of conditions and allow for DCTs which increases the number of willing participants and allows for remote accurate monitoring of conditions. However, cybersecurity issues halt the progress and uptake of CMDs due to public distrust and misuse of the technology by cyber attackers. Unfortunately, cybersecurity issues can typically only be addressed after the incident occurs, however updates to UK regulations regarding CMDs will help prevent future attacks and data leaks.

Cybersecurity breaches can have a variety of goals.

1)     Deloitte – Medtech and the Internet of Medical Things [Internet] 2018 – Available from: https://www2.deloitte.com/global/en/pages/life-sciences-and-healthcare/articles/medtech-internet-of-medical-things.html

2)     Sato T, Ishimaru H, Takata T, Sasaki H, Shikano M. Application of Internet of Medical/Health Things to Decentralized Clinical Trials: Development Status and Regulatory Considerations. Frontiers in Medicine. 2022;9. – Available from: https://doi.org/10.3389%2Ffmed.2022.903188

3)     Angus DC. Randomized clinical trials of artificial intelligence. Jama. 2020 Mar 17;323(11):1043-5. – Available from: doi:10.1001/jama.2020.1039

4)     McKinsey & Company – No place like home? Stepping up the decentralization of clinical trials [Internet] 2021 – Available from: https://www.mckinsey.com/industries/life-sciences/our-insights/no-place-like-home-stepping-up-the-decentralization-of-clinical-trials

5)     Anderson A, Borfitz D, Getz K. Global public attitudes about clinical research and patient experiences with clinical trials. JAMA Network Open. 2018 Oct 5;1(6):e182969-. Available from: doi:10.1001/jamanetworkopen.2018.2969

6)     Marra C, Chen JL, Coravos A, Stern AD. Quantifying the use of connected digital products in clinical research. NPJ digital medicine. 2020 Apr 3;3(1):1-5. – Available from: https://doi.org/10.1038/s41746-020-0259-x

7)     Fortune Business Insights – Internet of Medical Things (IoMT) Market [Internet] – Available from: https://www.fortunebusinessinsights.com/industry-reports/internet-of-medical-things-iomt-market-101844

8)     Hasan MK, Ghazal TM, Saeed RA, Pandey B, Gohel H, Eshmawi AA, Abdel‐Khalek S, Alkhassawneh HM. A review on security threats, vulnerabilities, and counter measures of 5G enabled Internet‐of‐Medical‐Things. IET Communications. 2022 Mar;16(5):421-32. – Available from: https://doi.org/10.1049/cmu2.12301

9)     Jiang D, Shi G. Research on data security and privacy protection of wearable equipment in healthcare. Journal of Healthcare Engineering. 2021 Feb 5;2021. – Available from: https://doi.org/10.1155/2021/6656204

10)  Arias O, Wurm J, Hoang K, Jin Y. Privacy and security in internet of things and wearable devices. IEEE Transactions on Multi-Scale Computing Systems. 2015 Nov 6;1(2):99-109. DOI: 10.1109/TMSCS.2015.2498605

11)  Chico V, Hunn A, Taylor M. Public views on sharing anonymised patient-level data where there is a mixed public and private benefit. NHS Health Research Authority, University of Sheffield School of Law. 2019 Sep. – Available from: https://s3.eu-west-2.amazonaws.com/www.hra.nhs.uk/media/documents/Sharing_anonymised_patient-level_data_where_there_is_a_mixed_public_and_privat_Pab71UW.pdf

Medical Device Clinical Trials vs Pharmaceutical Clinical Trials – What’s the Difference?

Medical devices and drugs share the same goal – to safely improve the health of patients. Despite this, substantial differences can be observed between the two. Principally, drugs interact with biochemical pathways in human bodies while medical devices can encompass a wide range of different actions and reactions, for example, heat, radiation (Taylor and Iglesias, 2009). Additionally, medical devices encompass not only therapeutic devices but diagnostic devices, as well (Stauffer, 2020).

More specifically medical device categories can include therapeutic and surgical devices, patient monitoring, diagnostic and medical imaging devices, among others; making it a very heterogeneous area (Stauffer, 2020). As such, medical device research spills over into many different fields of healthcare services and manufacturing. This research is mostly undertaken by SME’s ( small to medium enterprises) instead of larger well-established companies as is more predominantly the case with pharmaceutical research. SME’s and start-ups undertake the majority of the early stage device development, particularly where any new class of medical device is concerned, whereas the larger firms get involved in later stages of the testing process (Taylor and Iglesias, 2009).

Classification criteria for medical devices

There are strict regulations that researchers and developers need to follow, which includes general device classification criteria. This classification criterion consists of three classes of medical devices, the higher class medical device the stricter regulatory controls are for the medical device. 

  • Class I, typically do not require premarket notifications
  • Class II,  require premarket notifications
  • Class III, require premarket approval

Food and Drug Administration (FDA)

Drug licensing and market access approval by the Food and Drug Administration (FDA) and international equivalents require manufacturers to undertake phase II and III randomised controlled trials in order to provide the regulator with evidence of their drug’s efficacy and safety (Taylor and Iglesias, 2009).

Key stages of medical device clinical trials

In general medical device clinical trials are smaller than drug trials and usually start with feasibility study. This provides a limited clinical evaluation of the device. Next a pivotal trial is conducted to demonstrate the device in question is safe and effective (Stauffer, 2020).

Overall the medical device trials can be considered to have three stages:

  • Feasibility study,
  • Pivotal study to determine if the device is safe and effective,
  • Post-market study to analyse the long-term effectiveness of the device.

Clinical evaluation for medical devices

Clinical evaluation is an ongoing process conducted throughout the life cycle of a medical device. It is first performed during the development of a medical device in order to identify data that need to be generated for regulatory purposes and will inform if a new device clinical investigation is necessary. It is then repeated periodically as new safety, clinical performance and/or effectiveness information about the medical device is obtained during its use.(International Medical Device Regulators Forum, 2019)

During the evaluative process, a distinction must be made between device types – diagnostic or therapeutic. The criteria for diagnostic technology evaluations are usually divided into four groups:

  • technical capacity
  • diagnostic accuracy
  • diagnostic and therapeutic impact
  • patient outcome

The importance of evaluation

Evaluations provide important information about a device and can indicate the possible risks and complications. The main measures of diagnostic performance are sensitivity and specificity. Based on the results of the clinical investigation the intervention may be approved for the market. When placing a medical device on the market, the manufacturer must have demonstrated through the use of appropriate conformity assessment procedures that the medical device complies with the Essential Principles of Safety and Performance of Medical Devices(International Medical Device Regulators Forum, 2019).The information on effectiveness can be observed by conducting experimental or observational studies.

Post-market surveillance

Manufacturers are expected to implement and maintain surveillance programs that routinely monitor the safety, clinical performance and/or effectiveness of the medical device as part of their Quality Management System (International Medical Device Regulators Forum, 2019). The scope and nature of such post market surveillance should be appropriate to the medical device and its intended use. Using data generated from such programs (e.g. safety reports, including adverse event reports; results from published literature, any further clinical investigations), a manufacturer should periodically review performance, safety and the benefit-risk assessment for the medical device through a clinical evaluation, and update the clinical evidence accordingly.

The use of databases in medical device clinical trials

The variations in the available evidence-base for devices means that, unlike with drugs, medical devices will typically require the consideration and analysis of data from observational studies in ascertaining their clinical and cost-effectiveness. Using modern observational databases has advantages because these databases represent continuous monitoring of the device in real-life practice, including the outcome (Maresova et al., 2020).

Bayesian methods as an alternative framework for evaluation

Bayesian methods for the analysis of trial data have been proposed as an alternative framework for evaluation within the FDA’s Center for Devices and Radiological Health. These methods provide flexibility and may make them particularly well suited to address many of the issues associated with the assessment of clinical and economic evidence on medical devices, for example, learning effects and lack of head-to-head comparisons between different devices.

Use of placebo in medical vs pharmaceutical trials

An additional key difference between drug and medical device trials are that use of placebo in medical device trials are rare. If placebo is used in a trial for surgical / implanted devices  it would usually be a sham surgery or implantation of a sham device (Taylor and Iglesias, 2009). Sham procedures are high risk and may be considered unethical. Without this kind of control, however, there is in many cases no sure way of knowing whether the device is providing real clinical benefit or if the benefit experienced is due to the placebo effect. 

Conclusion

            In conclusion, there are many similarities between medical device and pharmaceutical clinical trials, but there are also some really important differences that one should not miss:

  1.  In general medical device clinical trials are smaller than drug trials.
  2.  The research is mostly undertaken by SME’s ( small to medium enterprises) instead of big well-known companies
  3. Drugs interact with biochemical pathways in human bodies whereas medical devices use a wide range of different actions and reactions, for example, heat, radiation.
  4. Medical devices can be used for not only diagnostic purposes but therapeutical purposes as well.
  5.  The use of placebo in medical device trials are rare in comparison to pharmaceutical clinical trials.

References:

Bokai WANG, C., 2017. Comparisons of Superiority, Non-inferiority, and Equivalence Trials. [online] PubMed Central (PMC). Available at: <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5925592/> [Accessed 28 February 2022].

Chen, M., Ibrahim, J., Lam, P., Yu, A. and Zhang, Y., 2011. Bayesian Design of Noninferiority Trials for Medical Devices Using Historical Data. Biometrics, 67(3), pp.1163-1170.

E, L., 2008. Superiority, equivalence, and non-inferiority trials. [online] PubMed. Available at: <https://pubmed.ncbi.nlm.nih.gov/18537788/> [Accessed 28 February 2022].

Gubbiotti, S., 2008. Bayesian Methods for Sample Size Determination and their use in Clinical Trials. [online] Core.ac.uk. Available at: <https://core.ac.uk/download/pdf/74322247.pdf> [Accessed 28 February 2022].

U.S. Food and Drug Administration. 2010. Guidance for the Use of Bayesian Statistics in Medical Device Clinical. [online] Available at: <https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-use-bayesian-statistics-medical-device-clinical-trials> [Accessed 28 February 2022].

van Ravenzwaaij, D., Monden, R., Tendeiro, J. and Ioannidis, J., 2019. Bayes factors for superiority, non-inferiority, and equivalence designs. BMC Medical Research Methodology, 19(1).