Artificial intelligence in medical device software and high-risk medical devices - a review of definitions, expert recommendations and regulatory initiatives.

INTRODUCTION: Artificial intelligence (AI) encompasses a wide range of algorithms with risks when used to support decisions about diagnosis or treatment, so professional and regulatory bodies are recommending how they should be managed. AREAS COVERED: AI systems may qualify as standalone medical device software (MDSW) or be embedded within a medical device. Within the European Union (EU) AI software must undergo a conformity assessment procedure to be approved as a medical device. The draft EU Regulation on AI proposes rules that will apply across industry sectors, while for devices the Medical Device Regulation also applies. In the CORE-MD project (Coordinating Research and Evidence for Medical Devices), we have surveyed definitions and summarize initiatives made by professional consensus groups, regulators, and standardization bodies. EXPERT OPINION: The level of clinical evidence required should be determined according to each application and to legal and methodological factors that contribute to risk, including accountability, transparency, and interpretability. EU guidance for MDSW based on international recommendations does not yet describe the clinical evidence needed for medical AI software. Regulators, notified bodies, manufacturers, clinicians and patients would all benefit from common standards for the clinical evaluation of high-risk AI applications and transparency of their evidence and performance.

Cybersecurity of medical devices: new challenges arising from the AI Act and NIS 2 Directive proposals.

Cyberattacks on the IT infrastructure of hospitals, electronic health records or medical devices that have taken place during the COVID-19 pandemic reaffirmed how crucial it is to ensure cybersecurity in the healthcare sector. Medical devices are regulated in the European Union (EU) through vertical product-specific legislation, such as the Medical Device Regulation (MDR), among others. The MDR foresees safety requirements implying cybersecurity obligations for medical device manufacturers. In 2021, the EU legislator put forward the Network and Information Security System Directive reform (NIS 2) and the Artificial Intelligence Act (AIA) proposal, containing additional cybersecurity requirements applicable to medical devices. This article analyses how the new reforms interact with the existing legislation from a cybersecurity perspective. The research finds that parallel provision of analogous cybersecurity requirements (especially on notification requirements) could lead to regulatory overlapping, fragmentation, and uneven levels of protection of individuals in the EU internal market. In the "Recommendations and conclusions", the article provides policy recommendations to the EU legislator to help mitigate these risks.