When the Food and Drug Administration (FDA) blessed Apple’s electrocardiogram app on its Apple Watch Series 4 in September 2018, it was a big step for a growing area in medicine: software as a medical device (SaMD). SaMD is a “product without a body in the sense that it is pure software that operates on a platform,” said Bill Greenrose, managing director of regulatory and operational risk for Deloitte.

The concept itself isn’t totally new. A patient portal could be considered an SaMD because it essentially is software running on a platform that collects patient data. But when the first portals asked patients to log in to a website to fill out their medical history, the possibility of having software do things like adjust medication doses based on biofeedback or detect and diagnose stroke by analyzing magnetic resonance images, was a far-off dream.

Now, SaMD is about to become much more pervasive in the world of medicine, and especially diagnostics, as technology moves at rocket speed. SaMD will provide “a lot more data because, at the end of the day, that is what this is all about and why everybody is getting so excited,” Greenrose said. “The more information [diagnostics manufacturers] can collect about actions and activities of patients, the better they can help shape the use of those products,” which not only will improve patient care, he said, but also make developers more profitable because their devices will work better.

Results released in March from a study using Apple Watch software is encouraging others to pursue the SaMD strategy, but it is not likely to assuage critics of emerging direct-to-consumer (DTC) SaMD products. The Apple-sponsored study, launched in November 2017, looked at whether the app could identify atrial fibrillation. While investigators found that 84% of participants with irregular pulse notifications from the app were in atrial fibrillation at the time of the notification, false-positives remain a concern for software built into a device used by millions of consumers.

An Evolving Regulatory Picture

While software already plays a role in medical care, it’s usually at the service of hardware doing the work, such as the case of insulin pumps that patients program themselves. “Medical devices have had software in them probably as long as there have been medical devices,” said Aaron L. Josephson, senior director of the government relations consulting group, ML Strategies, who also worked at FDA for 10 years, including as a senior policy advisor in the Center for Devices and Radiological Health, which regulates medical devices. “The challenge is that the software now has become a lot more complex and a lot more integrated into healthcare delivery,” he said.

Moreover, SaMDs are unlike anything FDA has regulated before. “When you evaluate a hardware device, you’re looking at whether it would withstand a certain amount of stress and if it meets certain criteria,” Josephson said. “With software, you’re looking at a bunch of code. The question is, how does looking at that code really tell you if it's safe and effective? The answer is, it doesn’t. You have to look at what the output of the software is.”

In 2017, FDA introduced a Digital Health Action Plan that included hiring more digital staff, releasing new guidance documents, and launching a digital health software pre-certification pilot program (Pre-Cert) with Apple, FitBit, Johnson & Johnson, PEAR Therapeutics, Phosphorus, Roche, Samsung, Tidepool, and Verily as early participants.

The goal of a Pre-Cert program is deciding “if the software developer has what they’re calling a culture of quality and organizational excellence,” Josephson said. “Are you an organization that values quality? Are you an organization that does other things that FDA considers to be showing that you’re a good steward of public health in the way that you develop your products?” After being pre-certified, a developer will need to have that certification renewed after a certain period of time, most likely 2 years, Josephson said.

Josephson doesn’t think FDA is getting in the way of innovation because of how the agency is working with industry on its pilot program. “FDA is kind of admitting [it doesn’t] have the resources [the agency] would need to review the skyrocketing volume of software devices,” an important first step in finding a new model, he said. “Pre-Cert does allow you to certify a developer who can then make countless numbers of SaMD and distribute them legally without FDA having to check in on every one of them,” he said.

The DTC Dilemma

FDA’s eagerness to work with industry is not necessarily easing concerns about releasing SaMD data directly to patients, especially it’s without parameters to explain that data’s limitations. Recently, FDA has been allowing DTC genetic testing to expand, in what amounts to a test case for how regulators think companies should handle vast amounts of patient data.

A. Cecile J.W. Janssens, PhD, a research professor of epidemiology at the Rollins School of Public Health at Emory University in Atlanta, has written extensively about DTC testing issues, especially surrounding 23andMe, a personal genomics company that sells its genetic testing kits online. In 2018, FDA permitted 23andMe to market certain genetic health risk tests and required a warning statement that consumers should not use these test results to stop or change any medications.

“I’m not against direct-to-consumer testing. We live in a free world, so if people want to offer that, and other people want to use it, they should be able to do that,” said Janssens. “They should present it in such a way that the limitations of everything are also clear.” 23andMe tests over 600,000 single nucleotide polymorphisms, which might sound impressive, she said, until put into the context that “we have about 3 billion letters, and they only do 600,000. It’s only really a snapshot.”

If a company puts a warning label next to data it shares directly with consumers, saying it shouldn’t be used to make medical decisions, will consumers really follow that advice? FDA, Janssens said, is “basically saying that all this risk information is OK as long as those tests do not diagnose you. They didn’t tell anything about whether the predictive algorithms need to be predictive. They don’t regulate any of that, so it’s really opened the market to a lot of junk,” Janssens said.

Pushing Into Higher-Risk Areas

Right now, SaMDs are used more often in clinical trials than for routine patient care, and they are mostly a low risk—Class I, as FDA calls them—category, said Greenrose. He sees that changing in the next 5 years, both as regulatory processes are cemented, and as technology continues to develop and move into Class II (moderate-risk) and Class III (high-risk) assessments that will “inform the clinician after the fact that it made an adjustment,” he said.

Greenrose said that as devices and software proliferate, clinical laboratorians should prepare to see data coming in from these sources. These data will supplement traditional inputs labs are used to and include information such as where a patient was during and right before a sample was taken. “We’re almost getting into real-time medicine,” Greenrose said. “There’s a lot more information becoming available that can help create a better picture of what the test results really mean within the larger context of the patient’s condition.”

Jen A. Miller is a freelance journalist who lives in Audubon, New Jersey. Follow her on Twitter: @byJenAMiller