The government has just issued to some updated guidance on when an app becomes a “medical device.” It has done this because, as its own press release says, healthcare apps are becoming part of daily life – but using an unregulated app might just have life-threatening consequences.

The Medicines and Healthcare products Regulatory Agency hopes the guidance will clarify when an app is a medical device, and help users to check if an app is “safe and works.” However, poke this space and things become a lot less straightforward.

There are a lot of “health” apps out there, should I trust them?

As a general rule no. Multiple studies have shown a lot of so-called medical apps have no clinical input at all, let alone solid evidence that support their claimed medical application. This is not such a big deal for dodgy “wellness diaries” but some can cause real clinical harm.

One study showed three out of four melanoma detection apps reviewed incorrectly identified at least 30% of melanomas as “unconcerning”.

In January, the US Federal Trade Commission forced Lumos Lab, makers of memory game app Luminosity, to settle charges for US$2 million over unsubstantiated claims that it treated age related brain diseases, stroke, and PTSD. Then there’s the apps that leak your personal health information to third parties.

Scary, so which apps really are medical devices?

The UK relies on EU guidelines for determining when software becomes a medical device. The essentially draws the line at software that is directly involved in patient care, such as generating “patient data to support or influence the medical care provided to that patient.”

The MHRA, drawing from the EU regulations, says a computer program or functional document, including an app, is a medical device if it has “medical purpose”.

Seems pretty clear, right?

Sort of, but the line at which an app is used for “medical purposes” is a little blurry. If it is just “supporting” a doctor making clinical decisions, does than count as medical device?

For instance, MHRA says that a “medical purpose” could include monitoring, diagnosing and preventing a disease, injury or handicap. However, an app that monitors “fitness/health/wellbeing” rather than disease, or is used as “clinical decision support tool” rather than actually making a diagnosis, would not be considered a medical device.

Likewise, apps that store data, provide general medical advice, or provide administrative functions, like appointment bookings, are not medical devices.

Google DeepMind ran into some difficulties with these distinctions in May with its Streams app “pilot”, which was using historical NHS patient data to identify acute kidney injury for patients at London’s Royal Free Hospital.

Among other controversies, Google DeepMind did not deem the app a medical device and had not registered it with any official body. The Streams app has not been used at London’s Royal Free since.


So if an app is a medical device, how do we know it’s safe to use?

The requirements differ depending on the function of the app; the more medically involved, and therefore a risky, the more stringent the certification.

But generally speaking, like any other medical product sold in the EU, medical device apps are meant to through an accreditation process to get CE mark, which denotes they have met certain standards of safety, health and environment protection.

For apps, this generally means the benefits must outweigh the risk, they should be easy to use, should “design out risk” and do what it says on the box (which may require clinical trials depending on the function). They must also be clinically evaluated. Once again, these standards rely on EU regulations so could eventually change in a post-Brexit Britain.

That sounds comforting, apart from the Brexit bit. So how many of this app medical devices are out there in UK?

Well… we don’t really know. While apps doing medicine are meant to be CE certified, a lot of monitoring for adverse effects is down to self-regulation. Some developers have made a big thing out of going through the process, starting with the Mersey Burns App that was the first to win a CE mark. But most don’t.

For the least risky type of software medical devices, type 1, manufacturers need to register with MHRA, but don’t need to tell the regulator what specific medical devices they have developed. So the regulatory body for medical devices in the UK does not have a list of software functioning as a medical device in this country.

The authority does have a list of 66 “manufacturers” that make standalone software as a medical device, including apps and which have registered since 2014. These range from the big systems suppliers, such as CSC, and big pharma, such a GlaxoSmithKline and Pfizer, to individuals and NHS trusts.

Have any of these companies every reported a problem with their software medical devices?

Not specifically in the app space, but primary care systems supplier TPP flagged up problems with the algorithm QRisk2 digital calculator operating within its SystmOne product in May this year.

The calculator, designed by doctors and academic, is used to determine a patient’s heart attack risk but the version within TPP turned out to have a code mapping error that could have affected up to 270,000 patients. The problem is now fixed.

TPP has said QRisk2 isn’t medical device but instead a clinical decision support tool. Both TPP and the original developer of QRisk, ClinRisk, are, however, on MHRA’s manufacturer list.

So what apps should even be used in NHS?

After the debacle that was the now-closed NHS Health Apps Library, Public Health England has been developing an alternative app endorsement service. However, progress has been slow and even the project lead has said it only had a 50% chance of success.

As of 5 September, there was no progress to report and now the government has announced it will forge ahead with a new app library, which will be up and running by March next year.

Until then, John Wilkinson, MHRA’s director of medical devices, says before using an app that is diagnosing or recommending treatment, patients and clinicians should check for a CE mark and developers should make sure they have CE accreditation if they want to make those sorts of products.

On the less serious side of health apps, Dr Mahiben Maruthappu, senior fellow to NHS England’s chief executive, has given a thumbs up to Pokemon Go. Not a medical device app perhaps, but pretty safe if you look where you are going.