Digital health and artificial intelligence (AI) are fast becoming the main drivers transforming the life sciences industry, from biopharmaceutical research and development (R&D) to clinical trial recruitment, diagnostics, supply chain optimization, and pharmacovigilance. Here, we examine the top six trends.
For several years, pharmaceutical companies have been using global data sharing and analytics platforms such as Vivli to share clinical data on a voluntary basis. In 2023, the EU will finalize the conditions for obligatory sharing of electronic health data under the proposed European Health Data Space (EHDS) Regulation. Even though the EHDS will take a few years to become applicable and operational, companies are already exploring its risks, in particular to protect intellectual property and trade secrets (e.g., the risk of reverse engineering of AI algorithms). But companies are also seeing an upside and are studying opportunities to obtain access to valuable data from the EHDS. In the first half of 2023, discussions between EU institutions and industry will focus on the EHDS user conditions, set out in a “data permit,” and the deferrals necessary to permit patent filings. Another hot topic in the legislative discussions will be whether EHDS data can be used by reimbursement authorities. Finally, the EU’s growing “digital protectionism” can affect where EHDS data can be stored and transferred.
When the internet took off, EU regulators started a long process of adapting laws to the online world, and that process has now moved into an intense “second phase” with a slew of new proposals. Companies have had to restructure their networks of contracts with suppliers, customers, consumers, and insurers to adapt to contractual risks and liabilities. The result can be summarized crudely as “what applies online applies offline.” Now, for AI applications and products, another major adaptation is underway. When companies put a self-learning product on the market (with components sourced from suppliers), and customers and end users can all affect the output of the product, e.g., by using the model on their data, how are risks and liabilities going to be distributed? The EU is putting a heavy finger on the scales through the revised Product Liability Directive (PLD) and new AI Liability Directive (AILD). Both new directives seek to adapt existing civil liability rules for the digital age and extend existing rules on strict liability for harm caused by defective products. Companies will need to follow these directives as they go through the legislative process, review their contracts and general conditions affected by new obligations and liabilities, and prepare for enhancing their governance structures for risk signaling and mitigation.
Ongoing product development for the EU market will need to take account of the EU’s rapidly developing, world-first legal framework on AI. The key piece of future legislation, the AI Act, will classify AI applications depending on different “risk levels.” Like for medical devices, the EU has opted to “privatize” compliance assessment. High-risk AI products will need to be assessed by specialized bodies that will themselves need to be designated (e.g., notified bodies designated for the assessment of medical devices can seek additional designation for assessing AI components). Because there is already a capacity crunch for notified bodies assessing medical devices in the EU, companies will need to consider how they will secure AI assessment capacity.
The standards to be met will likely include risk management, bias avoidance, traceability, interpretability, and explainability of output. The development of standards is in full swing, and the new deadline for the final joint report by the EU standardization bodies is January 31, 2025. Companies will want to watch the standard-setting processes taking place in the EU and globally (see the Joint EU-US Roadmap on Evaluation and Measurement Tools for Trustworthy AI and Risk Management (AI Roadmap) by the EU-US Trade and Technology Council (TTC)). In the meantime, the applicable regulatory obligations on developers may be further blurred by the proposed postponement of the application of the provisions of the EU Medical Device Regulation to 2027 or 2028, which is expected to be announced in early 2023. As there is a close overlap between the medical device and AI frameworks, it will take some time before it is clear to what timelines developers will need to adhere. Given the obligations imposed on providers and users of AI systems alike, developers should be very clear on the parameters of use of these systems to avoid unintended liability.
As in the U.S., new product requirements will include cybersecurity. The EU Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), which has recently been published, is driven by the fact that many medical devices operate on legacy systems, making them vulnerable to cyberattacks, and by the increasing interconnection of medical devices through the internet of medical things (IoMT). Operators of essential services, including critical medicinal products and pharmaceutical companies, should start preparing to comply with several security regulations set out in the proposed directive.
Current reimbursement systems in the EU are geared toward established technologies and not set up to assess forward-looking or preventive benefits, for example, from improved screening and detection of diseases. Assessing real-world data is challenging, too. While developing their reimbursement strategies, companies will want to follow the rollout of the EU Regulation on Health Technology Assessment (HTA), which will include the development of EU-wide clinical and methodological criteria for the evaluation of digital medical devices for pricing and reimbursement decisions.
The UK’s National Health System is increasingly looking at R&D partnership models with digital health developers. The UK is developing new evidence standards frameworks for digital health and AI and exploring an early value assessment pathway for digital technologies to enable interim recommendations on reimbursement while further evidence is generated.
At the same time, the UK is revising its medical device legal regulatory framework, including software and AI as medical devices. During 2023, the government will work on a package of new legislation, expected to be published in 2024. Regulator capacity will remain a key concern. The postponement of the applicability of the new UKCA (UK Conformity Assessed) mark regime by 12 months signifies the lack of preparedness both from the industry’s and the regulator’s side. In terms of AI regulation, the UK has stated its intent to take a light approach, with sector-specific guidance where required to remain agile.
Many companies underestimate the force of change brought about by discussions at the WHO, which has been strengthening its role in helping national regulators assess and regulate digital technologies. Most recently, the WHO launched its Global Strategy on Digital Health 2020-2025. This provides guidance to national regulators in their approach to virtual care, remote monitoring, AI, big data analytics, blockchain, smart wearables, and tools for (remote) data capture, exchange, and storage. Many countries use WHO recommendations as a blueprint for new laws.