Risk Assessment and Classification of Medical Device Software for the Internet of Medical Things
Challenges arising from connected, intelligent medical devices
Irina Brass*
University College London, London, UK
i.brass@ucl.ac.uk
Andrew Mkwashi
University College London, London, UK
a.mkwashi@ucl.ac.uk
ABSTRACT
Although the medical device industry operates within a stringent regulatory environment, the growing deployment of connected, intelligent medical devices (CIMDs) in the healthcare sector is challenging these established regulatory frameworks. CIMDs come in a variety of forms, from implantables, to specialist IoMT devices deployed at the point-of-care, to AI-based medical devices, and AI as a medical device (AIaMDs). These devices raise several cybersecurity, data management, and algorithmic integrity concerns for patient safety and the delivery of reliable, responsible healthcare. The purpose of this article is to focus on a particular characteristic of CIMDs: their risk profile, which changes several times throughout their lifecycle with limited awareness from users, manufacturers, and regulators. Looking at the implications of these often subtle yet meaningful software modifications for current medical device regulations and for critical stakeholders in the CIMD ecosystem, the article highlights three main challenges to: i) the risk assessment, classification and management frameworks that underpin current medical device regulations; ii) current medical device compliance frameworks, especially the post-market surveillance of medical devices; and iii) the detection, categorization, and reporting of compromised devices that might not perform according to their intended purpose. The article brings empirical evidence from a qualitative research study conducted with critical stakeholders in the medical device sector.
CCS CONCEPTS
• Internet of medical things; • Artificial intelligence; • Risk classification;
KEYWORDS
Medical device software, regulation
ACM Reference Format:
Irina Brass and Andrew Mkwashi. 2022. Risk Assessment and Classification of Medical Device Software for the Internet of Medical Things: Challenges arising from connected, intelligent medical devices. In Proceedings of the 12th International Conference on the Internet of Things (IoT ’22), November 07–10, 2022, Delft, Netherlands. ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3567445.3571104
* Corresponding author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
IoT ’22, November 07–10, 2022, Delft, Netherlands
© 2022 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-9665-3/22/11.
https://doi.org/10.1145/3567445.3571104
1 INTRODUCTION
The use of software in medicine and healthcare, including software as a medical device (SaMD¹), has been growing over the years, with a variety of applications and purposes ranging from clinical decision support, diagnosis, and treatment to assistance in complex medical interventions. Within the broad category of software-based medical devices and SaMDs, we have identified a category of healthcare technologies that is raising considerable concerns about patient safety and security, and the integrity of digital healthcare, which we call “connected, intelligent medical devices” (CIMDs). CIMDs are “medical devices that incorporate software and artificial intelligence tools, and use communication technologies and networks to transfer, manage, store, and analyze health data” [31:10]. These can be connected devices used in various healthcare settings such as smart CT scanners, as well as wearables or implantables such as heart-rate monitors that collect patient data and can provide therapeutic options. They can also be AI-based medical devices or standalone AI as a Medical Device (AIaMD) that provide decision support or assistance to professional staff. Together, these devices form a connected, intelligent medical device ecosystem at the confluence of the Internet of Medical Things (IoMT) and artificial intelligence (AI) [22, 40, 42] – a connected infrastructure of smart medical devices, software applications, and communication systems and services that facilitate data collection, transmission, storage, management, analysis, and actuation in digital healthcare.
While CIMDs have undoubted benefits – from remote management of heart failure in implantables to sophisticated machine learning software that provides considerable support in diagnosis or surgery – they also raise critical cybersecurity and algorithmic integrity concerns. These challenges are becoming better documented in the specialist literature and practice [7, 8, 10, 25, 27, 29, 41, 44], highlighting their serious consequences for patient safety, health outcomes and fundamental rights, as well as important consequences for medical professionals and the resilience of the healthcare infrastructure [31].
Because of their potentially life-threatening consequences for patients, medical devices are strictly regulated in most jurisdictions in order to evaluate and manage their safety and performance (Section 3). The regulation is generally structured on a risk-based medical device classification system, from low to moderate to high risk. Risk assessment and classification are conducted by the device manufacturer and reported to the regulator for review and/or market authorisation, or to an approved body as part of conformity
¹ The IMDRF defines SaMD as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device” [21:6].