IVDR, a proactive approach for pandemics like Covid-19

Ongoing EU leadership in Regulations

The European Commission’s latest In Vitro Diagnostic Regulation (IVDR 2017/746) addresses several weaknesses of the earlier In-Vitro Medical Devices Directive (IVDD) and brings significant regulatory changes that manufacturers of In Vitro Diagnostic (IVD) devices must meet to sell legally in the European Union.

The new IVDR greatly expands the scope of compliance and increases the number of IVD devices subject to rigorous oversight. It aims to address concerns such as patient safety and transparency, and as a result sets greater expectations for clinical evidence and closer scrutiny of manufacturers’ data. The new IVDR was scheduled to come into force from May 2022; however, the Covid-19 pandemic has forced the EU to push the deadline, likely to May 2023.

An IVD medical device encompasses a wide range of laboratory developed tests, point-of-care devices, instruments, reagents, and kits used to analyze human samples and guide clinical decision making. The new IVDR provides increased traceability throughout the supply chain through the introduction of a Unique Device Identification (UDI) system, a risk-based classification scheme and new standards for clinical evidence. It also sets post-market vigilance reporting and surveillance requirements. Thus, the Regulation aims to balance proportionate, responsible regulation with an increasingly technological approach to healthcare, including in areas such as software and algorithms as part of IVD instruments and SaMD (Software as a Medical Device).

Interestingly, the new IVDR has no grandfathering provisions. A manufacturer that has been selling IVD devices in the EU for several years will already conform to the original IVDD, but that does not waive its obligation to comply with the new IVDR in order to continue selling legally in the EU!

Risk-based Classification of IVDs
IVDR introduces seven risk-based classification rules that sort IVDs into four risk groups; the group determines a device’s conformity assessment route and its product-specific technical specification requirements.

  • Low-risk (Classes A & B): Products for general laboratory use, instruments specified for IVD procedures and/or specimen receptacles are defined as Class A. Devices that are controls with no quantitative or qualitative assigned values, and self-testing devices (non-critical conditions), are classified as Class B.
  • Moderate-risk (Class C): Devices intended to be used in STD detection, detection of infectious agents, screening in CSF or blood, cancer detection, genetic testing and/or prenatal screening of women for immune status to infectious agents.
  • High-risk (Class D): Devices involved in the detection of transmissible agents of a life-threatening disease, where detection is critical for patient management or there is a high risk of propagation.

Devices in Classes C & D are subject to more regular surveillance assessment on top of the technical documentation: documents such as the Performance Evaluation Report (PER), Periodic Safety Update Report (PSUR) and Summary of Safety and Performance (SSP) are expected to be updated at least annually, with the updates gathered through the Post-Market Surveillance (PMS) plan.

Covid-19 IVD tests
The novel coronavirus that broke out in China at the end of 2019 and spread to almost every country has dominated all spheres of public life the world over and has been grabbing the headlines ever since. The question before public health authorities now is how people infected with the virus can be diagnosed and treated quickly. To contain the spread of the disease effectively, a quick and reliable diagnostic test is required. False negatives are dangerous because they aid further spread of the coronavirus, whereas false positives lead to unnecessary and drastic measures, such as the isolation of supposedly infected patients. Hence errors in either direction are unacceptable.

2019-nCoV is clearly a pathogen with a “high or suspected high risk of propagation”. In addition, the number of deaths shows clearly that the pathogen can be characterized as causing a life-threatening lung disease and, worse, in a surprising recent trend, an increasingly high mortality due to cardiovascular complications. Both conditions of this rule (life-threatening and high risk of propagation) are fulfilled; therefore, IVD devices used for coronavirus tests fall into the highest risk class: Class D!

Risk Management for Security and Safety
Risk management is the process of identifying and measuring risks to safety and effectiveness that result from the intended use and foreseeable misuse of a medical device, and of reducing them “as far as possible” to an acceptable level. The risk management process has elements such as security risk analysis, security risk evaluation, security risk control, evaluation of residual security risk, and reporting, all of which are documented in a risk management plan.

If a security risk or control measure could have a possible impact on safety and effectiveness, then it should be included in the safety risk assessment. Similarly, any safety risk control or consideration that might have an impact on security should be included in the security risk analysis. Manufacturers should consider risk controls that maximize device cybersecurity while not unduly affecting other safety controls. As a company portfolio changes, through development or acquisition, it should be reviewed to ensure that any adaptations based on the risk of new products are considered.

IVD Software & Algorithms
IVD software is used with or in many devices – in laboratory based or point of care analyzers, in hand-held personal IVDs, as standalone software, as software upgrades to existing systems. Software as part of an IVD instrument, Software as Medical Device (SaMD) and software applications are included in the definition of IVD and fall under the scope of IVDR. This includes companion diagnostics applications as well as stand-alone software. A manufacturer must have a technical file that demonstrates the conformity of their standalone software with the respective provisions of the applicable IVDR clauses.

Due to the ‘black box’ nature of computer algorithms, viewed in terms of inputs and outputs without a full understanding of the internal working, it is suggested to regulate the use of such algorithms in some IVD areas, including genetics & genomic testing.

Cybersecurity and IVDR
Recent technical advances have resulted in radical transformations in health care delivery, which have the capability to improve patient care. However, they have also left IVD devices vulnerable to security breaches. The new IVDR sharpens legislators’ focus on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks.

Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. It requires manufacturers to develop and manufacture their products in accordance with the state-of-the-art, considering the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorized access. In order to have a strong handle on IT security issues that may potentially impact business, it is imperative to understand the relationship between three central components: threat, vulnerability, and risk.

  • Threat is what an organization is defending itself against, which includes the probability of an attack as well as the severity of impact in the case of an attack e.g. a DoS attack.
  • Vulnerabilities are the flaws or weaknesses that undermine an organization’s IT security efforts, e.g. an unpatched Web server application flaw that lets hackers into the system. 
  • Risk refers to the calculated assessment of potential threats to an organization’s security and vulnerabilities within its network and information systems.

Cyber criminals and hackers are continuing to seize opportunities to take advantage of vulnerable networks amidst the Covid-19 pandemic. According to C5 alliance, cyber-attacks have increased by 150% in healthcare sectors as of mid-2020. There is a 26% chance that 14% of patient monitoring tools will get attacked, according to research conducted by Atlas VPN. This research also reported that 27% of medical devices are still running on Windows XP or decommissioned versions of Linux, exposing these devices to increased cyber threats.

Cyber-attack schemes include hacking IVD devices either to control them or to use them as a backdoor into a hospital’s IT network. This can result in potential harm to patients or financial loss for providers, posing major challenges for medical device manufacturers. A cybersecurity risk may also pose a safety risk. For example, an attacker modifying patient data in transit from a pulmonary artery pressure sensor device, causing misdiagnosis based on altered blood pressure readings and a worsening of the patient’s heart failure condition, is a cybersecurity risk that has a catastrophic safety impact. Similarly, an attacker gaining access to the network and manipulating a ventilator’s alarm messages sent to the central monitoring system may delay or block them, so that emergency measures are not taken in time; this is an incident with severe safety impact.

However, not all cybersecurity risks have a safety impact. For example, an attacker eavesdropping on the network communication between a local patient monitor and a central monitoring station, thereby gaining possession of the patient’s sensitive health information, is a cybersecurity risk that has no safety impact. By contrast, network-spread malware (a worm) that encrypts the contents of the hard drive and makes the device unavailable is a cybersecurity risk with indirect safety impact, in that the affected systems are rendered unavailable for diagnosis of patients.

It is important to understand potential cyber threats and how to implement proper measures to ensure the safety of patients and trial data. Learning how to better design and include security in devices and systems at the beginning of development will protect users, as it is more difficult to add security features after creation. Running software as intended requires IT security, information security and operational security. To be effective, cybersecurity measures need to be addressed throughout the lifecycle of IVD software products. The appropriate level of cybersecurity activities on a software project is driven by several factors:

  • Value of the assets contained within the systems, e.g., systems containing personal information need to be well protected
  • Criticality of the systems, e.g., systems which are expected to have high levels of availability must be secured against denial of service attacks
  • Systems that are available on the public internet, e.g. Cloud software, must have high levels of verification that they are secure against known vulnerabilities.

Cybersecurity challenges for IVDR compliance
Multiple factors contribute to the cybersecurity challenges being faced by manufacturers. Having started as standalone devices, IVD devices have evolved into integrated equipment, connected to networks, with a large software component that creates new problems of security and privacy protection. Vulnerabilities already existed in medical devices; they are now exposed to a larger threat landscape through network connections, including wireless ones, which has amplified the security risk. Software used in medical devices and/or Software as Medical Device (SaMD) might be vulnerable to cyber-attacks, which should be handled and avoided with proper security measures. Often, large, complex medical software was originally designed without cybersecurity in mind: it was written to be functional and performant, and cybersecurity came as an afterthought.

Consequently, health care became a prime target for cyberattack, with a recent SANS Institute report stating that 94% of health care organizations have been the victim of cyberattacks, including on medical devices and related infrastructure. Many common threats continue to be problematic in health care, including cyber criminals using malware and ransomware to shut down individual devices, servers, or even entire networks. An increasing amount of protected health information is being stored in the cloud, so without proper encryption this could be a weak spot for the security of health care organizations.

Clever cyber criminals have created websites with addresses that are similar to those of reputable sites. Phishing attacks send out mass amounts of emails from seemingly reputable sources to obtain sensitive information from users. While encryption is critical for protecting health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches. Employees, whether through error or misuse (internal threat), could leave health care organizations susceptible to attack through weak passwords or unencrypted devices, or could steal property or data or commit other crimes. Wearable and implantable IoT healthcare devices, from insulin pumps to monitors to pacemakers, can be vulnerable to attack. Many IoT devices are not capable of supporting an endpoint security agent, which means they do not have the ability to block a signature of malicious behaviors or an attack. Unprotected mobile devices holding sensitive medical data, or the loss of such devices, are yet another source of exploits.

IVD Cybersecurity best practices 
Countering cyber-attacks starts by including security and safety measures from the beginning of the device’s or application’s development and creating a cybersecurity strategy. The first step is to develop a risk-based cybersecurity plan that addresses overall vulnerability issues about safety, security, privacy, automation, software, and design.

Second, medical device manufacturers should make provisions to ensure that device design is simple, easy to update, and adheres to regulatory guidelines. Manufacturers should also plan vulnerability management processes, ensuring that fixes can be rapidly developed and deployed. At the same time, processes and protocols to handle security breaches will need to be defined.

Evidence based compliance and conformity for IVDR
The IVDR mandates that manufacturers keep the technical documentation for these devices up to date, so that it allows the conformity of the devices with the requirements of the Regulation to be assessed. It should contain full disclosure of design, production and quality testing details.

This information can range from the very basic, such as what the device is, to more complex information such as variety, design and manufacturing details. The IVDR also requires the EU Declaration of Conformity and copies of other relevant certificates to be submitted to the competent authorities for at least 10 years after the device has been placed on the market.

IVDR obligations for manufacturers are to demonstrate the following in the device documentation:

  • Analytical performance
  • Clinical performance
  • Scientific Validity
  • Stability

The IVDR also specifies a Post-Market Performance Follow-Up plan requirement, which includes how it should be defined within a QMS.

To achieve CE Marking, most manufacturers of Class B, C & D devices will be required to provide the above-mentioned information to their notified body for review. Class A manufacturers must register with a notified body and document the information listed above; however, it will not be reviewed prior to EU market entry.

Note: If the IVD manufacturer utilizes the services of sub-contractors for design, development or production, this information must be represented in all documents, including the QMS status.

The Covid-19-triggered extension of the new IVDR’s deadline gives IVD manufacturers some breathing space for achieving compliance. However, in order to continue selling legally in the EU, they will still need to scramble. They would probably need to utilize the services of IVDR regulatory and cybersecurity consultants to conduct formal threat modeling, cybersecurity risk analysis and vulnerability analysis to generate the security requirements, and to perform formal reviews and penetration testing as part of verification and validation. They would probably also need to work with implementation partners who have experience of fixing vulnerabilities in IVD software and algorithms, be it secure configuration of operating systems, web servers and database servers, or secure application redesign. Meanwhile, how the delay will affect the accuracy of Covid-19 tests, and what impact it will have on public health, especially in already Covid-19-ravaged nations like Italy, Spain, France and the UK (although technically out of the EU post-Brexit), will be known only in the coming few years.

About the Author
Krithika is a Senior Software Engineer at Sequoia Applied Technologies. She is a software professional with domain knowledge in Telecom and Life Sciences and is very passionate about technology.

Life still goes on… A sneak peek to the world of Industrial IoT in the post-COVID

Temperature scanning for elevated body temperatures before entering the workplace

We know that the world is in chaos due to the so-called uncontrollable pandemic, COVID-19. It has brought changes to both our personal and professional lives in many ways. However, we should acknowledge that it has accelerated the digital transformation of enterprises, thanks to the concept of the Internet of Things (IoT). This will rewrite the future of today’s companies forever!

Although a few companies have been at the forefront of adopting and implementing IoT solutions and AI for their enterprises, Covid-19 has put these technologies to a stress test.

Companies that were early adopters of IoT in the manufacturing field were able to run at lower capacity and still be more productive than the others, because their machines could generate data to monitor their own performance and longevity. This also enabled the factories to run more efficiently with fewer human resources. Our customers in the Industrial IoT space are seeing an increase in demand for adoption and implementation of their IoT platforms.

Organizations that want to offer a better and safer customer experience with contactless interaction will adopt IoT faster, even if the products are in the beta stage. The supply chain industry will change significantly in the post-COVID world by implementing solutions like delivery robots, drones, and contactless payment options too.

Hats off to companies such as meshek{76}, a company in smart, autonomous farming and precision agriculture, that have positioned themselves well in advance to cope with the post-COVID scenario. The autonomous robotic system for growing and picking crops without human intervention helps to avoid contamination of the crops while they are being distributed to the marketplace.

Public utilities are accelerating the adoption of smart metering solutions, as they want to reduce the need for maintenance and monitoring professionals out of regard for their safety.

Even the regular working environment in the workplace is going to be a different one in post-COVID times. You may see touchless sanitation facilities. Facility managers or employees could track whether the toilets are cleaned/sanitized regularly using IoT-enabled cleaning equipment with attached sensors that keep a record of the number of times the equipment is used.

IoT technology may also be adopted by facility managers to monitor restroom supplies, such as hand soap levels or the number of paper towels and toilet paper rolls, and hence limit the number of unwanted trips made by employees to check on them.

The bottom line: the list of applications of IIoT goes on. It has now become the top priority for every company to prepare for a post-COVID world. We at SequoiaAT make this happen for you by implementing real-time solutions with smart technologies. Check out our customer stories to know more about our IIoT applications.

Sequoia Applied Technologies opens new office in Boston

Sequoia Applied Technologies, a leading provider of software engineering services, opened a new office in Boston, Massachusetts, to accommodate rapid growth and leverage the diverse high-technology companies based in the area.

The new office enables us to serve our customers in the east coast region better and supports the company’s growth strategy. Boston was chosen as a regional hub for the company because of its rich technology background and because it is home to some of the most innovative companies in America. We believe there is a great demand for software engineering services in small to medium-sized companies in the region. The company has appointed Priya Samant, a social impact entrepreneur, to lead the Boston office. “This is a great time to join SequoiaAT, with many new initiatives in place that align with the needs of high tech companies in the region,” said Priya.

Speaking on the occasion, Aju Kuriakose, CEO of Sequoia Applied Technologies, said, “The decision to have our east coast office in Boston was a no brainer for our growth strategy as it enables us to be closer to our customers. Boston is home to many high-tech companies as well as rich and diverse talent from well-known prestigious colleges and universities, which will help us to expand our software engineering services offerings in the region.”

About Sequoia Applied Technologies

Sequoia Applied Technologies is a California-based software product engineering services company, focused on providing a broad range of services and solutions in IoT, Cloud, Mobility & Analytics. SequoiaAT works with startups and Fortune 500 companies to help bring innovative products to market. SequoiaAT has enabled over a dozen products in the market in the past 24 months. SequoiaAT works with its customers as a true partner and offers the extra degree advantage to help them succeed in their goals. SequoiaAT has its engineering offices in Santa Clara, Chennai, & Trivandrum.

Visit www.sequoiaat.com for more information.


Town Hall hosted by Sequoia on Conventional Approaches to Unconventional Challenges

The event was moderated by Priya Samant, and the speakers were from different industries. The speaker list is included below.

Dr Frank-Jürgen Richter, Founder and Chairman, Horasis: The Global Visions Community.

Gopal Goswami, Research Scholar and Social Entrepreneur.

Arushi Nishank, Environmentalist, Entrepreneur and Acclaimed Kathak Dancer.

Madhur Bhandarkar, Acclaimed National Award Winning Filmmaker.

Brahmanand Singh, Director and 2 times National Award Winner.

Mehmood Ali, Founder, Don Cinema & Pen N Camera International.

Harshal Pradhan, Political Strategist.

Vikkas Chopra, Business Head for Films, Pen Studios.

Dr Christoph Nabzdyk, MD, Asst. Professor of Anesthesiology, Mayo Clinic School of Medicine.

Aju Kuriakose, CEO, Sequoia Applied Technologies.

Leena Pradhan-Nabzdyk, PhD, MBA, Assistant Professor of Surgery, Harvard Medical School.

The event was made possible only because of Virendra Rawat – CEO Green Mentors and Geo Murickan – CEO Transfinnovation.

SequoiaAT in 10 Best IoT Solutions Providers of 2019

SequoiaAT is pleased to announce that it is on the list of the CIO Bulletin’s 10 Best IoT Solution Providers for 2019. Speaking on the occasion, the COO of the company, KR Gopinath, says, “I am glad that they recognized what we do here in Sequoia. Our team’s outside the box thinking and persistence for making our customers’ products better is why we were recognized by the CIO Bulletin.”

SequoiaAT currently has two development centers, in Santa Clara (USA) and Trivandrum (India). SequoiaAT is planning to expand its development offices in Santa Clara (USA) and to set up a new office in Kochi (India).

Working with passion is the internal theme at Sequoia. And this recognition is a proof of what every Sequoiaan believes in. Ram Mohan (Director) says that “At SequoiaAT the quality starts by ensuring that we hire for our culture. We hire only individuals who are extremely passionate about their work. This enables us to go beyond our customer expectations.”

SequoiaAT was previously named in the Top 100 Tech companies founded by Indians in Silicon India Magazine.

The complete article in CIO Bulletin can be found at this link.

How AI is changing healthcare

AI in Healthcare

AI is the next big wave, one that will change the world as we know it for generations to come. AI has attracted over $17 billion in investments since 2009 and will add over 15 trillion to the world economy by 2030, as per estimates.

The term AI was coined in 1956, and the idea was contemplated even by ancient philosophers, but some of the early work in this space was done at Stanford University for treating blood infections. Until about the early 2000s, most of the work in AI was limited to universities like MIT, Stanford, Rutgers etc.


One of the domains which stands to benefit the most from AI is healthcare. The healthcare industry is advancing in discoveries daily as technology advances in major ways. We have done amazing things in the last few years and currently Artificial Intelligence has been dominating as the main point of interest. AI is being harnessed to increase longevity and health of the human race.

As an example, we all know that one problem with hospitals is wait times. In a hospital, doctors need to make every second count. With the help of AI, hospitals can assign beds to patients faster and more effectively. While this may seem like a useless task, it saves employees from having to do this job, and little by little, it saves a lot of time. At the Johns Hopkins Hospital, this has made it possible to see and predict future requests for beds, and even plan for future unavailability. As per the recent article in HBR, it decreased wait times, and even allowed them to accept over 50% more new patients from other hospitals. AI can also do the paperwork that takes doctors a significant amount of time, giving them more time to engage with their patients. Every second that AI saves is another second for doctors to save a life.

Besides preparation, AI directly uses Brain Computer Interfaces. These can be used to decode neural activity. Potentially they could be used to help the many people with ALS and strokes, as well as the half a million people yearly who have spinal cord injuries. Neurological problems have been extremely difficult, if not impossible, to solve. AI is helping in ways unimaginable 10 years ago. When AI is allowed to look at all the data from patients, it can notice patterns and analyze them in ways that would be humanly unachievable. AI will make sense of the data, allowing it to predict things that will happen to specific patients with incredible accuracy. AI could take all of the unstructured data and classify it, and this is especially useful as we are expected to double medical data every 73 days from 2020, according to IBM.

Even selfies can be used to find diseases. An algorithm can find the subject’s facial features and predict facial feature abnormalities. From just a few pictures, the AI can analyze things that we would otherwise need expensive equipment and preparation to find out. AI combined with expensive tools such as x-rays and MRI scans can find out all problems instantaneously. AI is highly useful in predicting patterns. This can be used to predict problems and also patient recovery time. With the right data sets, AI will be able to foresee conditions like seizures and sepsis.

At SequoiaAT we have started taking small steps towards AI in medicine by collaborating with companies in life-sciences and medical domains. We have been working with them on solutions which further this goal.

AI will do everything that humans can do in a fraction of the time, in all helping and curing more people. AI will save unbelievable amounts of money, and even more time, making every second count.