
AI Approval Set to Accelerate: Highlights from the NMPA-Sponsored AI Medical Device Innovation Promotion Conference

Jul 18, 2019 08:00 CST Updated 08:00
SHUKUN


Just half a month after the official release of the “Key Points for Approval of Medical Device Software Assisted by Deep Learning” to AI companies, the National Medical Products Administration has once again taken significant steps in the approval of AI-based medical devices.


On July 17, the Artificial Intelligence Medical Device Innovation Promotion Conference was held in Beijing, jointly organized by the Center for Medical Device Evaluation of the National Medical Products Administration (NMPA), the National Computer Network and Information Security Management Center of the Cyberspace Administration of China, the China Academy of Information and Communications Technology, the International Exchange and Cooperation Center of the National Health Commission, the China National Center for Biotechnology Development, the Chinese Society for Biomedical Engineering, the Chinese People's Liberation Army General Hospital, Peking Union Medical College Hospital of the Chinese Academy of Medical Sciences, West China Hospital of Sichuan University, Shanghai Shenkang Hospital Development Center, Tsinghua University, Zhejiang University, Sichuan University, and South China University of Technology. Jiao Hong, Commissioner of the NMPA; Xu Jinghe, Deputy Commissioner of the NMPA; Sun Lei, Director of the Center for Medical Device Evaluation of the NMPA; Deng Gang, Deputy Director of the Center for Medical Device Evaluation of the NMPA; and Zhang Feng, Member of the Leading Party Members Group and Chief Engineer of the Ministry of Industry and Information Technology, all attended the conference.


At the conference, the AI Medical Device Innovation Collaboration Platform was officially established. With the vision of building an open, collaborative, and shared innovation ecosystem for AI-enabled medical devices, the platform aims to serve scientific regulation, technological innovation, and product commercialization, and will make every effort to accelerate the approval of AI-based medical products.


Here, VCBeat has summarized selected content from the conference to help medical AI professionals clarify the National Medical Products Administration’s (NMPA) approval rationale and key considerations. The content primarily covers the following three aspects:


Establishment of a Multi-Stakeholder Platform for Industry-Academia-Research Collaboration


The AI Medical Device Innovation Collaboration Platform is jointly established by public institutions under central state organs, professional societies, medical institutions, and universities. The Management Committee oversees ten initial working groups, each of which is managed by different participating institutions.

 

[Figure: Platform Architecture]

 

As shown in the figure above, the Center for Medical Device Evaluation (CMDE) concurrently serves as the lead for the three most critical working groups in the approval process of medical AI products: technical regulations, standardization research, and clinical evaluation. The important working group on the construction of assessment databases is primarily led by the Shanghai Shenkang Hospital Development Center. Meanwhile, the security issues highlighted in this meeting are under the responsibility of the National Computer Network and Information Security Management Center of the Cyberspace Administration of China.

 

[Figure: Functional Distribution of Working Groups]


From the functional distribution of the 10 working groups, it is evident that this conference was meticulously planned. The innovation platform not only incorporated common assessment criteria such as clinical approval, data standardization, and cybersecurity, but also established parallel working groups to address non-governmental functions, including AI talent development and international AI regulatory exchange.

 

Furthermore, there are as many as three working groups dedicated to database-related tasks, conducting independent research on laboratory test databases, real-world data, and data verification, respectively. This sufficiently demonstrates the Center for Medical Device Evaluation’s emphasis on data, a core element of AI, and may indicate that data will become a key constraint on the development of artificial intelligence enterprises.

 

Data Security Becomes a Key Focus for AI


Zou Xiaoxiang from the Security Center of the Cyberspace Administration of China (CAC) delivered a keynote speech on data security at the conference. She stated, “Under the guidance of the Center for Medical Device Evaluation (CMDE), and in accordance with documents such as the CMDE’s ‘Technical Review Guidelines for Cybersecurity Registration of Medical Devices’ and the FDA’s ‘Pre-market Guidance Principles for Cybersecurity Management of Medical Devices,’ and leveraging technical support from the CAC Security Center, China has completed three major cybersecurity assessments for medical devices.” These initiatives include:


1. Developed 20 test cases for cybersecurity standards;

2. Conducted security assessments on 15 products from eight leading domestic and international manufacturers;

3. Issued 15 security assessment reports.

 

During the cybersecurity assessment of medical devices, the Cyberspace Administration of China’s Security Center identified that many medical devices harbor significant security vulnerabilities that cannot be promptly remediated; manufacturers failed to incorporate adequate security considerations into their product designs; and enhancing security requires cooperation from healthcare institutions such as hospitals.

 

Most medical device manufacturers in the preliminary assessment failed to address confidentiality issues during health data transmission, resulting in the Cyberspace Administration of China’s Security Center capturing large volumes of plaintext health data during testing.

 

[Figure: Capture Status Screenshot]


Regarding this issue, Zou Xiaoxiang stated, “Healthcare institutions should encrypt sensitive data during data transmission operations such as archiving and backup, especially when transmitting sensitive data over the public internet; otherwise, it may lead to the leakage of medical and health data.”

 

The smart healthcare cloud is another hotspot for security issues. As this platform propels closed and isolated medical institutions toward an open and interconnected environment, it also faces more severe security challenges.

 

Statistics show that in 2018 alone, more than ten data breach incidents involving over 100,000 records occurred worldwide: Oklahoma State University Medical Center was hacked, resulting in the leakage of medical billing information for nearly 280,000 patients; LifeBridge Health suffered a malware attack, leading to the exposure of personal information for approximately 500,000 patients accumulated over more than a year; Singapore’s government health database was hacked, causing the leak of data for 1.5 million patients; UnityPoint Health fell victim to a phishing attack, resulting in the breach of 1.4 million patient records; and Augusta University Medical Center in the United States was targeted by a phishing attack, leading to the leakage of 417,000 records...

 

The occurrence of numerous incidents has sufficiently demonstrated the importance of cybersecurity. The cybersecurity protection capabilities of hospitals within medical consortia vary significantly; if even a single medical institution is breached, the entire system faces the risk of data leakage. Therefore, Zou Xiaoxiang compares the cybersecurity of medical consortia to a wooden bucket, noting that “a breach at one point leads to total failure.”

 

Currently, there are 657 smart healthcare cloud platforms across China, with over 200 located in Beijing; approximately 100 each in Guangdong and Zhejiang; nearly 70 in Shanghai; and close to 50 in Shandong. These four regions are the primary hubs where the information technology industry has taken root.

 

The Cyberspace Administration of China’s Security Center conducted spot checks on 79 entities. The results showed that 57 platforms had high-risk vulnerabilities, 13 platforms had medium-risk vulnerabilities, and 89% of medical institutions faced relatively serious security risks.

 

Hackers can exploit these vulnerabilities to infiltrate and attack systems such as PACS, HIS, and case management systems, severely disrupting normal platform operations; they may alter or delete patient consultation information, thereby delaying treatment; remotely control the dosage of therapeutic agents administered to patients, which could potentially result in patient death; and steal patient treatment records, genetic data, and other sensitive information, leading to breaches of citizen privacy.

 

Therefore, Zou Xiaoxiang put forward the following suggestions regarding the many issues in cybersecurity.

 

1
On Standards, Specifications, and Testing & Certification


1. Research cybersecurity-related standards and actionable evaluation specifications and methods for AI-based medical devices, study relevant standard specifications, and construct a cybersecurity testing technology system.


2. For critical systems and key equipment adopted in the healthcare sector, routine network access security testing and certification should be implemented, and comprehensive cybersecurity audits should be conducted when necessary to fully assess their security status.


3. Establish a unified cybersecurity threat intelligence repository for the healthcare industry and the China National Vulnerability Database (CNVD) through security testing and certification.

 

2
On Safety Inspections and Risk Assessments


1. Pre-launch Risk Assessment: Medical devices requiring internet connectivity (external) or network integration (internal) must possess necessary cybersecurity risk prevention and control capabilities. It is recommended that industry regulatory authorities uniformly organize or authorize pre-launch risk assessments focused on their security protection measures.


2. Safety Inspections During Operation: For medical devices that are connected to external networks or integrated into internal networks, it is recommended that industry regulatory authorities uniformly organize or authorize irregular remote surprise inspections or on-site inspections to comprehensively assess the overall safety status of medical devices nationwide.

 

[Figure: Assessment Criteria]

 

3
On Situational Awareness and Early Warning


1. Strengthening proactive cybersecurity discovery capabilities: By conducting detection and discovery of connected devices, components, and systems in cyberspace, we can identify medical devices and their components exposed to the internet at an early stage.


2. Strengthening Cybersecurity Monitoring and Early Warning Capabilities: By monitoring and analyzing medical communication traffic at key internet nodes, it is possible to promptly identify the current status of the cyberspace of medical devices and rapidly predict future development trends.

 

“‘Some prioritize development over security and construction over protection; some believe that closing their doors ensures greater security and are unwilling to pursue security in an open environment; some consider cybersecurity to be solely the responsibility of the central government or specialized departments, having nothing to do with themselves’—these views are all incorrect,” summarized Zou Xiaoxiang.

 

“To implement cybersecurity responsibilities for medical devices, industry participants and enterprises, as operators, shall assume primary responsibility for protection, while competent authorities shall fulfill their regulatory duties. Addressing the vulnerabilities exposed in the ‘cloud, pipeline, and endpoint’ architecture, a technical system for medical device security protection should be established through design considerations from the perspectives of medical devices and their accompanying software, as well as the security of smart cloud platform systems and applications, thereby comprehensively enhancing capabilities for health data protection and defense against security threats.”

 

A database comprising eight types of test samples, including lung CT, brain MRI, and coronary CTA, will be established, with the Shanghai Shenkang Hospital Development Center undertaking the construction work.


The future AI evaluation database will be developed by the Shanghai Shenkang Hospital Development Center. At the conference, He Ping, Director of the Medical Consortium Center at the Shanghai Shenkang Hospital Development Center, stated that the Shenkang Center would integrate clinical resources and align with the characteristics of AI-based medical device products to establish an evaluation database tailored for medical device regulatory review. The presentation comprised the following key points.

 

1
Database Development Direction


The establishment of a database is a prerequisite for the approval of artificial intelligence products. Previously, only two types of imaging data—pulmonary nodules and fundus images—were available, and the specific type of test database had not been defined. At this meeting, He Ping first outlined the pathway for database establishment from a macroscopic perspective, primarily encompassing the following three points.


1. Based on the Shenkang Medical Consortium Big Data, establish standards, regulatory management provisions, and ethical standards for a specialized “Review Technology and Professional Database for AI + Medical Imaging Systems” that can be efficiently utilized for artificial intelligence research and development.


2. Carry out demonstration applications to continuously improve and enhance the review technologies and professional databases for “AI + Medical Imaging Systems.”


3. On this basis, establish a “review technology and professional database for artificial intelligence + medical imaging systems” to lay the foundation for large-scale application and promotion across China.

 

2
Database Construction Model

 

After establishing the direction for database development, data selection becomes a more challenging issue. In this regard, He Ping proposed multiple requirements for test data selection and stated that enterprises could participate in a streamlined manner.


1. Authentic real-world medical data with data ownership, dynamic growth, and multi-center diversity. Specifically, this includes: comprehensive clinical data collected from 38 Grade A tertiary hospitals plus a dynamically growing directory of medical data from partner institutions; inherent compliance with requirements for multi-center, multi-device, and multi-modal data (multi-center); ensuring that future test data derives from diverse, authentic, and reliable sources (diversity); and medical data standards, types, and volume meeting the requirements of various data sampling methods (ultra-large sample size).

 

2. Strict Data Asset Control

Establish a medical big data management and control platform to better manage big data assets (standardization and specifications); improve data governance systems, standards, processes, and platforms (security and controllability).

 

3. Corporate Participation Model

Where the primary construction entity holds dominant authority over the project, enterprises may participate indirectly.

 

3
Construction Objectives


So, what specific work will the Shenkang Center undertake in the near future? He Ping summarized it into five points as “One, Two, Three, Four, Eight.”


"One" refers to one portal, namely the National Portal for Evaluation Services of AI-Based Medical Software;


"Two" refers to two platforms: the Medical Software Evaluation Data Middle Platform and the Medical Software Evaluation Service Platform;


"Three" refers to three data centers: the Full-Sample Big Data Center, the Annotated Data Center, and the Evaluation Data Center;


"Four" refers to a four-tier data quality governance framework: Standardization-Based Quality Control, Acquisition and Validation Quality Control, Data Integration Quality Control, and Data Development and Utilization;


"Eight" refers to a database of eight or more types of test samples, including lung CT, liver CT, fracture CT, brain MRI, cardiac MRI, coronary CTA, ECG, ophthalmology, etc.


In addition, the Shanghai Shenkang Hospital Development Center will establish multiple clinical evaluation and trial bases for medical software, including facilities affiliated with Shanghai Shenkang, the PLA General Hospital (301 Hospital), West China Hospital of Sichuan University, and Peking Union Medical College Hospital.

 

Meanwhile, the Shenkang Center will also establish a dedicated evaluation platform for artificial intelligence products, with its operational workflow illustrated in the figure below.


[Figure: operational workflow of the evaluation platform for artificial intelligence products]


4
Platform Service Model Description (Data Management)


Following database construction, how to utilize the database and ensure data security also became key focal points of this presentation, which can be summarized into four main aspects.


1. Build a “review technology and professional database for AI + medical imaging systems,” consolidate data catalogs from all parties, provide search engines and directory trees, integrate search results into final outcomes, and feed them back to users, who then collaborate with the hospitals that own the data based on the search results. The portal operator is responsible for ensuring security and compliance of the data catalogs across various entities and during the process of returning results externally.


2. Hospital Data Centers and Regional Data Centers: Jointly build a data governance and application platform to collaboratively govern and manage data, while providing services to meet the needs of clinical research, technology transfer, and artificial intelligence applications within each institution.


3. Hospital and regional data: The data remains within the institution; only a data catalog is provided to users for indexing via the management and control platform.


4. Hospital and regional data: Strict data governance is applied when analytical results are provided to users, to ensure data security.

 

5
Database Monitoring


In addition to database construction, data collection, and regulation formulation, the Shenkang Center has also established strict monitoring procedures, a point that has not been mentioned previously.


1. Resource Metering and Statistical Reports: Periodically generate metering reports for resources under each project, and display the resource usage and usage trends of each project through various statistical charts, enabling administrators to clearly view the total resource analysis and trend analysis for each project, thereby supporting business decision-making;

 

2. Resource Pool Capacity Analysis: Statistical analysis of capacity data for data centers and live network operational equipment based on load rate sustainability, device models, and load metrics to promptly identify underutilized idle devices, thereby improving resource utilization and reducing operational costs;

 

3. Periodic Reports: Compile statistics on user consumption of various resource types and the utilization status of each category, such as the total capacity and usage of CPU, memory, storage, and IP resources for the basic cloud platform and business systems. Generate reports periodically and automatically distribute them via email to designated addresses.

 

After introducing the functions of the Shenkang Center, He Ping summarized its work objectives into the following four points.


1. Under the guidance of the Center for Medical Device Evaluation of the National Medical Products Administration, the Shenkang Center, in collaboration with working groups and research teams, has firmly grasped the scientific judgment of the important period of strategic opportunity, adhered to promoting high-quality development, and accelerated the construction and development of medical artificial intelligence.


2. Fulfill the responsibilities of sub-project leader for data management within the AI medical device evaluation repository; establish an AI-based medical evaluation database; catalog, aggregate, and integrate clinical medical data; ensure data security and promote the utilization of medical data in the field of AI medical devices; and take the lead in developing a comprehensive set of data standards and management specifications.


3. Unlock the application scenarios and data required for the research, development, and deployment of medical AI; study and improve clinical research management and innovation systems; and gradually establish a platform for resource co-construction and sharing, business collaboration, and benefit sharing among value contributors in the future intelligent healthcare ecosystem.


4. Stimulate the innovation vitality of medical and research institutions, leverage global innovation resources, explore new models spanning from scientific research to clinical validation and then to technology commercialization, and cultivate the artificial intelligence healthcare and health technology industry.

 

Summary


The conference also addressed the development of a regulatory review guideline framework for AI-based medical devices. The presentations primarily focused on interpreting the “Key Points for Approval of Medical Device Software Assisted by Deep Learning in Decision-Making,” released by the Center for Medical Device Evaluation (CMDE) of the National Medical Products Administration (NMPA) on June 28. The document comprises five sections: scope of application, key considerations for approval, software updates, relevant technical considerations, and instructions for registration submission materials. VCBeat has already provided a comprehensive analysis in its article titled “NMPA Releases Key Approval Points for Medical AI Products: Are AI Companies Ready?” Therefore, further elaboration is omitted here.

 

Based on the entire conference content, VCBeat has distilled the highlights into the following six points:

 

1. Improvement of the System

From an external perspective, the previous approval system lacked transparency. While relevant functions were centralized within the Center for Medical Device Evaluation (CMDE), the specific division of responsibilities was difficult to discern from the outside. The emergence of this innovative collaboration platform has not only distributed the various functions involved in medical AI approval across different working groups but also assigned these groups to distinct institutions. Today, the entire process has become systematic, with clearly defined roles and responsibilities, which will significantly accelerate the approval of AI products.

 

2. Multi-party Participation

The operation of innovative collaboration platforms will no longer be independently led by public institutions under central state organs; instead, professional societies, medical institutions, and universities are increasingly joining these efforts. At the current stage, while medical AI cannot yet be considered mature, market demand remains strong. Therefore, the industry-academia-research collaboration model can both help meet market needs to a certain extent and enable continued in-depth research based on existing foundations.

 

3. Cloud Platform Security Issues

Cloud platform security issues have long been criticized, and the investigation by the Security Center of the Cyberspace Administration of China (CAC) has numerically demonstrated the real situation in the highly interconnected environment. Demand breeds innovation; to ensure the secure operation of medical consortia, the state will increase investment in hospital data security. This pain point may also give rise to a new cohort of market-leading giants.

 

4. Plan for Establishing a New Test Database

The conference proposed that the Shanghai Shenkang Center will aim to establish imaging test databases for CT of the lung, CT of the liver, CT for fractures, brain MRI, cardiac MRI, coronary CTA, electrocardiography (ECG), and ophthalmology. These eight categories encompass the majority of artificial intelligence products currently available on the market. This initiative clearly demonstrates the role of corporate advocacy in driving policy development. Meanwhile, the plan has bolstered physicians’ confidence in adopting these products, as the National Medical Products Administration (NMPA) has, to some extent, recognized their future potential. Finally, the establishment of these databases suggests that these products are more likely to receive regulatory approval ahead of others.

 

5. Clear Data Management System

In the remarks delivered by He Ping, Director of the Medical Alliance Center at the Shanghai Shenkang Hospital Development Center, we can see that the National Medical Products Administration (NMPA) has strictly stipulated regulations governing the flow of data among different medical institutions and regions, as well as the responsibilities of hospitals. This implies that previous gray-area tactics employed by certain hospitals and enterprises will be curbed. Naturally, stricter regulation means data will be harder to obtain; startups will need to incur higher costs and secure data through new forms of collaboration, while companies that have already trained mature algorithms may thereby establish significant barriers to entry.

 

6. Development of Risk Assessment Indicators

The regulatory review guideline framework for AI-based medical devices emphasizes criteria for false positives and false negatives. Currently, much of the data submitted by manufacturers lacks clear provenance, raising concerns regarding accuracy and sensitivity. The establishment of this framework may provide clear quality assessment metrics for AI products.

 

As evidenced by the six points above, the National Medical Products Administration (NMPA) has demonstrated strong resolve in advancing the approval of medical AI products; however, clinical evaluation remains a critical area requiring attention. The platform framework indicates that clinical evaluation continues to fall under the purview of the Center for Medical Device Evaluation (CMDE). In practice, however, enterprises still face significant challenges in completing clinical trial assessments.


The work of the Real-World Data Application Group may help companies navigate clinical trials, but it still requires enterprises to enhance AI’s capabilities in real-world settings. For AI to be successfully implemented in hospitals, this is an unavoidable hurdle that AI companies must overcome. Therefore, to achieve a breakthrough in the medical AI sector, companies must continue their exploration and innovation.