When Heroku removed their free tier, many people started to ask questions about what they should do next. There were a number of options: pay Heroku but do things yourself, move somewhere else that is free but do it yourself, or pay someone to host Nightscout for you.
The idea of paying someone else to host Nightscout for you wasn’t new, but what that means for those running the services does raise some questions.
Firstly, in the US, the FDA considers this type of activity to be a class 2 medical device. In Europe, depending on what’s being offered as part of the service, it may or may not be a medical device, and it may then fall under different categories.
So let’s start with some definitions for the European viewpoint. According to the Johner Institute, interpreting the EU Medical Device Regulations:
“Medical Device” means an instrument, apparatus, device, software, implant, reagent, material or other item which, according to the manufacturer, is intended for humans and, alone or in combination, is intended to fulfill one or more of the following specific medical purposes:
— diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease,
— Diagnosing, monitoring, treating, alleviating or compensating for injuries or disabilities,
— examination, replacement or modification of the anatomy or of a physiological or pathological process or condition,
— Obtaining information from the in vitro analysis of samples taken from the human body, including from donated organs, blood and tissue
and whose intended main effect in or on the human body is neither achieved by pharmacological or immunological means nor metabolically, but whose mode of action can be supported by such means.
So if we consider what Nightscout does when built, which is to act as software intended for the monitoring of diabetes, it seems to fall squarely into the definition of a medical device. Even more so if Nightscout is used as the mechanism by which remote treatment can be administered.
As has been looked at many times, if you build it yourself from the source, then it’s hard to consider it, in its “product” form, as something that anyone other than you is responsible for, and you, as an individual, bear the risks of using what is defined as experimental software which should not be used for medical purposes.
This all seems reasonable.
But what happens when someone else builds it and runs it as a service?
That’s quite a paradigm shift, and one that anyone running a “Nightscout as a service”, or “NAAS” model needs to consider.
It can’t be coincidence that CamAPS is willing to partner with multiple monitoring services, as long as they have the appropriate certification.
Nightscout as a service
We’ve already established that Nightscout run by a third party is a medical device run by a third party, but what does that mean in terms of regulation and the legal situation?
I’m not a lawyer, so I’m taking the EU Medical Device Regulations and figuring out how they might work in this case.
Firstly, Nightscout (or anything else that’s currently part of the “WeAreNotWaiting” stable) is code that’s released into the open that you individually build. In that case, as per a comment by one European regulator, it’s not a medical device.
As soon as you build it and offer it to others, it becomes a medical device and you become its distributor. That causes two issues. The first is that it is not a licensed device under MDR. The second is that you are distributing something that is an unlicensed device. That is two breaches of the regulations, and it’s up to the local regulator as to how they deal with this.
Some jurisdictions take a harsher view than others.
And if you allow remote treatment of an AID device? That’s then more of a risk, as you’re dealing not only in the display of data but also in the delivery of drugs, which leaves the owner with an additional risk.
If, for some reason, your platform delivers multiple doses of insulin and that results in hospitalisation, then there’s an additional legislative risk associated with that.
It’s also why the regulators demand that there are clear development and testing processes in place for approved medical devices and that there’s a person who is responsible for it.
So what are you saying?
Anyone considering using a NAAS service needs to consider all of the above.
Someone providing this type of service and not in discussion with their regulator is potentially causing concerns for both them and their users.
Not least of which is that a regulator may find out and shut down the service with zero notice.
It should also remind people why development and testing cycles exist in software platforms, and why they matter to the WeAreNotWaiting world.
At the very least, you need to ask any provider you consider using how they deal with development and testing and whether they’re in dialogue with their regulator.
Strong answers in both these spaces will help to alleviate concerns that a service might just disappear overnight.