MDR and cloud – choose your provider with care

MDR will have a big impact on the eHealth market. Suddenly, software is being treated as a medical device. Here we look at how MDR affects your choice of cloud provider.
What you need to know about the impact of MDR on your providers

MDR (the Medical Device Regulation) is shaking up the eHealth market. Many eHealth apps will now become Class II or even Class III medical devices. As a result, you will need to get certification for your app. A key part of this is the need to comply with a suitable quality management system. Currently, this means ISO 13485. This will have major implications for your choice of providers. Read on for more about MDR and cloud.

What is ISO 13485?

Many of you will be familiar with ISO 13485, but for those who aren’t, here’s a brief summary. ISO 13485 is the overarching quality management standard for medical devices. Unlike ISO 9001, it places an emphasis on risk management throughout the product lifecycle. This means all the way from design and development through to traceability and post-production. Compliance with the standard requires you to document everything. ISO 13485 also makes quality management a specific management responsibility.

What are MDR requirements for suppliers?

Compliance with ISO 13485 requires you to ensure that all your providers are also compliant. More specifically, when using cloud for MDR (e.g. AWS), you have to ensure 4 things: verify they are suitable; check their QMS is suitable; ensure you will be notified of any service changes; and plan for provider failure.

For example, if you decide to use AWS you need to do the following:

  1. Check that AWS can provide the required service, including verifying their SLAs are suitable. In particular, you need to understand any risks that are not covered by the SLAs (e.g. do they guarantee your data won’t become corrupted?).
  2. Use the AWS ISO 9001 and ISO 27001 certification reports (not just the certificates). These allow you to verify that they have suitable procedures in place relating to managing software quality and mitigating security threats.
  3. Create an SOP which requires an employee to regularly check the AWS blog, product news pages, Twitter, etc. for any changes or updates and then check whether these affect you. This avoids the need to sign a separate quality assurance contract with AWS.
  4. Perform a risk analysis, which goes through scenarios in which AWS fails and how you will mitigate all these risks without.

What are my options for choosing a cloud provider?

The implications of the above are significant. In essence, you are left with three options when choosing an MDR cloud provider.

  • Use ISO 13485 certified providers. Then you know most of the above requirements are already met.
  • Sign a specific quality assurance contract with your provider to confirm that they deliver the specified product and will notify you of any changes. Larger providers are unlikely to do this for a small startup.
  • Create additional documentation and procedures to avoid the need for a separate QA contract. This includes the need to check for software changes, monitor outages, etc.

Let’s explore these options in more detail.

Using an ISO 13485 compliant supplier

This is far and away the cheapest, easiest and quickest solution for MDR and cloud. Because your supplier is compliant, they will have procedures for notifying you of updates, responding to any issues, documenting changes, etc. Effectively, by becoming certified themselves, the provider is proving to you (and your certification body) that their quality management procedures are suitable for a medical device.

QA contracts

Signing separate contracts with every supplier requires a lot of effort up front. Both your and your supplier’s lawyers will need to be involved, so it is expensive. You will need some process to verify that the contracts are being honoured. It also requires the supplier to put in place the required procedures to be able to notify you of changes and outages. The big issue here is that larger providers (e.g. Google Cloud, AWS and Microsoft Azure) are unlikely to want to sign such contracts with startups.

Documentation & Procedures

Putting in place suitable standard operating procedures is probably the most time-consuming and difficult approach. Not only do you need to document your process fully, but you also have to demonstrate that you are following the processes properly. This requires ongoing time and effort and will lead to a lot of documentation.

How can help?

makes it easy for you to build eHealth applications that are compliant with the stringent requirements of HIPAA and GDPR. We are the first (and only) ISO 13485 certified DBaaS supplier, and are acknowledged experts in the eHealth market. – your trusted supplier for MDR and cloud!

We already have all the procedures in place to notify you about changes to our product, service outages and the like. Our service is also designed to be turn-key. You can build a compliant app within minutes using our straightforward API.
