
You arrive in hospital with chest pain and are quickly connected to a machine that checks the electrical activity of your heart.
Its built-in software analyses your heartbeat and signals a possible heart attack, prompting doctors to act fast. But what if the system got it wrong?
That is one of the concerns driving new rules from the Pharmacy and Poisons Board (PPB), which now require makers of medical device software to prove the software is safe and accurate before it is allowed into the Kenyan market.
The PPB says one wrong algorithm can mean the difference between life and death. The Guideline on Regulation of Medical Device Software in Kenya (MDSW) was published last week.
Dr Paulyne Wairimu, the Medical Devices and Diagnostics Lead at the PPB, told the Star that the guideline will help Kenya keep abreast of ever-evolving technological advancements in health.
“We will require software engineers to register to ensure their software works properly and interprets the correct clinical data. So that the public gets access to quality services,” she explained.
The board is especially focused on the growing use of artificial intelligence in medical devices.
AI in software learns from large amounts of medical data to detect patterns and make fast predictions, such as identifying heart problems from an electrocardiogram (ECG) or cancer from scans.
The PPB is now asking software developers to train their AI models on Kenyan data to ensure accuracy.
“Ethical considerations, such as biases in AI systems, patient consent and data protection, must be addressed,” the guideline says, warning that biased or poorly trained systems could lead to incorrect or unfair outcomes.
In some ways, these models act like digital doctors by giving medical advice or alerts, meaning their decisions can directly affect a patient’s treatment.
“We are bringing cutting-edge technology closer to the public. But because these software components carry risks, AI-powered tools need to have data that speaks to the Kenyan population and is trained on the Kenyan population,” said Dr Wairimu, who is also chairperson of the Africa Medical Devices Forum.
The guidelines will regulate software embedded in machines (SIMD), including the firmware powering devices such as CT scanners and ECG monitors.
They will also regulate software as a medical device (SAMD), such as apps that analyse medical images from MRI and CT scans to detect breast cancer.
However, the new rules will not affect most health apps downloaded from the internet, such as exercise, sleep, weight loss and nutrition apps.
Wairimu said the guidelines will ensure all health-related software adheres to Kenyan laws, including the Kenya AI Strategy 2025–30, the Data Protection Act, and the Digital Health Act.
She said developers must demonstrate that data collected will be stored within Kenya and not shared with third parties.
“We have the capacity to conduct the verification. We have hired new expertise and are adding more capacity. We are hiring new staff with technical expertise,” Wairimu explained.
The guidelines mark a departure from earlier regulatory approaches in Kenya, where software was only broadly covered under general medical device rules, with limited specific guidance.
Now, software is being treated as a medical device in its own right.
The guidelines also introduce a lifecycle approach, meaning regulation does not end at approval. Instead, developers must continue monitoring their products after deployment.
This is particularly important because, unlike traditional devices, software can be updated frequently or even learn and adapt over time.
Kenya’s new rules align closely with international standards, particularly those developed by the International Medical Device Regulators Forum, which guides regulators worldwide on software used in healthcare.
The document acknowledges this alignment: “The International Medical Device Regulators Forum (IMDRF) framework on Software as a Medical Device (SaMD) will guide the implementation.”
Global regulators in regions such as the United States and the European Union have tightened oversight of medical software, especially with the rise of artificial intelligence tools.
The guideline adopts a risk-based approach, meaning the level of scrutiny depends on how dangerous the software could be if it fails.
It states, “Risk-based approach – regulatory oversight should be proportional to the risk level of the MDSW.”
This ensures high-risk software, such as diagnostic tools, faces stricter requirements than low-risk applications.
Another critical area addressed is cybersecurity.
The document recognises that digital systems are vulnerable to hacking and data breaches, which can have direct consequences for patient safety.
It calls for cybersecurity governance and safeguards commensurate with the intended use of the MDSW and the potential risk it poses to patients.
While the new rules are expected to improve patient safety, they may also present challenges. Developers, especially smaller start-ups, may face higher costs and longer timelines as they work to meet requirements for clinical evaluation, documentation, and ongoing monitoring.