
Welcome to the sDHT Adoption Library, featuring NaVi
NaVi is a closed-environment AI research assistant that leverages a carefully curated library of more than 300 vetted documents, including FDA guidance and industry best practices. NaVi helps you search and explore content across the sDHT Adoption Library and Roadmap using natural language questions.
The Library is intended to serve as a living resource. Content is added periodically as new guidance, standards, and peer-reviewed research are released.
Meet NaVi: Your AI-Powered Research Assistant
Library scope and selection
To ensure high-quality, relevant results, the Library follows a predefined scoping approach:
- Inclusions: FDA guidance, non-commercial standards, and peer-reviewed research (2018–Present) focused on sDHTs being used as measurement tools for medical products in U.S.-based clinical trials.
- Exclusions: Materials from single commercial entities, non-U.S. regulatory bodies (except select EMA guidances with direct U.S. cross-relevance), and conference proceedings.
Inclusion in the Library does not imply endorsement, completeness, or regulatory acceptability.
Library scope
Resources in the sDHT Adoption Library are identified using a predefined scoping approach and include publicly available FDA guidance, non-commercial standards and guidance, and peer-reviewed research relevant to sDHT use in U.S.-based clinical trials. Materials from single commercial entities, non-U.S. regulatory bodies, conference proceedings, and studies conducted exclusively outside the United States are excluded; inclusion does not imply endorsement or regulatory acceptability.
Last updated 2026: Library content is reviewed and updated on a periodic basis as new eligible materials become available.
Advancing the use of sensor-based digital health technologies (sDHTs) for mental health research and clinical practice
The most promising aspects of mental health for digital measurement are sleep, physical activity, stress, and social behavior, which have the strongest scientific evidence. Core barriers to adoption include high cost and limited access, data privacy concerns, poor technological literacy, and a lack of technology adaptation for specific mental health needs. Essential technology characteristics for "fit-for-purpose" sDHTs include usability, reliable performance, strong data privacy and security, and long battery life.
Recommendations
Research and development should prioritize moving promising measures (sleep, activity, stress, social behavior) to large-scale clinical trials. Algorithms must be refined and clinically validated for mental health indications, and new sensor modalities should be explored. Infrastructure must be developed by creating standards and ontologies for mental health sensor data to ensure interoperability and scalability. To improve access and equity, financial support mechanisms and inclusive, culturally tailored design are critical.
Regulatory Considerations
The report does not provide a separate section for "Regulatory Considerations" but emphasizes that future development and funding should prioritize clinical validation across diverse populations. It notes the importance of a clear understanding of the intended measurement claims and the need for rigorous validation studies to move beyond pilot and feasibility stages to demonstrate real-world clinical utility.
Some summaries are generated with the help of a large language model; always view the linked primary source of a resource you are interested in.
Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations
AI-enabled medical devices require robust risk assessment to address data drift, bias, and transparency challenges.
The total product lifecycle (TPLC) approach is essential for managing AI-enabled devices, ensuring continuous oversight and updates.
There is a need for improved standardization in AI model validation and performance monitoring to ensure consistency in regulatory submissions.
Effective data management practices, including dataset representativeness and bias control, are critical for AI model development.
Cybersecurity vulnerabilities in AI-enabled medical devices must be proactively addressed to prevent risks to patient safety and data integrity.
Recommendations
AI-enabled device manufacturers should integrate Good Machine Learning Practice (GMLP) principles throughout the device lifecycle.
Marketing submissions should include comprehensive documentation of AI model development, validation, and performance monitoring.
Developers should implement transparency measures, such as model interpretability and explainability, to enhance user trust and understanding.
AI models must undergo rigorous bias evaluation to ensure equitable performance across diverse patient populations.
A predetermined change control plan (PCCP) should be established to allow safe and effective AI model updates post-market without additional FDA submissions.
Regulatory Considerations
FDA encourages early engagement through the Q-Submission Program for AI-enabled device manufacturers.
Compliance with FDA-recognized consensus standards, such as ANSI/AAMI/ISO 14971 for risk management, is recommended.
AI-enabled devices must meet labeling requirements, ensuring that users clearly understand model inputs, outputs, and performance metrics.
Post-market surveillance and continuous monitoring of AI model performance are necessary to ensure ongoing safety and effectiveness.
Cybersecurity measures must be included in regulatory submissions, detailing safeguards against data breaches and unauthorized model modifications.
Collaborative Communities: Addressing Health Care Challenges Together
Collaborative Communities are sustained, multi-stakeholder forums (including patients, industry, academia, and the FDA) dedicated to solving shared challenges in the medical device ecosystem. These communities are not intended to replace formal regulatory mechanisms. They are equipped to perform activities such as:
- Developing best practices and strategies.
- Generating and evaluating evidence to support novel approaches.
- Clarifying ill-defined challenges and generating consensus on definitions.
- Addressing issues related to product quality and safety.
Recommendations
The FDA/CDRH does not establish or fund these communities. Instead, the FDA recommends that interested stakeholders convene and lead these groups. The FDA reviews opportunities on a case-by-case basis for participation, considering:
- The community's potential public health impact.
- Alignment with the CDRH mission, priorities, and resources.
- The existence of a formal governance structure, a convener, a plan to measure success, and a mechanism for sustained engagement.
Regulatory Considerations
The FDA's participation in these communities is a strategic priority for advancing regulatory science and fostering responsible medical device innovation. Examples of digital health-related collaborations include those focused on AI/ML, Digital Biomarkers, Digital Health Technologies (DHTs), and Real-World Data (RWD). The outcomes developed by these groups can inform and accelerate the development of science-based solutions to policy and scientific challenges.
Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)
Cybersecurity is an integral part of medical device safety and effectiveness, and manufacturers are responsible for addressing it throughout the entire device lifecycle. The FDA considers a device's cybersecurity as part of its benefit-risk assessment for both premarket and postmarket activities. A lack of robust cybersecurity controls can lead to patient harm, compromised device functionality, and breaches of data privacy. The dynamic nature of cybersecurity threats requires ongoing monitoring, risk management, and timely implementation of mitigation strategies.
Recommendations
Manufacturers should build cybersecurity into devices from the design phase ("secure by design") and conduct a thorough risk analysis to identify and mitigate potential vulnerabilities. Premarket submissions should include comprehensive documentation of the device's cybersecurity controls, a risk management plan, and a plan for postmarket surveillance and response. Manufacturers should establish a robust postmarket surveillance program to monitor for, identify, and address new cybersecurity threats in a timely manner. Clear and informative labeling is essential to help users understand and manage cybersecurity risks.
Regulatory Considerations
The FDA has the authority to take action against devices with inadequate cybersecurity that pose a risk to public health. The agency recommends that manufacturers use the Q-submission process to discuss specific cybersecurity questions related to their device submissions. Compliance with recognized standards and best practices for cybersecurity is strongly encouraged. Manufacturers must report certain cybersecurity incidents to the FDA as part of their postmarket reporting requirements. The FDA collaborates with other government agencies and stakeholders to promote a coordinated approach to medical device cybersecurity.
Digital Health Center of Excellence
The DHCoE works to strategically advance science and evidence for digital health technologies (DHTs).
Key areas of focus include Artificial Intelligence / Machine Learning (AI/ML) in Software as a Medical Device (SaMD), Cybersecurity, Augmented Reality (AR) and Virtual Reality (VR), and Wireless Medical Devices.
The DHCoE develops and publishes Guidances with Digital Health Content and maintains a Digital Health Policy Navigator to provide clarity on regulatory policies.
Digital health technologies are acknowledged as having the potential to facilitate decentralized clinical trial activities and allow for continuous or frequent measurements of clinical features remotely.
Programs and initiatives include the Software Precertification (Pre-Cert) Pilot Program, the Regulatory Accelerator, and the Diagnostic Data Program.
The center is also involved in international harmonization on device regulatory policy and standards.
Recommendations
The DHCoE recommends that stakeholders, including sponsors and DHT manufacturers, engage with the agency early to discuss the use of DHTs in drug development or for decentralized clinical trials (DCTs).
Stakeholders are encouraged to use the Digital Health Policy Navigator tool to assess whether a particular software function meets the device definition and is the focus of FDA oversight.
The DHCoE emphasizes the need for a patient-centered approach for AI/ML-enabled devices that considers issues like usability, equity, trust, and accountability, and promotes transparency.
Regulatory Considerations
The DHCoE's work includes innovating the regulatory paradigm for digital health, moving towards models that may include shifting scrutiny from the pre-market to the post-market phase and focusing on the capability of firms (Software Pre-Cert Pilot Program).
The FDA has committed, as part of PDUFA VII, to activities such as publishing a Framework for the Use of DHTs in Drug and Biological Product Development and establishing a DHT Steering Committee.
The center provides information to help determine the regulatory status of various digital health products, such as Software as a medical device (SaMD), mobile medical applications (MMA), and General Wellness products.
Submissions for products with device software functions must include recommended documentation for the FDA's evaluation of safety and effectiveness.
For questions regarding upcoming premarket submissions, stakeholders are directed to contact the appropriate review division through a Q-submission.
Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations Questions and Answers
FDA considers electronic records and signatures to be equivalent to paper records and handwritten signatures when they meet the requirements of 21 CFR part 11. Advances in technology, including Digital Health Technologies (DHTs) and cloud computing, necessitate updated guidance on ensuring the authenticity, integrity, and confidentiality of electronic data in clinical investigations. Records submitted to the FDA under predicate rules (e.g., marketing applications) are subject to part 11. FDA does not intend to assess the compliance of external Real-World Data (RWD) sources like Electronic Health Record (EHR) systems with part 11, but the sponsor remains responsible for the quality and integrity of all submitted data.
Recommendations
Risk-Based Validation: Regulated entities should use a risk-based approach to validation for all electronic systems deployed, proportionate to the risks to participant safety and reliability of trial results. Validation must cover system functionality, trial-specific configurations, customizations, and interoperability.
Data Retention & Audit Trails: Electronic records must be retained for the applicable period in a secure and traceable manner. Audit trails must capture all changes (old/new value, user ID, date/time) and should be protected from modification.
Security & Access Controls: Logical and physical access controls (e.g., strong login credentials, multi-factor authentication) must limit system access to authorized users based on a documented risk assessment. Security safeguards (e.g., encryption, antivirus) must be in place to protect data at rest and in transit.
DHT Use: DHTs should be selected and validated to be fit for purpose. The data originator (person, system, or DHT itself) must be associated with every data element as part of the audit trail. The final location of source data for inspection is the durable electronic data repository, not the individual DHT.
Outsourcing: Regulated entities must have a written agreement with IT service providers (including for cloud computing) detailing roles, responsibilities, and the service provider's ability to provide data integrity and security safeguards. The sponsor must maintain oversight.
Regulatory Considerations
FDA does not certify electronic systems or signature methods; they are evaluated during inspection. Users of electronic signatures must submit a letter of non-repudiation to the FDA certifying that the electronic signature is the legally binding equivalent of a handwritten signature. Security breaches impacting participant safety or privacy should be reported to the IRB and FDA in a timely manner.
Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers
The FDA considers electronic records and signatures equivalent to their paper counterparts when they meet the requirements of 21 CFR Part 11. Due to technological advances, electronic systems and digital health technologies (DHTs) are now integral to clinical trials, requiring a modern, risk-based approach to ensure data integrity. Sponsors remain ultimately responsible for the quality and integrity of all data submitted, even when using third-party IT service providers or data from real-world sources like EHRs. The authenticity, integrity, and confidentiality of electronic data are paramount and must be maintained through robust system controls throughout the data lifecycle.
Recommendations
Regulated entities should use a justified and documented risk-based approach to validate all electronic systems before and during a clinical trial, with the level of validation depending on the system's potential to impact participant safety and trial result reliability. Secure, computer-generated, time-stamped audit trails must be implemented to track the creation, modification, and deletion of all electronic records without obscuring original data. Robust logical and physical access controls are necessary to limit system access to authorized individuals. Entities should have written agreements with IT service providers that clearly define roles, responsibilities, and procedures for ensuring data security and long-term retention.
Regulatory Considerations
The requirements of 21 CFR Part 11 apply to all electronic records created, modified, or submitted to the FDA under predicate rules for clinical investigations, including those from foreign sites under an IND or IDE. While the FDA does not intend to assess the Part 11 compliance of external source systems like EHRs, data becomes subject to these regulations once transferred into the sponsor's electronic system. During inspections, the FDA will focus on system validation, data handling procedures, security protocols, audit trails, and documentation of sponsor oversight. Users must certify to the FDA that their electronic signatures are the legally binding equivalent of handwritten signatures.
The Digital Platform and Its Emerging Role in Decentralized Clinical Trials
Decentralized Clinical Trials (DCTs), which shift activities away from sites, rely heavily on technology to reduce participant burden and improve access to trials. Digital platforms are essential for this shift, providing centralized data capture, remote monitoring, and streamlined workflows. Benefits include allowing participants to be monitored remotely, which can improve self-management and clinical outcomes, and giving researchers better insight into the real-world variability of disease activity. Currently, commercial platforms are often limited in functionality and face major challenges due to a lack of interoperability and specific data standardization protocols for clinical trial platforms, making it difficult to integrate third-party modules.
Recommendations
The paper strongly recommends the adoption of unified, integrated, and DCT-specific digital platforms to fully realize the benefits of decentralization. Platform developers should adopt international standards for health data exchange, such as HL7 FHIR and CDISC standards (PRM, CDASH, ADaM), to address the lack of data standardization and improve interoperability and modularity. Platforms should incorporate features that enhance participant engagement and adherence, such as customization options, simple user interfaces (UIs), push notifications, gamification, and allowing access to participant data. Security and governance teams are paramount for managing risks associated with malware and lost devices, and for ensuring compliance with local legislation and data security protocols.
Regulatory Considerations
Digital platform design must maintain digital security and compliance with local legislation and data standards. The paper notes that a fully integrated, unified digital platform in a best-case scenario would use pre-existing standards (like CDISC and HL7) to guarantee interoperability. Adopting these standards and recommendations for data sharing, privacy, and security, as recommended by organizations like the Healthcare Information and Management Systems Society, is critical for future digital components used in DCTs. Improved data integrity and accountability in platforms could be further explored using technologies like blockchain to create an immutable ledger.
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Cybersecurity threats in healthcare are increasingly frequent and severe, posing risks to device safety and clinical care.
Many vulnerabilities arise from third-party software components and interconnected device ecosystems.
Legacy devices often lack adequate cybersecurity controls, leading to increased patient and organizational risks.
Cybersecurity risk management processes must integrate safety and security assessments throughout the device lifecycle.
Transparency in device cybersecurity is crucial for enabling safe integration and use by healthcare providers and end users.
Recommendations
Implement a Secure Product Development Framework (SPDF) for comprehensive cybersecurity throughout the product lifecycle.
Include a Software Bill of Materials (SBOM) for all premarket submissions to track software dependencies and vulnerabilities.
Perform robust cybersecurity testing, including penetration testing and vulnerability assessments.
Enhance device labeling with clear cybersecurity-related instructions and risks for users.
Develop a coordinated vulnerability disclosure plan for postmarket cybersecurity management.
Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulation requirements, including design controls and risk management.
Compliance with Section 524B of the FD&C Act for cybersecurity of cyber devices.
Submission of SBOMs and detailed security risk management reports for premarket applications.
Provision of cybersecurity information as part of device labeling to prevent misbranding under Section 502 of the FD&C Act.
Integration of security testing and validation as part of the FDA review process.
DTRA Best practices evaluation rubric
The DTRA Best Practice Evaluation Rubric uses five dimensions to determine if a DCT practice should be considered a "best practice":
- Evidence of Success: Requires measurable and demonstrable success using KPIs and tangible outcomes.
- Improving Patient Experience: Must address the needs of patients, caregivers, and therapeutic experts, demonstrating improved experience and engagement.
- Site Impact: Must consider the implications of adoption and the practical impact on site burden and working practices.
- Operational and Technical Feasibility: Ensures operational and technical aspects (including ongoing support, security, integrity, scaling, and reuse) have been fully considered when deploying new technologies.
- Regulatory & Ethical Compliance: Requires appropriate consideration of global and local regulations and guidance (e.g., ICH E6/E8, GDPR, HIPAA), including adherence to privacy, consent, and ethical safeguards.
Recommendations
A practice should demonstrate several key factors across the dimensions:
- Patient-Centricity: Reduce patient burden by offering the option to reduce physical visits and enable greater patient empowerment and access to information. It should strive to increase the diversity of recruited patients while mitigating bias toward technologically literate patients.
- Site Support: Achieve a net reduction in burden for sites, utilizing simple, intuitive technology with minimal, on-demand training. It must provide clarity of fiduciary responsibility and use technology to increase risk-based monitoring without sacrificing data integrity.
- Technical Rigor: Have a clear problem statement and a thoroughly defined strategy to mitigate operational and technical risks. It should take a holistic approach and ensure the solution is fit for use for the specific patient population, aligning with data privacy and security standards.
Regulatory Considerations
Practices must ensure compliance with both global and local regulations and Health Authority guidance. Explicit attention must be given to aligning with ICH E6 (Good Clinical Practice) and privacy laws like GDPR and HIPAA. The design must protect stakeholders providing sensitive or personal data with safeguards to ensure ethical safety.
Sensor Data Integrations
Sensor-generated health data must be collected in a way that ensures completeness, contextual metadata, and fit-for-purpose accuracy to support clinical applications.
Data security and privacy regulations vary globally, necessitating the implementation of adaptable frameworks such as the FAIR data principles and cybersecurity best practices.
Standardized data transmission and processing protocols are required to ensure interoperability across digital health platforms and prevent data loss or corruption.
Validation frameworks, such as DiMe’s V3 (Verification, Analytical Validation, and Clinical Validation), are essential to confirm the reliability of digital clinical measures.
Equity and accessibility considerations must be prioritized, ensuring that digital health solutions work across diverse populations and healthcare settings.
Recommendations
Digital health developers should follow standardized methodologies for data collection, leveraging frameworks such as the EVIDENCE checklist and DiMe’s V3 validation process.
Privacy-by-design principles should be embedded into sensor-based data systems to comply with HIPAA, GDPR, and emerging digital health privacy regulations.
Data processing workflows must be transparent, well-documented, and validated to ensure consistent, unbiased, and reproducible results in clinical applications.
Organizations should adopt cybersecurity best practices, including end-to-end encryption, authentication protocols, and risk mitigation strategies, to protect sensor data.
Sensor data integration strategies should be aligned with industry standards and open-source protocols to promote interoperability and scalability in healthcare ecosystems.
Regulatory Considerations
Regulatory agencies such as the FDA encourage the use of validated digital biomarkers and structured sensor data processing methodologies to support regulatory submissions.
Sensor data privacy policies must comply with local and international regulations, requiring clear user agreements, informed consent, and transparent data governance.
Secure data transmission protocols must be implemented to prevent unauthorized access, aligning with industry standards for encryption, authentication, and network security.
Organizations deploying sensor-based health technologies should conduct risk assessments and audits to ensure compliance with evolving regulatory requirements for AI and digital health.
Global harmonization of data security and transmission standards is necessary to support cross-border data exchange, facilitating regulatory approval and market access for digital health innovations.
Developing a Digital Solution for Remote Assessment in Multiple Sclerosis: From Concept to Software as a Medical Device
The MS digital health space is still largely uncharted.
Balancing the needs and desires of different users when creating a digital solution is challenging.
Insufficient adherence to remote digital health solutions presents a challenge to long-term engagement.
Creating a digital solution that is both meaningful to end users and aligned with regulatory standards involves challenges and compromises.
Recommendations
Employ an iterative development process to continually refine digital health solutions.
Collaborate closely with healthcare professionals and patients throughout the design process.
Use behavioral science strategies to enhance user engagement and adherence.
Ensure that digital solutions are scientifically robust and meet regulatory standards.
Implement a prescription-based model to improve adherence and integration into clinical practice.
Regulatory Considerations
Conduct technical verification and clinical validation for each assessment in digital health solutions.
Ensure data privacy and cybersecurity measures are robust and comply with local regulations.
Maintain ongoing post-marketing surveillance to monitor safety and effectiveness.
Adapt solutions to meet diverse regulatory requirements across different geographies.