Kenya Introduces Tough New Controls on Medical Software and AI Health Tools

By Samwel Doe Ouma

Dr Ahmed Mohamed, Chief Executive Officer, Pharmacy and Poisons Board

The Pharmacy and Poisons Board (PPB) is moving to strengthen regulation of digital health technologies with new draft guidance targeting software used for medical purposes, as artificial intelligence and mobile health tools gain ground in patient care.

PPB Chief Executive Officer Dr Ahmed Mohamed said the regulator is developing a framework to ensure software-driven medical technologies meet standards of safety, quality and performance before entering the market.

“The move reflects the growing role of standalone software in healthcare, performing functions such as diagnosis, monitoring and treatment,” he said.

The board has developed guidelines to regulate Medical Device Software (MDSW), including Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD), while also addressing the rise of AI-powered medical technologies in Kenya.

The framework aims to strengthen oversight of digital health tools, ensuring software used in diagnosis, treatment and monitoring meets required safety, quality and performance standards in line with global best practices.

Under the proposed rules, SaMD will be regulated separately from software embedded in hardware devices, a distinction regulators say is necessary to address risks linked to standalone digital tools, particularly those powered by artificial intelligence and machine learning.

“The framework aligns Kenya with global standards, including those of the International Medical Device Regulators Forum, and draws from national policies such as the Kenya National Cybersecurity Strategy (2022–2027), the Digital Health Act (2023) and the Kenya AI Strategy (2025–2030),” Dr Ahmed said.

He added that the approach is risk-based, with oversight proportional to potential patient harm. Higher-risk applications, especially those used in diagnosis or treatment, will face stricter scrutiny.

Labeling, validation and clinical evidence

The guidance sets detailed requirements for product approval, including documentation on software design, risk assessments, clinical validation, version control and post-market surveillance.

Manufacturers must comply with international standards such as IEC 62304 and ISO 14971, and clearly justify why a product qualifies as a medical device while distinguishing medical from non-medical functions.

The PPB is also tightening labeling and traceability rules. Software supplied on physical media must include clear labels and instructions for use, while web-based or downloadable tools must display key information, including intended use and safety warnings, within the interface.

He said that developers will be compelled to provide installation guidance and maintain robust version control systems to ensure traceability and support corrective actions.

“Verification and validation processes are mandatory, requiring developers to demonstrate that software meets technical specifications and performs safely in real-world clinical settings. Clinical evidence must show that outputs are medically meaningful, supported by literature, comparable technologies or new studies.”

He added that ongoing clinical evaluation after market entry will be required to monitor real-world performance and detect emerging risks.

Cyber security at the core

Kenya is placing cyber security at the center of the framework, warning that increasingly connected medical systems expose patients and hospitals to digital threats.

Medical software linked to networks or cloud systems must be secured throughout its lifecycle, with manufacturers required to adopt secure-by-design and secure-by-default approaches.

This includes safeguards such as user authentication, role-based access controls, encryption and network segmentation, alongside continuous vulnerability monitoring, patch management and incident response systems.

The framework aligns with guidance from the World Health Organization and treats medical software as part of critical digital health infrastructure.

Post-market surveillance and risk management

Manufacturers must implement structured post-market plans to detect and respond to cybersecurity threats and software risks.

These include proactive monitoring of vulnerabilities, formal disclosure processes, regular updates and patching, and recovery mechanisms following cyber incidents. Participation in information-sharing networks is encouraged to track emerging threats.

Companies must also comply with Kenya’s data protection and digital health laws to safeguard patient information.

The framework adopts a lifecycle approach to risk management, requiring manufacturers to identify hazards, assess risks and implement controls from design through post-market use. Regulators caution that pre-market controls alone are insufficient.

AI-specific requirements

The guidance introduces additional safeguards for AI-enabled medical devices, including requirements on data quality, model transparency and performance monitoring.

Dr Ahmed said developers must follow Good Machine Learning Practice principles, ensuring representative datasets, separation of training and testing data, and clear validation of model performance using metrics such as accuracy, sensitivity and specificity.

“For systems with continuous learning capabilities, manufacturers must define how models evolve, ensure data integrity and implement safeguards to detect anomalies and roll back to earlier versions if needed,” he said.

He added that developers must maintain traceability between datasets, software versions and clinical outputs, particularly when errors or bias are identified.

Manufacturers will also be required to monitor real-world performance and submit periodic reports to the regulator, including annual updates throughout the product lifecycle.

The framework classifies medical software based on risk and clinical impact, with higher-risk applications facing stricter oversight depending on intended use, the significance of information provided and the severity of the condition addressed.

Applications must be submitted through the PPB’s online portal, with fees linked to risk classification and systems in place to track products throughout their lifecycle.

Dr Ahmed said the framework is designed to balance innovation with patient safety, standardize evaluation of medical device software and strengthen trust in a rapidly evolving digital health sector.