NEAR/ON/IN BODY NETWORK HEALTH TECHNOLOGY, LEGAL AND REGULATORY ISSUES
Health IT Forum MEDICA, 13 November 2014
Erik Vollebregt
www.axonlawyers.com
Agenda
• (Implantable) medical devices regulation
• Cybersecurity
• Personal data
Frame of reference
Regulation of medical devices
Currently: directives on (active implantable) medical devices and IVD devices
• hopelessly outdated with respect to networked devices and devices as a service
• no proper way to deal with nanoparticles and bots
• Standalone software MEDDEV guidance revision process halted pending revision of the medical devices regulations
New Medical Devices Regulation and IVD Regulation in the legislative process
New medical devices regulation
• Devices are still physical widgets
• While the technology is moving to software, systems and swarms
• Definitions unclear
  • everything with an “indirect medical purpose” can be a medical device
• Connectivity ill considered
  • Connecting devices can easily ‘accessorise’ all devices they connect with under the new accessory definition that includes ‘to assist’
Rethinking medical device scope
• Medical Device Regulation and IVD Regulation proposals contemplate a potentially enormous widening of scope in the ENVI proposal:
  • “‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific direct or indirect medical purposes of [...]
    – diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease
    […]
    – providing information concerning direct or indirect impacts on health”
• This definition would cover a very wide scope of devices
• Not sure yet if this ended up in the final proposal
Rethinking medical device scope
• Implementation of GHTF-like definition
  • “‘accessory to a medical device’ means an article which, whilst not being a medical device, is intended by its manufacturer to be used together with one or several particular medical device(s) to specifically enable or assist the device(s) to be used in accordance with its/their intended purpose(s);”
• Inclusion of notion of support of multiple devices by one accessory?
• What is the scope of the concept of “assist”?
How do we deal with ‘innovative’?
“Innovation” is a scary thing so we regulate the hell out of it
All your innovation are belong to me!
Love / hate relationship:
Innovation means progress
BUT
Cybersecurity
What is there in the EU?
Annex I
12.1. Devices incorporating electronic programmable systems must be designed to ensure the repeatability, reliability and performance of these systems according to the intended use. In the event of a single fault condition (in the system) appropriate means should be adopted to eliminate or reduce as far as possible consequent risks.
12.1a For devices which incorporate software or which are medical software in themselves, the software must be validated according to the state of the art taking into account the principles of development lifecycle, risk management, validation and verification.
• EN 62304
  • EN 62304 § 5.2.2 Software requirements content re security: typical cybersecurity points, but only with respect to standalone software
Are we doing anything in the EU?
What are the medical devices companies and healthcare institutions doing?
Biggest EVAH! About public utilities and communications infrastructure
Draft NIS Directive
Article 14 provides for market operator
• security requirements and
• incident notification duty
ERGO: all (medical) devices that run software, that interconnect and process / transmit data
NIS Directive
Duty to implement measures
Notification duty
Public disclosure of incidents
Delegated acts
Personal data
Personal data currently in the EU
• Everybody agrees the current EU system is
  • Fragmented
  • Outdated
  • Unclear
• But, it’s still a good system that has produced a lot of good practices
  • Reasonably flexible international transfers
  • Article 29 WP opinions
  • Coordinated action by data protection authorities
Personal data under GDPR: bleak picture
And kill most outsourced services and big data based business models currently contemplated, by the way
General Data Protection Regulation
• Data protection as fundamental right
  • EU approaches data protection from the angle of fundamental right – this means less attention to pure internal market interests and more to data subject interests
• Definitions & scope
  • Implementation of Art 29 WP opinions on scope (“singling out”, unique identifiers, pseudonymisation, “reasonably likely means”)
• Consent requirements
  • New disqualifiers: imbalance between the parties, and consent to process data that is not necessary for execution of the contract
• Impact assessment
  • Mandatory sign-off by national authorities prior to processing, but no methodology / standards and no deadlines
  • Impact assessment for each individual instance of processing
General Data Protection Regulation
• Privacy by design
  • Prior approval of impact assessment of each act of processing
  • Literally – Parliament proposes that software and devices have to be designed and built so as to enable GDPR and data subject’s rights by default
  • Intelligible explanation of automated processing logic
• Exemptions for processing of health data without consent
  • With uncertainties around the concept of ‘consent’, derogations for “public health” and “scientific purposes” become crucial
  • Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations
• Technical standards
  • Commission can issue technical standards related to implementation of GDPR requirements
General Data Protection Regulation
• Data subject’s rights
  • Right to rectification, information, to be forgotten and to erasure problematic in clinical context
  • Right to request an interoperable and open source format copy of processed data
  • Includes data portability and export in open source formats
• Many open ends still that are subject to implementation by implementing act or regulation by delegated act
  • Commission is not obliged to use these powers and the EU legislator may change the scope or revoke the power, which increases uncertainty
www.axonlawyers.com
THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com