
Medica 2014 Health IT Forum Near/On/In Body Network Health Technology regulation

Date posted: 02-Jul-2015
Uploaded by: erik-vollebregt
Description:
Presentation about EU medical devices, cybersecurity and personal health data protection regulation in relation to wearables, implants and connected (medical) devices
Transcript
Page 1: Medica 2014 Health IT Forum Near/On/In Body Network Health Technology regulation

NEAR/ON/IN BODY NETWORK HEALTH TECHNOLOGY, LEGAL AND REGULATORY ISSUES
Health IT Forum MEDICA
13 November 2014

Erik Vollebregt
www.axonlawyers.com

Page 2

Agenda

• (Implantable) medical devices regulation
• Cybersecurity
• Personal data

Page 3

Frame of reference

Page 4

Regulation of medical devices

Currently: directives on (active implantable) medical devices and IVD devices
• hopelessly outdated with respect to networked devices and devices as a service
• no proper way to deal with nano particles and bots
• Standalone software MEDDEV guidance revision process halted pending revision of medical devices regulations

New Medical Devices Regulation and IVD Regulation in the legislative process

Page 5

New medical devices regulation

• Devices are still physical widgets
  • While the technology is moving to software, systems and swarms
• Definitions unclear
  • everything with “indirect medical purpose” can be a medical device
• Connectivity ill considered
  • Connecting devices can easily ‘accessorise’ all devices they connect with under new accessory definition that includes ‘to assist’

Page 6

Rethinking medical device scope

• Medical Device Regulation and IVD Regulation proposals contemplate potentially enormous widening of scope in ENVI proposal:
  • “‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific direct or indirect medical purposes of [...]
    – diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease
    […]
    – providing information concerning direct or indirect impacts on health”
• This definition would cover a very wide scope of devices
• Not sure yet if this ended up in the final proposal

Page 7

Rethinking medical device scope

• Implementation of GHTF-like definition
  • “‘accessory to a medical device’ means an article which, whilst not being a medical device, is intended by its manufacturer to be used together with one or several particular medical device(s) to specifically enable or assist the device(s) to be used in accordance with its/their intended purpose(s);”
• Inclusion of notion of support of multiple devices by one accessory?
• What is the scope of the concept of “assist”?

Page 8

How do we deal with ‘innovative’?

Love / hate relationship:
• Innovation means progress
• BUT “Innovation” is a scary thing so we regulate the hell out of it

Image caption: All your innovation are belong to me!

Page 9

Cybersecurity

Page 10

What is there in the EU?

Annex I

12.1. Devices incorporating electronic programmable systems must be designed to ensure the repeatability, reliability and performance of these systems according to the intended use. In the event of a single fault condition (in the system) appropriate means should be adopted to eliminate or reduce as far as possible consequent risks.

12.1a For devices which incorporate software or which are medical software in themselves, the software must be validated according to the state of the art taking into account the principles of development lifecycle, risk management, validation and verification.

• EN 62304

Page 11

EN 62304 § 5.2.2 Software requirements content re security

Typical cybersecurity points, but only with respect to standalone software

Page 12

Are we doing anything in the EU?

What are the medical devices companies and healthcare institutions doing?

Biggest EVAH! About public utilities and communications infrastructure

Page 13

Draft NIS Directive

Article 14 provides for market operator
• security requirements and
• incident notification duty

ERGO: all (medical) devices that run software, that interconnect and process / transmit data

Page 14

NIS Directive

Duty to implement measures
Notification duty
Public disclosure of incidents
Delegated acts

Page 15

Personal data

Page 16

Personal data currently in the EU

• Everybody agrees the current EU system is
  • Fragmented
  • Outdated
  • Unclear
• But, it’s still a good system that has produced a lot of good practices
  • Reasonably flexible international transfers
  • Article 29 WP opinions
  • Coordinated action by data protection authorities

Page 17

Personal data under GDPR: bleak picture

And kill most outsourced services and big data based business models currently contemplated, by the way

Page 18

General Data Protection Regulation

• Data protection as fundamental right
  • EU approaches data protection from the angle of fundamental right – this means less attention to pure internal market interests and more to data subject interests
• Definitions & scope
  • Implementation of Art 29 WP opinions on scope (“singling out”, unique identifiers, pseudonymisation, “reasonably likely means”)
• Consent requirements
  • New disqualifiers: imbalance and consent to process data and necessary for execution of the contract
• Impact assessment
  • Mandatory sign-off national authorities prior to processing but no methodology / standards and no deadlines
  • Impact assessment for each individual instance of processing

Page 19

General Data Protection Regulation

• Privacy by design
  • Prior approval of impact assessment of each act of processing
  • Literally – Parliament proposes that software and devices have to be designed and built as to enable GDPR and data subject’s rights by default
  • Intelligible explanation of automated processing logic
• Exemptions for processing of health data without consent
  • With uncertainties around concept of ‘consent’ derogations for “public health” and “scientific purposes” become crucial
  • Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations
• Technical standards
  • Commission can issue technical standards related to implementation of GDPR requirements

Page 20

General Data Protection Regulation

• Data subject’s rights
  • Right to correct, information, be forgotten and of erasure problematic in clinical context
  • Right to request interoperable and open source format copy of processed data
    • Includes data portability and export in open source formats
• Many open ends still that are subject to implementation by implementing act or regulation by delegated act
  • Commission is not obliged to use these powers and EU legislator may change the scope or revoke power, which increases uncertainty

Page 21

www.axonlawyers.com

THANKS FOR YOUR ATTENTION

Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E [email protected]
@meddevlegal
B http://medicaldeviceslegal.com

READ MY BLOG: http://medicaldeviceslegal.com
