More on 3D printing of medical devices – seminar in Amsterdam with DSM and Materialise

Because we see a huge increase in interest in regulation of 3D printing and biofabrication (which I have blogged and taught about), my firm decided to organise a seminar about it.

As you are used from us, it’s free, we don’t want anything in return, we love it if you show up and if you don’t that’s fine too – ask us for the slides if you would like to receive them (you can have mine in any event; you can have the others too if the other speakers agree to provide them). However, if you want the full story, it’s always best to attend because there will be drinks afterwards too at which you can network with other companies in the field.

We are very grateful for the cooperation of two companies at the forefront of developments in this field, Materialise and DSM Biomaterials, who will discuss case studies about their own products and services and provide insights into technical challenges.

To subscribe to the seminar, just send an email to the email address in the invitation below. You can bring as many colleagues, friends or contacts as you like; please just let us know in advance so we can have a name badge for everyone to improve your networking experience and ensure that there are enough chairs, drinks and snacks!

I hope to see you there.150204_3Dprinting_and_Biofabrication_edited-1

More on EU medical devices cybersecurity regulation

In a previous post I promised more on cybersecurity, so here it is.

Spoiler alert: the conclusion of this post is that cyber security requirements for medical devices in Europe are currently an overlapping patchwork of different statutes with little attention for system and network security. So the conclusion is: there is nothing specific, except the security requirements in the EN 62304 harmonized standard for Medical device software — Software life-cycle processes. Compared to what the FDA is currently working on the EU is seriously lagging behind, which is strange considering the ambitions that the EU has in eHealth, which will necessitate a lot of medical devices being networked into the Internet of Everything.

Personal data rules

That doesn’t mean that there are no general rules that manufacturers of medical devices must observe in the EU that touch upon cybersecurity. Currently there is quite an acquis being built up in terms of privacy by design obligations for networked devices that process personal data. This is the main approach to cybersecurity for medical devices in the EU at the moment.

Why the personal data nexus? Obviously, medical devices that form part of the internet of things (IoT) will process sensitive personal data in the form of personal health data. In addition to privacy by design requirements that I blogged about earlier, the Article 29 WP has now also issued guidelines for IoT devices that do focus on system security.

But, we are still not there because we are still waiting for the GDPR to drop, which will provide a framework for processing of personal health data that will apply throughout the EU. The Article 29 WP guidelines, as helpful as they are, remain non-binding guidelines.

NIS directive

The NIS directive is a new piece of legislation that will have particular relevance for companies that provide medical devices as a service or provide information society services that consist of monitoring, readout of devices at a distance, etc.

The Parliament has proposed to exclude software developers and hardware manufacturers from the scope of the directive. However, as I have observed many times now, medical devices manufacturers less and less mere widget pushers these days. As a consequence any medical device manufacturer that operates a service in relation to medical devices would be caught under the NIS directive. And the directive is not final yet, so things may still change.

Presentation to summarise

The whole above story is a summary of my below presentation at the MD Project Active Devices event on 9 December that raised some eyebrows in the audience and provoked comments that it’s impossible to meet all these requirements without considerable additional resources.

The extra long disco version of the material in the presentation can be found in my article in eHealth Law and Policy, which you can view for free if you take a free trial subscription.

The time to act is yesterday

Excuse me? Humbug you say? Medical devices is an industry in which hackers do not operate? All the succesful hacks that have happened so far took place only under controlled circumstances in unlikely usability scenarios?

I’ll speak with you again when your company does an e.g. Sony by being hacked painfully publicly several times in a single year and losing massive amounts of sensitive data (because that’s what hackers are after these days) or has the dubious honour of being the first company faced with ransomware holding active implantable devices of patients hostage.

Thinking that this will not happen to you is one of the oldest security fallacies in the book. Having been caught out ignoring this will not look good on a company, especially if you trust the company’s devices literally with your life.

And don’t forget, all the above does not only apply to the new devices yet to be placed on the market, but also to the vast amount that is already out there, with hardcoded admin passwords and less than stellar security measures built in. This means that – literally – the time to act is yesterday.

So Happy New Year – something should and hopefully will happen when we roll the dice in EU cybersecurity policy next year. Otherwise it may well become painfully obvious why we need specific and clear rules for this.

An X-traordinary New Year to you


The devices have landed – and some promotion

European CommissionSo, it took a while but the devices have finally landed. During the EPSCO council of 1 December it was confirmed that the medical devices policy has indeed moved to DG ENTR. I have also heard Commission officials tasked with medical devices at DG SANCO say they are in transition now.

It also became clear that the ambitious Italian pre-pack first reading plan had failed because no common position was reached. The progress report for the meeting was approved and the Italian presidency expressed the hope that the Latvian presidency can build on its work.

The Dutch in 2016

Since it became already clear that the Latvian and Luxemburg presidencies do not have great ambitions in this matter, the scenario that I have sketched that the Dutch presidency in the first half of 2016 will try to make a difference becomes more and more likely.

As you can see in the progress report, there is still a lot of work to be done. Even though all chapters of the proposed regulations have been tossed repeatedly like a regulatory salade niçoise (every chapter and every annex of both proposals (20 chapters, 187 articles and 29 annexes) have been discussed two times each at the end of the Presidency), no agreement was reached and a number of political bones of contention remain, which include:

– Aesthetic devices;

– Ingested products;

– Reprocessing of single-use devices;

– the Unique Device Identification System (“UDI”);

– Mechanisms for surveillance and appointment of the Notified Bodies responsible for conformity assessment of Medical devices and In vitro diagnostic medical devices;

– the Scrutiny mechanism for certain high risk devices;

– Clinical investigations;

– Post-Market Surveillance;

– Tasks of the proposed Medical Device Coordination Group; and

– Role of expert panels and reference laboratories.

The progress report will show you exactly where the differences are for each of these categories. The politically most difficult ones are MDCG, UDI, notified bodies’ role and post market surveillance.

Impact assessment

One of the interesting statements during the EPSCO council was the statement of the Dutch delegation that they thought that with all the amendments on the table it would be a very good idea to revise the impact assessment underlying the original proposals. I cannot applaud that enough, because as I have argued time and again, the so far fact-free amendments of the Parliament should have a basis in reality and it should be made clear what these amendments mean for industry, costs of healthcare and the patient/payor. It would be very interesting to see what the Parliament’s amendments amount to when they are assessed for impact. It will probably show, for example, that the hazardous substances amendment will add nothing in terms of safety but will only cost a lot in terms of compliance for compliance sake exercises.

Prediction for 2015

My prediction for next year (2015) is a year of quiet diplomacy in the background to pre-cook a final agreement during the Dutch presidency. It may happen that the trilogue finally kicks off during the last half of 2015, now that the Parliament voted to be ready for it on 5 November 2014. 2015 will also be the year of eHealth and mHealth, with the Commission starting to translate the feedback to the Green Paper on mHealth into policy actions, part of which may be fed back into the discussions regarding the medical devices regulations, e.g. on the definition of ‘medical device’. The Council and the Commission may also realise how ill-equipped the current proposals for the medical devices and IVD regulations are to deal with modern devices as a service, standalone software and the nexus with

Also, the unannounced audits will become established practice and the notified bodies will continue to increase their clinical evidence requirements as a result of the joint audits under the Joint Action Plan.

Finally, new production techniques like 3D printing will need to find a place in the regulations one way or the other, or we will need to accept that from a regulatory perspective there is no difference.

So how to keep track of all that?

Here are some suggestions

for the end and beginning of the year, to stay on top of all these developments:

I hope to see you at one or more of these very worthwhile events!

EU Council also thinks genetic testing amendment in IVD regulation proposal is outside competence EU

380px-EU_Consilium_Logo.svgIn a previous blog I have addressed the genetic testing amendment to the IVD regulation proposal and have provided argumentation why this proposal is outside the scope of the legislative competence of the EU. To make it interesting I have also explicitly challenged the author of the amendment, rapporteur for the IVD regulation proposal Peter Liese, to prove me and my colleague Julian Hitchcock wrong in our conclusions (executive summary here).

We were actually right

Nothing happened and nobody challenged our conclusions. That may be because we were actually right. So we were not challenged by the University of Passau that admitted that their report’s conclusion that provided the foundation for the Parliament’s amendment was wrong (which it is, and the report was commissioned because the rapporteur himself also doubted that the EU had this competence in the first place). Nor did Mr Liese admit that he had misjudged EU competence.

Rather, the EU’s sovereign member states comprising the Council backed us up. The Dutch government recently stated in answers to the Dutch Parliament (in Dutch, sorry – we’re working on a translation) that a majority of member states in the EU Counsel consider this proposal outside the scope of EU legislative competence, on the exact same grounds that Julian and I concluded in our report: subsidiarity and proportionality prevent posing medical-ethical requirements for national practice of medicine with genetic testing.


The Dutch government states that it looks like the Counsel can accept a compromise to the effect that member states may deal with this matter themselves at national level, much like where things look to be  going with respect to reprocessing of medical devices.

Insufficient attention for IVDs

Also, the Dutch confirm a point that I have lamented often on this blog: the lack of attention for the IVD regulation in the legislative process. The Dutch say that the negotiation process regarding the IVD regulation is though going (“moeizaam“), and that there has been little attention for IVDs in the whole revision process so far because priority is given to the medical devices regulation. This is also painfully obvious in the progress report of the Counsel for preparation of the Employment, Social Policy, Health and Consumers Council meeting on 1 December 2014 (more about this progress report in a future blog).

Cause for concern

The Netherlands thinks that this is a cause for concern and will give efforts to ensure that sufficient time is dedicated to this important subject during this presidency and the following ones. I agree. It would be useful if there would be more attention for the IVD regulation. Not only will there be very big changes for the IVD industry as a result of the IVD regulation proposal, but the importance of IVDs in modern personalized medicine is enormous. IVDs are just too important for society to be overlooked and underprioritised this way.

What happens next?

Well, the Parliament may realize that you cannot conjure competence to legislate out of thin air under rule of law and revoke its proposal because it has no legal basis to be adopted.

Except that this is not how politics work, because this amendment will of course not be revoked but will go in the big horse trading mix between the Commission, the Council and the Parliament. Let’s hope that the Commission and the Council keep in mind that negotiation can only take place with bargaining chips that actually exist and that there really is nothing to negotiate on this point: the comprise on the table is actually just explicit codification of the current situation at member state level.

In, on and near body networks EU regulation

Medica logoI had the pleasure of being invited to speak at the Health IT forum at the MEDICA conference last week on regulation of in, on and near body networks. Most of my day at the MEDICA I spent in the health IT hall, catching up on developments, particularly in the interesting Wearable Technology Pavillion with all its cool gadgets, and talking to clients with booths in the hall or out and about there.

The Health IT forum session about “Healthcare in the age of IOTS. Exploring the added Value of IOTS in Healthcare research, policy and service delivery” put me on a panel with SAP, Microsoft, IBM, Bosch, the illustrious Fraunhofer Institute and my friends at the Continua Health Alliance. It was a lot of fun. The MEDICA will probably put the video recording on its site sooner or later.

Here is my presentation (it was pretty difficult to jam it into 15 minutes but I managed by excluding all the breathing pauses), focusing on what I think are currently the three hot regulatory issues in healthcare and the Internet of Things (IOTS): medical devices regulation, cybersecurity / draft NIS directive and personal (health) data:

So let’s look at each of these three categories in a bit more detail and context.

Medical devices regulation

In terms of medical devices regulation there is the of course by now completely worn out record of the medical devices regulations (at least on this blog it is), which are getting interesting again now that the Italian presidency is rumored to be engaged in a major push behind the scenes to still clinch the pre-pack first reading that they were planning. Also, the Commission has in the mean time published what they think of the Parliament’s first reading on the medical devices and IVDs regulation proposals and has, among other things, no problems with the ill-considered (if you ask me) expanded definition of ‘medical device’ that will include everything with an indirect medical intended purpose. This will redefine the concept of regulatory burden for the industry and expand the scope of medical devices regulation to include many many things that were never intended to be regulated as medical devices, something even the European Court of Justice warned against in the Brain Products case. So good luck, potentially every device that does anything related to a person that may in any way be beneficial for general health in the long run (like a step counter for example) will be sucked into the scope of medical devices regulation. Will that make the world a safer place for patients? Probably not.

Cybersecurity / draft NIS directive

At first sight it seems that there is not much currently in EU medical devices regulation with respect to cybersecurity if you compare this to the new FDA guidance on the subject, but if you look closer there are some design requirements that can be drawn from the EN 62304 standard (see slide 11 of the presentation above). You could even argue that networking aspects are addressed by the mentioning of authentication, authorisation and communication integrity, which is the main security Achilles heel of many of the networked medical devices on the market currently. On the other hand, there does not seem to be a lot of interest at EU level for this subject. All policy documentation that touches upon medical devices and mHealth approaches security from the angle of protection of personal (health) data, a perfectly valid concern but not an adequate approach to security at all.

The draft NIS directive stands to impact substantially on networked medical devices (slide 13) because it will apply to basically all IoT enabled medical devices. It triggers design and organisational obligations in the field of security as well as breach notification obligations (yes, additional to and conveniently diverging from any breach notification obligation under EU data protection law).

More about cybersecurity for devices in my next post on this blog!

Personal (health) data

Personal (health) data remains a problem with the current framework being in a state of hot mess and the new framework under the General Data Protection Regulation being in a state of legislative limbo in the sense that the Commission says it’s all very urgent and a high priority and must be finished this presidency, an end result is still not clearly visible on the horizon. Yet, the GDPR will remedy a lot of the deficiencies of the current directive – that is, if it turns out looking more or less like the first reading of the Parliament. There are a lot of crucial issues in the air, like regulatory one-stop-shopping, exemption for extra-institution outsourced processing of health data and extra-EU international data transfers, just to mention a few that are critical to business models for service providers in the healthcare business that operate services that use IoT enabled devices to collect personal health data from patients in and outside the clinic and process it using cloud services (isn’t everybody doing (or wishing to be doing) that?). Just read the statement of the Healthcare Coalition on Data Protection backed by not the slightest of organisations, and you wil agree with me that it’s a bleak picture for business if there are no drastic changes made to the GDPR (which it currently looks there will not be).


Should we be worried? Yes, I think so. As I have blogged before, Europe has a tendency to be the ‘department of no’ when it comes to regulating this type of technology. Companies understand very well of course  that there has to be regulation of safety and performance, but how about making sure that such regulation is coherent, up to date, consistently applied across the EU and proportionate so they can actually work with it and plan ahead? The EU is losing itself far too much in politics and its weird love/hate relationship with anything ‘innovative’ as has been more than clear in the medical devices and GDPR dossiers, which makes for sub-optimal regulation for everyone involved.

Where have the devices gone?

keep-calm-it-will-happen-14It’s been a matter of a lot of speculation where the devices policy and HTA policy will finally end up in the European Commission.

When the Commission-elect was presented, one of the interesting elements was that medicinal products and medical devices policy were going (back) to DG Enterprise. Remember that the new rapporteur for the medical devices regulation, Glennis Willmott, was very much against this and vowed to bring devices policy back in the fold of DG SANCO. In the mean time the Commission has been elected, but it’s still not clear where the devices will end up.

Something of a concession

Some time ago it already became clear that president Juncker had made something of a concession to the European Parliament with regard to medicinal products and medical devices policy on 22 October:

“Responsibility for medicines and pharmaceutical products will stay with the Directorate-General for Health because I agree with you that medicines are not goods like any other,” he said, adding that Andriukaitis and Bieńkowska will develop the relevant policy jointly. (EurActiv)

But it was not very clear what that concession was exactly because what are “medicines and pharmaceutical products” if not more of the same? Or was something lost in translation resulting in this tautology? Was  everthing that was plannend to be moved (back) to DG Enterprise going back to DG SANCO?

Hey, and what about medical devices – they’re not goods like any other either, right? Or are they? This is really a less than well-chosen statement by President Juncker that the Parliament will probably hurl right back at the Commission as ammunition to support some of its more politically motivated amendments in the legislative procedure for the medical devices and IVD regulations.

Clinica permutations

As matters stand currently, it looks like medicinal products may actually go back (again) to DG SANCO and that HTA plus devices will stay with DG Enterprise. At least, that says Clinica now on 31 October. But Clinica has in the mean time reported every possible permutation in this story as final.

No final word it seems

MedTech Europe is still reserving its position on that same date.

Schermafbeelding 2014-11-01 om 12.30.13 The final word, it seems therefore, has not been given yet.

What would it mean?

What would it mean if devices and HTA would go to / stay with DG Enterprise? As I have blogged, devices started out as a typical internal market policy and this move may signify a re-orientation on the market for medical devices with potentially more attention to innovation friendly policies.

A slip of the tongue that would lead to conclude that President Juncker sees devices as goods like any other contrary to medicinal products may tentatively support this. Such re-ortientation would for one benefit the eHealth industry, which the Commission has put a lot of cards on for its healthcare policy.

Another benefit of more emphasis on internal market might be some efforts of the Commission to deal with the consequences of the Lycocentre judgment that confirmed that there actually is no internal market for medical devices because every member state may qualify a product differently based on different scientific argumentation.

Keep calm

And carry on – the EU’s devices policy will sort itself out sooner or later, possibly next week already. In the mean time, enjoy all the speculation and join the fray it you like!


Get every new post delivered to your Inbox.

Join 3,890 other followers

%d bloggers like this: