I had the pleasure of being invited to speak at the Health IT forum at the MEDICA conference last week on regulation of in, on and near body networks. Most of my day at the MEDICA I spent in the health IT hall, catching up on developments, particularly in the interesting Wearable Technology Pavillion with all its cool gadgets, and talking to clients with booths in the hall or out and about there.
The Health IT forum session about “Healthcare in the age of IOTS. Exploring the added Value of IOTS in Healthcare research, policy and service delivery” put me on a panel with SAP, Microsoft, IBM, Bosch, the illustrious Fraunhofer Institute and my friends at the Continua Health Alliance. It was a lot of fun. The MEDICA will probably put the video recording on its site sooner or later.
Here is my presentation (it was pretty difficult to jam it into 15 minutes but I managed by excluding all the breathing pauses), focusing on what I think are currently the three hot regulatory issues in healthcare and the Internet of Things (IOTS): medical devices regulation, cybersecurity / draft NIS directive and personal (health) data:
So let’s look at each of these three categories in a bit more detail and context.
Medical devices regulation
In terms of medical devices regulation there is the of course by now completely worn out record of the medical devices regulations (at least on this blog it is), which are getting interesting again now that the Italian presidency is rumored to be engaged in a major push behind the scenes to still clinch the pre-pack first reading that they were planning. Also, the Commission has in the mean time published what they think of the Parliament’s first reading on the medical devices and IVDs regulation proposals and has, among other things, no problems with the ill-considered (if you ask me) expanded definition of ‘medical device’ that will include everything with an indirect medical intended purpose. This will redefine the concept of regulatory burden for the industry and expand the scope of medical devices regulation to include many many things that were never intended to be regulated as medical devices, something even the European Court of Justice warned against in the Brain Products case. So good luck, potentially every device that does anything related to a person that may in any way be beneficial for general health in the long run (like a step counter for example) will be sucked into the scope of medical devices regulation. Will that make the world a safer place for patients? Probably not.
Cybersecurity / draft NIS directive
At first sight it seems that there is not much currently in EU medical devices regulation with respect to cybersecurity if you compare this to the new FDA guidance on the subject, but if you look closer there are some design requirements that can be drawn from the EN 62304 standard (see slide 11 of the presentation above). You could even argue that networking aspects are addressed by the mentioning of authentication, authorisation and communication integrity, which is the main security Achilles heel of many of the networked medical devices on the market currently. On the other hand, there does not seem to be a lot of interest at EU level for this subject. All policy documentation that touches upon medical devices and mHealth approaches security from the angle of protection of personal (health) data, a perfectly valid concern but not an adequate approach to security at all.
The draft NIS directive stands to impact substantially on networked medical devices (slide 13) because it will apply to basically all IoT enabled medical devices. It triggers design and organisational obligations in the field of security as well as breach notification obligations (yes, additional to and conveniently diverging from any breach notification obligation under EU data protection law).
More about cybersecurity for devices in my next post on this blog!
Personal (health) data
Personal (health) data remains a problem with the current framework being in a state of hot mess and the new framework under the General Data Protection Regulation being in a state of legislative limbo in the sense that the Commission says it’s all very urgent and a high priority and must be finished this presidency, an end result is still not clearly visible on the horizon. Yet, the GDPR will remedy a lot of the deficiencies of the current directive – that is, if it turns out looking more or less like the first reading of the Parliament. There are a lot of crucial issues in the air, like regulatory one-stop-shopping, exemption for extra-institution outsourced processing of health data and extra-EU international data transfers, just to mention a few that are critical to business models for service providers in the healthcare business that operate services that use IoT enabled devices to collect personal health data from patients in and outside the clinic and process it using cloud services (isn’t everybody doing (or wishing to be doing) that?). Just read the statement of the Healthcare Coalition on Data Protection backed by not the slightest of organisations, and you wil agree with me that it’s a bleak picture for business if there are no drastic changes made to the GDPR (which it currently looks there will not be).
Should we be worried? Yes, I think so. As I have blogged before, Europe has a tendency to be the ‘department of no’ when it comes to regulating this type of technology. Companies understand very well of course that there has to be regulation of safety and performance, but how about making sure that such regulation is coherent, up to date, consistently applied across the EU and proportionate so they can actually work with it and plan ahead? The EU is losing itself far too much in politics and its weird love/hate relationship with anything ‘innovative’ as has been more than clear in the medical devices and GDPR dossiers, which makes for sub-optimal regulation for everyone involved.