I had the pleasure of being invited to speak at the Health IT forum at the MEDICA conference last week on the regulation of in-, on- and near-body networks. I spent most of my day at MEDICA in the health IT hall, catching up on developments, particularly in the interesting Wearable Technology Pavilion with all its cool gadgets, and talking to clients with booths in the hall or out and about there.
The Health IT forum session “Healthcare in the age of IOTS. Exploring the added Value of IOTS in Healthcare research, policy and service delivery” put me on a panel with SAP, Microsoft, IBM, Bosch, the illustrious Fraunhofer Institute and my friends at the Continua Health Alliance. It was a lot of fun. MEDICA will probably put the video recording on its site sooner or later.
Here is my presentation (it was pretty difficult to jam it into 15 minutes, but I managed by excluding all the breathing pauses). It focuses on what I think are currently the three hot regulatory issues in healthcare and the Internet of Things (IoT): medical devices regulation, cybersecurity / the draft NIS directive, and personal (health) data:
So let’s look at each of these three categories in a bit more detail and context.
Medical devices regulation
In terms of medical devices regulation there is of course the by now completely worn-out record of the medical devices regulations (at least on this blog it is), which are getting interesting again now that the Italian presidency is rumored to be engaged in a major push behind the scenes to still clinch the pre-packaged first reading that it was planning. Also, the Commission has in the meantime published what it thinks of the Parliament’s first reading on the medical devices and IVD regulation proposals and has, among other things, no problem with the ill-considered (if you ask me) expanded definition of ‘medical device’ that will include everything with an indirect medical intended purpose. This will redefine the concept of regulatory burden for the industry and expand the scope of medical devices regulation to include many, many things that were never intended to be regulated as medical devices, something even the European Court of Justice warned against in the Brain Products case. So good luck: potentially every device that does anything related to a person that may in any way be beneficial for general health in the long run (a step counter, for example) will be sucked into the scope of medical devices regulation. Will that make the world a safer place for patients? Probably not.
Cybersecurity / draft NIS directive
At first sight it seems that there is not much in current EU medical devices regulation with respect to cybersecurity, certainly compared to the new FDA guidance on the subject, but if you look closer there are some design requirements that can be drawn from the EN 62304 standard (see slide 11 of the presentation above). You could even argue that networking aspects are addressed by its mention of authentication, authorisation and communication integrity, which is the main security Achilles’ heel of many of the networked medical devices currently on the market. On the other hand, there does not seem to be a lot of interest at EU level in this subject. All policy documentation that touches upon medical devices and mHealth approaches security from the angle of protection of personal (health) data: a perfectly valid concern, but not an adequate approach to security at all.
The draft NIS directive stands to have a substantial impact on networked medical devices (slide 13), because it will apply to basically all IoT-enabled medical devices. It triggers design and organisational obligations in the field of security as well as breach notification obligations (yes, in addition to, and conveniently diverging from, any breach notification obligation under EU data protection law).
More about cybersecurity for devices in my next post on this blog!
Personal (health) data
Personal (health) data remains a problem. The current framework is in a state of hot mess and the new framework under the General Data Protection Regulation is in a state of legislative limbo, in the sense that the Commission says it is all very urgent and a high priority and must be finished this presidency, yet an end result is still not clearly visible on the horizon. Still, the GDPR will remedy a lot of the deficiencies of the current directive – that is, if it turns out looking more or less like the first reading of the Parliament. There are a lot of crucial issues in the air, like regulatory one-stop-shopping, an exemption for extra-institutional outsourced processing of health data, and extra-EU international data transfers, to mention just a few that are critical to the business models of service providers in the healthcare business that use IoT-enabled devices to collect personal health data from patients in and outside the clinic and process it using cloud services (isn’t everybody doing, or wishing to be doing, that?). Just read the statement of the Healthcare Coalition on Data Protection, backed by not the slightest of organisations, and you will agree with me that it is a bleak picture for business if no drastic changes are made to the GDPR (which it currently looks like there will not be).
Anyway
Should we be worried? Yes, I think so. As I have blogged before, Europe has a tendency to be the ‘department of no’ when it comes to regulating this type of technology. Companies understand very well, of course, that there has to be regulation of safety and performance, but how about making sure that such regulation is coherent, up to date, consistently applied across the EU and proportionate, so that they can actually work with it and plan ahead? The EU is losing itself far too much in politics and in its weird love/hate relationship with anything ‘innovative’, as has been more than clear in the medical devices and GDPR dossiers, which makes for sub-optimal regulation for everyone involved.
Hi Erik,
Regarding cybersecurity it seems to me that Europe is lagging behind the US. Last month the FDA issued the new Cyber Security guidance regarding all medical devices. And also in October the CLSI issued the new AUTO11-A2 standard for in vitro diagnostic medical devices in particular. That’s why I think manufacturers of IVD medical devices will focus on the US and not wait for Europe…
Adriaan
Hello,
It seems MDR amendment 293 (“CE mark changed into “CE” accompanied by the term “Medical Device””) would mean that medical devices that also fall under other CE marking requirements (Radio Equipment Directive, RoHS, etc.) would need 2 CE marks – one for medical and one for everything else. This seems to be against the Blue Guide, which states that the CE mark means the “product is in conformity with Union harmonisation legislation that applies to it and provides for CE marking”. It seems that the MDR should either accept the CE mark or create a unique mark as allowed in Decision No 768/2008/EC (per the Blue Guide: “In duly justified cases a total harmonisation piece of legislation that follows Decision No 768/2008/EC may provide for a different marking instead of the CE marking.”)
Am I missing something? Will medical devices need 2 CE marks in some cases?
Many thanks for your updates,
Christine
Hi Christine, it’s already possible that medical devices must be CE marked under different directives, such as under the MDD and under RoHS. Depending on the device, multiple directives may apply to it and some of these assume compliance with others (like the MDD includes LVD and EMC compliance), but there is no complete overlap between all directives that may apply to a medical device. RED is another example of a directive that requires a separate CE mark from the MDD.