EU regulations on medical devices and the GDPR: a first step toward a necessary coordination
Thanks to Giulia Conforto for collaborating on this article
In the wake of the entry into application of the European medical device regulation (EU Regulation No. 745 of 2017) on May 26, Italy is taking its first steps toward adjusting its national regulatory framework. As a result, the European delegation law of 2021, published in the Italian official journal on April 23, includes an entire section (Art. 15) on the future regulatory framework applicable to medical devices, providing the government with guiding principles and criteria for bringing national legislation in line with the European regulations on medical devices and IVD medical devices (respectively EU Regulation No. 745 and 746 of 2017 – “EU Regulations”).
Among these principles, all of which are highly relevant to the governance of the medical device sector in Italy, we take a closer look below at those concerning the integration of the EU Regulations with EU Regulation No. 2016/679 on personal data protection (the “GDPR”).
Under the guiding principles established by the delegation law, the government must ensure that personal data processing performed as a result of application of the EU Regulations is brought in line with the GDPR and the current personal data protection regulatory framework.
This is extremely important, and it calls for closer attention to one of the crucial issues concerning the collection, security, and processing of medical data by medical devices.
Cybersecurity essential to medical devices
A growing number of medical devices process large amounts of personal health data. Most such devices are connected to networks, and they include an expanding number of medical devices that consist solely of software or apps (known as “Software as a Medical Device,” or SaMD). As this scenario makes clear, processing such data appropriately is fundamental to the security of the medical device itself, and it must be closely examined from that angle.
Annex I to the EU medical device regulation lists security and design requirements that must be met by devices that incorporate software and by SaMDs, including the following:
- the software shall be developed and manufactured in accordance with the state of the art, taking into account the principles of development life cycle and risk management, including information security, verification, and validation (par. 17.2);
- manufacturers shall set forth minimum requirements concerning hardware, IT network characteristics, and IT security measures, including protection against unauthorized access, necessary to run the software as intended (par. 17.4);
- devices shall be designed and manufactured in such a way as to protect, as far as possible, against unauthorized access that could hamper the device from functioning as intended (par. 18.8).
This means that all medical devices placed on the market must comply with the above (among other requirements), since these are essential security and performance requirements and are assessed for the purposes of CE marking.
In light of the delicate and critical nature of the matter, in January 2020 the Medical Device Coordination Group (“MDCG”) of the European Commission published “Guidance on Cybersecurity for medical devices,” a set of guidelines that provide device manufacturers with guidance on how to meet the essential cybersecurity requirements set out in Annex I to the regulation. Additionally, these guidelines cover certain obligations that the new regulation imposes upon importers and distributors, parties that have been added to the list of those required to reach certain regulatory quality targets through mutual collaboration. In this regard, it is key for cybersecurity to be part of post-market surveillance for medical devices, and therefore a manufacturer must work with everyone in the supply chain to take any necessary corrective action promptly.
The importance of cybersecurity in the healthcare field was also reinforced by the European Union Agency for Cybersecurity (“ENISA”) when, on January 18, 2021, it published a document geared to incentivizing healthcare organizations to use cloud services while complying with all necessary security measures. That document shows how risks of external intrusion and threats to IT security grow as healthcare organizations rely on external cloud suppliers to collect data from medical devices used to monitor patients remotely.
How this fits with the GDPR
While the EU regulation on medical devices highlights the importance of cybersecurity as a security requirement for devices, it does not go into detail on the regulatory relationship to personal data protection or coordination with the respective regulatory measures.
While the regulation does not even mention the GDPR, the cybersecurity guidelines include national and European regulations, among them the GDPR (as well as the EU Cybersecurity Act, Regulation No. 881/2019), in a list of IT security requirements to be met by those operating in the sector.
This raises the question of whether full compliance with the GDPR is meant to be assessed for the specific purposes of device certification and, if so, how that assessment is to be carried out. There is a risk of overlap between the regulations, which could lead to uncertainty for manufacturers and possible duplication of the activities performed. For example, we might ask whether, for device cybersecurity purposes, correct application of the principles of privacy by design and by default and of other security-related measures will need to be demonstrated, or whether a data protection impact assessment of the type described by the GDPR might be required for medical device certification.
The need for Europe-wide coordination
From this point of view, the measures described in Art. 15 of the European delegation law mentioned above will clearly be of great significance. Indeed, we will be watching closely to see exactly which government measures are deployed to ensure that data processing by medical devices complies with medical data protection regulations. This will be implemented via one or more legislative decrees over the next 12 months.
However, since this involves implementing European regulations, further clarification at the European level is expected and desirable, in order to avoid disparities among Member States in implementing regulations on such a sensitive subject, which could generate uncertainty and even more complications for those working in the sector.