In the third instalment of the 2018 Internet of Things (IoT) Webinar Series, Yarmela Pavlovic, Paul Otto, Elisabethann Wright, and Fabien Roy hosted an educational webinar focusing on the evolving world of connected medical devices.

Fabien described the regulatory framework applicable to digital health technologies regulated as medical devices in the EU. He explained the criteria a product must meet to be considered a medical device and, in particular, when a health app becomes a medical device. The discussion included a review of the criteria laid down in MEDDEV 2.1/6 concerning the classification of software as a medical device. Fabien also highlighted the changes resulting from the application of the new Medical Devices Regulation (MDR) in May 2020 and the consequences of this new Regulation for the classification and regulation of digital technologies as medical devices in the EU. Finally, Fabien underlined that it is crucial for manufacturers to take appropriate steps to transition to the MDR as soon as possible.

During his part of the webinar, Paul described the evolving cybersecurity expectations for connected medical devices. He highlighted how regulators worldwide are contributing to an increasingly active enforcement and oversight environment, as the increased data and connectivity associated with IoT brings with it more risk of cyberattacks, data breaches, and patient safety impacts. The discussion involved a deep dive into specific U.S. regulators focused on the privacy and cybersecurity issues presented by connected medical devices. Key government entities highlighted during the presentation included the Food and Drug Administration (FDA), with primary responsibility for pre- and post-market cybersecurity considerations for device design, development, and deployment; the Department of Health & Human Services (HHS) Office for Civil Rights (OCR), with responsibility for enforcing HIPAA regulations relating to privacy and security of patient data; the Federal Trade Commission (FTC), with general consumer protection responsibility and an emphasis on requiring “reasonable security” practices; and the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), with a mission including review of potential cybersecurity vulnerabilities and incidents, resulting in published alerts and advisories. Paul then highlighted key approaches to managing privacy and cybersecurity risks associated with connected medical devices. He focused on four main areas: risk analysis and management, training and awareness, vulnerability management and disclosure, and incident response planning.

Elisabethann discussed the implications of the GDPR for connected medical devices. She called attention to the fact that the GDPR enters into application on 25 May 2018. She then discussed the implications of the GDPR for the activities of medical device companies, focusing particularly on clinical investigations. The discussion included a review of the steps that medical device companies should take and the procedures that they should establish to ensure fulfilment of their obligations under the Regulation. The presentation focused particularly on issues such as the potential need to re-consent patients participating in ongoing clinical investigations as a result of the GDPR and the possible “secondary use” of patient personal health data collected as part of a clinical investigation.

To hear Yarmela’s thoughtful insights and more regarding this dynamic topic, please listen to the full webinar recording by accessing the link here.