eu cybersecurity requirements under current and future medical devices regulation

EU CYBERSECURITY REGULATION FOR MEDICAL DEVICES, Q1 conference, 25 July 2016, Erik Vollebregt, www.axonadvocaten.nl


Page 1: EU cybersecurity requirements under current and future medical devices regulation

EU CYBERSECURITY REGULATION FOR MEDICAL DEVICES

Q1 conference, 25 July 2016

Erik Vollebregt, www.axonadvocaten.nl

Page 2

Page 3

EU amends devices related rules with profound changes

• Medical Devices Regulation / IVD Regulation

• General Data Protection Regulation

• Network Information Systems Directive

• Get it right or get it wrong – mistakes will impact your company severely

Page 4

EU approach to cybersecurity

Currently:

• Medical devices Directives (AIMDD, MDD and IVDD)

• Risk management under MDD (EN ISO 14971:2012)

• Software life cycle management (EN ISO 62304:AC 2008)

• Data Protection Directive security and integrity of data requirements

Near future:

• Medical Devices Regulation and IVD Regulation software design requirements

• General Data Protection Regulation privacy by design and default requirements

• Network Information Systems Directive

Page 5

On our way to Snowden 2.0?

Page 6

Medical devices regulation

Page 7

Current rules

• Simple yet complex, because security is a matter of

• risk management under the medical devices rules (EN ISO 14971:2012)

• security measures prescribed in EN 45502-1:2015 and in EN 62304:AC 2008

• data security under the Data Protection Directive (article 17)

• This means no single clear set of standards exists in one single place

Page 8

Risk management

Reduce risk ‘as far as possible’ – no room for acceptable risks (EN ISO 14971:2012 Z annexes):

Page 9

Risk management

Most developed thinking is found in EN 45502-1:2015

Page 10

EN 62304 § 5.2.2 Software life cycle requirements re security

[Slide table: typical cybersecurity points for SW requirements content; suitable definition]

Page 11

General EU security regulations and standards

• IEC 80001 – Application of risk management for IT-networks incorporating medical devices

• Played an important role for the Swedish competent authority Läkemedelsverket in 2009 in the first version of their guidance “Proposal for guidelines regarding classification of software based information systems used in health care”.

• This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not at medical device manufacturers.

Page 12

Future rules under MDR / IVDR

• More emphasis on risk management in Annex I of the Regulations – reduction AFAP

• Annex I, 11.2 MDR: Devices shall be designed and manufactured in such a way as to remove or reduce as far as possible:

[…] (e) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts;

• Specific chapter on software design requirements in Annex I

Page 13

Future rules under MDR / IVDR

• New chapter on software design requirements (MDR chapter 14, IVDR chapter 13)

• Annex I, 14.2 / 13.2: “For devices that incorporate software or for standalone software that are devices in themselves, the software shall be developed and manufactured according to the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.”

• Annex I, 14.3a/13.3a: “The manufacturer shall describe minimum requirements on hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.”

Page 14

Future rules under MDR / IVDR

New design requirements on access controls:

• Annex I, 15.8 MDR: “Devices shall be designed and manufactured in such a way as to avoid unauthorized access to the device as far as possible that would hamper the device to run as intended.”

• This requirement is not mirrored in the IVDR

• Likely because the active devices chapter in the MDR (chapter 15) is not mirrored in the IVDR

Page 15

Data Protection

Page 16

Data Protection Directive

Page 17

Personal data currently in the EU

• Everybody agrees the current EU system is

• Fragmented

• Outdated

• Unclear

• But, it’s still a good system that has produced a lot of good practices, among others Article 29 WP opinions on security related subjects, e.g. WP 223 on IoT:

Page 18

General EU security regulations and standards: data protection

• Protection against e.g. alteration and unauthorized access has everything to do with cybersecurity, as these impact directly on the safety and performance of the device.

• Non-harmonisation of the Data Protection Directive is a big problem because it leads to member states taking different views on security requirements.

• Dutch NCA refers to the ISO 27000 family as an informal harmonised standard

• Dutch sauce: ISO 27002 is a mandatory standard in the Dutch healthcare market (NEN 7510, 7512 and 7513)

Page 19

General EU security regulations and standards

• Currently authorities mainly approach cybersecurity issues via the Data Protection Directive, which features a security regime in Article 17(1):

Page 20

Privacy by design obligations for medical devices

• WP 223: Controller has responsibility for security of IoT devices

• Parties purchasing OEM devices and solutions will want privacy by design compliance warranties

Page 21

Privacy by design obligations for medical devices

WP 223 on end of life devices and remote monitoring / measuring devices

Medical devices

Page 22

General Data Protection Regulation (GDPR)

Page 23

New General Data Protection Regulation 2016/679

• Prepare now!

• Virtually everything we currently do will become more complicated, more expensive, more administratively burdensome

• 261 pages, 108 of Recitals

• Regulation shall apply from 25 May 2018

• Regulation enters into force on 24 May 2016 (published in the Journal on 4 May), but two year transition

• No grandfathering of existing consents etc

• Many clients target compliance by May 2017 to allow stress testing of systems

• e.g. ISO audits, impact assessment and employing DP Officers

Page 24

What stays the same?

• “Personal Data” remains a cornerstone

• All means reasonably likely to be used to identify an individual

• Remains a dynamic test

• Data can still become “personal” as a result of subsequent technological or other reasons

• Privileged status of “data concerning health” (and data re racial or ethnic origin) requires extra care

• Consent to processing (and purpose limitation) remains a cornerstone

• Capacity to consent remains a matter of national law (e.g. minors or guardians)

• Focus remains on each act of processing of personal data rather than the collection or holding of data. The data controller must verify that there is a legitimate basis for the processing

• Steps taken to anonymise or pseudonymise data = processing

• Export of personal data outside EEA only permissible with adequate level of protection

• Research derogation remains

Page 25

What changes?

• One stop shop with a lead supervisory competent authority

• Fines/penalties for breach

• Up to 4% of annual worldwide turnover for serious breaches (e.g. requirements relating to international transfers or the basic principles for processing)

• Up to 2% of annual worldwide turnover for other breaches

• Data protection becomes a fundamental right

• More access rights (e.g. data portability)

• Impact Assessments required

• Prior approval of impact assessment of each act of processing (sets of similar processing can be grouped)

• Profiling requirements

• Intelligible explanation of automated processing logic

Page 26

What changes?

• Privacy by design & by default

• Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures (such as pseudonymisation) which are designed to implement data protection principles (e.g. data minimisation).

• Implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (e.g. amount collected, extent of processing, storage period and accessibility).

Page 27

What changes?

• Consent requirements tougher

• Pseudonymous data remains personal data regardless of the number and nature of steps taken to key code

• Biological samples = identifiable data

• Exemptions for processing without consent

• Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations or health technology assessments

• Technical standards

• Commission can issue technical standards related to implementation of GDPR requirements

• Mandatory Privacy Officer

Page 28

Impact Assessment (Article 35)

• PIA prior to processing – similar operations with similar risks can be grouped

• Count on all grant funded projects and clinical trials or investigations or registries that require ethics approval needing a PIA

• Authorities will make lists of operations subject to PIA

• Prior consultation of DPA regarding residual risks (article 36)

Page 29

Impact Assessment

Page 30

Security

Data controllers and processors should implement appropriate technical & organizational measures to protect data from loss or any form of unlawful processing

• Article 32 defines security principles

Security measures must take into account (recital 78):

• Nature of the data to be protected and consequences of security breach

• State of the art

• Security by design

• Aim to prevent unnecessary collection and further processing of personal data

• Overriding principle: Plan-Do-Check-Act

• Data breach notification (article 33/34)

• to DPA (<72 hours) and to data subject

• processor must inform controller

Page 31

Known unknowns and wide open doors

• This means that member states can still require geofencing, hosting accreditation and things like that for processing of genetic, biometric and/or health data!

• Only restriction is that these cannot be contrary to the requirements of the internal market and must be proportionate

Page 32

NIS Directive

Page 33

NIS Directive

• Imposes security obligations on “operators of essential services” in critical sectors and “digital service providers”, which will be required to take measures to manage cyber risks and report major security incidents

• The NIS Directive is expected to enter into force in August 2016

• EU Member States will have 21 months to adopt the necessary national provisions

• Following this period, EU Member States have six months to identify operators of essential services

• assess whether services are essential for the maintenance of critical social and economic activities

Page 34

Scope

Applies to separate devices, medical devices related end-to-end services or groups of networked medical devices

Page 35

Page 36

www.axonlawyers.com

THANKS FOR YOUR ATTENTION

Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
M +31 6 47 180 683
E [email protected]
@meddevlegal
B http://medicaldeviceslegal.com

READ MY BLOG: http://medicaldeviceslegal.com