By Sagar Patel
Every day more and more electronic devices are “connected”, and medical devices are no exception. Medical devices are connected to network servers for many end outcomes, including preventative diagnostics, patient-care management, medication adherence, and remote health monitoring.
While connectivity is revolutionizing the healthcare industry, protecting patient privacy and safeguarding data against obvious and non-obvious adversaries has been challenging. Free market economies have a history of under-valuing user privacy aspects to improve user convenience.
In response to this, the European Union (EU) introduced GDPR (General Data Protection Regulation), effective May 25, 2018, to increase the user’s role in data protection and provide users with autonomy regarding how their data is handled and safeguarded. All companies fielding devices in the EU that store, control or process patient data are required to adhere to the GDPR; failure to adhere will result in financial penalties. Below are GDPR highlights for awareness and consideration by medical device manufacturers.
GDPR outlines the following three categories for clinical data:
Personal data concerning physical or mental health of a person
Personal data relating to inherited or acquired genetic characteristics of a person (genetic data)
For all data collection/processing methods, specific opt-in consent from the user/patient must be obtained. GDPR also mandates Privacy Impact Assessments (PIAs) for organizations that store/process patient data. A PIA is a process that assists organizations in identifying and minimizing the privacy risks of new projects or policies. Under GDPR, data protection regulators may carry out security audits to verify compliance with the regulation. An audit would primarily involve obtaining access to any premises of the data controller and processor, including any data processing equipment and means.
One GDPR section that isn’t discussed in depth is data pseudonymization. Copious amounts of data collected through connected medical devices are often used to train machine learning algorithms, usually for predictive diagnostics. Because current collection methods gather multiple data points per patient, the resulting data sets allow patient profiling. GDPR specifically calls for data processors/controllers to implement data pseudonymization to mitigate profiling risks. This may involve dissociating the data from the user/patient and encrypting it, whether in transit or at rest.
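As an added illustration of the pseudonymization described above (example code, not from the article or from Battelle): a keyed HMAC token replaces the direct identifiers in each device reading so readings from the same patient still link together for analytics, while the token-to-patient link table is held separately by the data controller. The field names and sample readings are constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Direct identifiers that must never reach the analytics / ML data set.
DIRECT_IDENTIFIERS = ("patient_id", "name", "email", "address")

# Constructed sample telemetry from a connected glucose meter.
READINGS = [
    {"patient_id": "P-001", "name": "A. Example", "glucose_mg_dl": 110, "ts": 1},
    {"patient_id": "P-001", "name": "A. Example", "glucose_mg_dl": 142, "ts": 2},
    {"patient_id": "P-002", "name": "B. Example", "glucose_mg_dl": 98, "ts": 3},
]


def make_pseudonym(key: bytes, patient_id: str) -> str:
    """Keyed, deterministic pseudonym. A plain (unkeyed) hash would be
    reversible by enumerating the small patient-id space; the HMAC key
    makes the token meaningless to anyone who does not hold it."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


class Pseudonymizer:
    """Splits a reading into (a) a pseudonymized record safe for analytics
    and (b) a re-identification link held only by the controller."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)   # keep in a KMS/HSM in practice
        self.link_table: Dict[str, str] = {}        # pseudonym -> patient_id

    def pseudonymize(self, record: dict) -> dict:
        token = make_pseudonym(self.key, record["patient_id"])
        self.link_table[token] = record["patient_id"]
        clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        clean["subject"] = token                    # stable per patient, no identity
        return clean

    def reidentify(self, token: str) -> Optional[str]:
        """Only the controller, via the link table, can map a token back."""
        return self.link_table.get(token)

    def erase(self, patient_id: str) -> str:
        """Right to erasure: drop the link and return the token so the caller can
        also purge analytics rows. Because the HMAC key still exists, the key
        holder could recompute the token; full erasure also needs those rows gone."""
        token = make_pseudonym(self.key, patient_id)
        self.link_table.pop(token, None)
        return token
```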
In addition, GDPR provides patients several rights, including:
Right to be forgotten (erasure): User may request all data associated with them to be deleted from any data controller/processor.
Right to data portability: Allows individuals to obtain and reuse their personal data for their own purposes.
Right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
Right to object: Allows individuals to object to the processing of their personal data in certain circumstances, such as for targeted marketing.
GDPR changes the way in which medical device companies need to think about and design medical devices with respect to communication, software updating, data storage and processing. While GDPR may initially seem overwhelming, organizations employing comprehensive user privacy practices will be well on their way to regulation adherence and data protection.
About the Author
Sagar Patel is a Cybersecurity Software Engineer at Battelle. He is lead engineer for Battelle's DeviceSecure Services and is a member of the Association for the Advancement of Medical Instrumentation (AAMI) Device Security Working Group.
This article was originally published in MDDI Online.