Is Three Years Enough Time to Prepare for new EU Medical Device Regulations?


Nowhere is the Internet of Things so worrisome as in the world of medical devices. From pacemakers vulnerable to wireless hacking to insulin pumps, devices are deployed with little thought to threat vectors or defenses. Regulators in the EU recognize the importance of controlling medical device proliferation and have enacted a broad set of requirements for tracking medical device development and deployment.

On 5 April, two new Regulations on medical devices were adopted by the European Commission replacing and updating the current regulations.

The new rules will only apply 3 years after entry into force for the Regulation on medical devices (spring 2020) and 5 years after entry into force (spring 2022) for the Regulation on in-vitro diagnostic medical devices.

The new Regulations in a nutshell:

The new Regulations contain a series of extremely important improvements to modernize the current system. Among them are:

  - a new pre-market scrutiny mechanism with the involvement of a pool of experts at EU level for high-risk devices;

  - the reinforcement of the criteria for designation and processes for oversight of Notified Bodies;

  - the inclusion of certain aesthetic devices which present the same characteristics and risk profile as analogous medical devices under the scope of these Regulations;

  - the introduction of a new risk classification system for in-vitro diagnostic medical devices in line with international guidance;

  - improved transparency through the establishment of a comprehensive EU database on medical devices and of a device traceability system based on Unique Device Identification;

  - the introduction of an “implant card” containing information about implanted medical devices for a patient;

  - the reinforcement of the rules on clinical evidence, including an EU-wide coordinated procedure for authorization of multi-center clinical investigations;

  - the strengthening of post-market surveillance requirements for manufacturers;

  - improved coordination mechanisms between EU countries in the fields of vigilance and market surveillance.

Article 33 of the new regulation establishes a European database on medical devices called Eudamed. It is here that data erasure is mentioned.

7. The Commission and the Member States shall ensure that data subjects may effectively exercise their rights to information, of access, to rectification and to object in accordance with Regulation (EC) No 45/2001 and Directive 95/46/EC, respectively. They shall also ensure that data subjects may effectively exercise the right of access to data relating to them, and the right to have inaccurate or incomplete data corrected and erased. Within their respective responsibilities, the Commission and the Member States shall ensure that inaccurate and unlawfully processed data are deleted, in accordance with the applicable legislation. Corrections and deletions shall be carried out as soon as possible, but no later than 60 days after a request is made by a data subject. 

I suspect this is going to have an impact on any IT Asset Disposition service (ITAD) that is processing medical devices. They will certainly need to erase all data on the devices. But there will likely be a requirement for connecting to the Eudamed database to update it on the status of the device and record that it was properly erased.

After last week’s demonstration that the UK National Health Service is extremely vulnerable to attacks against unpatched versions of Windows dating back more than a decade, there is some doubt that the industry is going to be able to adapt to these new regulations. A three-year grace period seems like a lot of time. But note that organizations have 375 days to become compliant with the EU General Data Protection Regulation, the mother of all Data Protection Regulations, yet most are woefully unprepared.


Stewart Southey


You might be interested to chat with Susan Ramonat

You do not need to think about "threat vectors" if you simply DO NOT put a Wi-Fi module in those things that do not need it.
