Med-Tech Meets High-Tech: Privacy, Cybersecurity and AI in Connected Devices

December 04, 2023

Paul Rothermel presented on Med-Tech Meets High-Tech at a recent CLE program that Gardner Law and Fieldfisher hosted in Huntington Beach, California. If you don't have time to watch the session recording, please see the summary of key topics below.

Innovation in connected medical devices is critical to advances in health care outcomes, user experience, and cost reduction. These same technologies can be challenging to bring to market, because a manufacturer must navigate a complex tangle of privacy laws and cybersecurity requirements, as well as the still-nascent legal frameworks addressing artificial intelligence and machine learning.

This brief article summarizes key considerations from the presentation to help connected medical device manufacturers identify and address privacy and cybersecurity issues effectively.

So Many Connected Devices

The realm of connected (or “smart”) medical devices is expansive, encompassing categories such as at-home devices, durable medical equipment (DME), patient monitoring wearables, implants, in-clinic devices like blood pressure monitors and oximeters, and software as a medical device, among others. Each category presents unique challenges and opportunities in terms of data collection, business models, and patient relationships.

Numerous variables influence the connected medical device landscape, ranging from business models (who is buying what and how does it get delivered?) to legal frameworks (what laws apply to this product or service?). Factors such as contractual relationships, data collection, clinical trials, data ownership, and the use of AI/ML bring a multitude of considerations to device development and usage.

Privacy and Cybersecurity Requirements Touch Every Connected Device

Compliance with the applicable regulatory frameworks, including the Health Insurance Portability and Accountability Act (“HIPAA”), the Federal Trade Commission Act (“FTCA”), state laws such as the Washington My Health My Data Act (“MHMDA”) and the California Consumer Privacy Act (“CCPA”), and the Food, Drug, and Cosmetic Act (“FDCA”), is critical not only to minimize regulatory risk but also to reach and retain customers. HIPAA, in particular, governs the use and disclosure of Protected Health Information (“PHI”) and imposes security safeguards on it; a manufacturer is bound by it when the manufacturer is itself a covered entity or handles PHI on a covered entity's behalf as a business associate. A manufacturer that structures its product and business so that it is neither a covered entity nor a business associate is not thereby unregulated: the FTCA's prohibition on unfair or deceptive practices and state health-data laws such as MHMDA and the CCPA reach consumer health data that HIPAA does not. On the device side, the FDCA now carries FDA's premarket cybersecurity requirements for “cyber devices” (section 524B), including a plan for addressing vulnerabilities and a software bill of materials. In short, every connected medical device is subject to privacy and cybersecurity regulation; which requirements apply depends on the device, the data it handles, and who handles that data.

Manufacturers developing smart devices must also keep an eye on the regulation of artificial intelligence and machine learning. In the U.S., regulators are already beginning to formulate rules around AI/ML, and significantly more regulatory activity can be expected in the coming months and years.

Understanding the legal landscape your device is entering is relevant to its design. For example, designing the product and business model so that the manufacturer collects or processes as little patient data as possible (or none at all) narrows the set of obligations that attach, and may indirectly reduce the cost of providing the product to customers.

Successfully Navigating These Challenges

Key to maneuvering effectively through these challenges are fundamental data privacy and security principles: understanding data lifecycles, planning contractual terms around business needs, determining patient consent requirements, and implementing robust privacy and cybersecurity measures.

To successfully navigate the complexities of connected medical device privacy and security, device makers must carefully assess and plan, ideally during the design phase: the data flow lifecycle (what is collected, where it goes, who can access it, and when it is deleted), contracts aligned with company goals, adherence to patient consent requirements, and robust privacy and cybersecurity measures that ensure the safety, effectiveness, and privacy of the device and its ecosystem. Attention to these factors contributes to commercial success by offering better patient privacy protections, minimizing concerns from potential customers, and reducing the risk of government enforcement actions and other legal exposure. A proactive approach can also improve the company's posture in discussions with strategic partners or acquirers. Success begins with an assessment of these key risk areas during the product design phase.

Gardner Law has extensive experience with connected medical devices and applying data, privacy, and cybersecurity considerations to these innovative products. If you have questions, the team at Gardner Law can help.

Learn more about this topic by watching Paul Rothermel's session at Gardner Law's Mastering Tomorrow's Healthcare Tech event.