EU CYBERSECURITY REGULATION FOR MEDICAL DEVICES
Q1 conference
25 July 2016
Erik Vollebregt
www.axonadvocaten.nl
EU amends devices related rules with profound changes
• Medical Devices Regulation / IVD Regulation
• General Data Protection Regulation
• Network Information Systems Directive
• Get it right or get it wrong – mistakes will impact your company severely
EU approach to cybersecurity
Currently:
• Medical devices Directives (AIMDD, MDD and IVDD)
• Risk management under MDD (EN ISO 14971:2012)
• Software life cycle management (EN ISO 62304:AC 2008)
• Data Protection Directive security and integrity of data requirements
Near future:
• Medical Devices Regulation and IVD Regulation software design
requirements
• General Data Protection Regulation privacy by design and default
requirements
• Network Information Systems Directive
On our way to Snowden 2.0?
Medical devices regulation
Current rules
• Simple yet complex, because security is a matter of
• risk management under medical devices rules (EN ISO
14971:2012)
• security measures prescribed in EN 45502-1:2015 and in the EN
62304:AC 2008
• data security under Data Protection Directive (article 17)
• This means no single clear set of standards exists in one place
Risk management
Reduce risk ‘as far as possible’ – no room for acceptable risks (EN ISO
14971:2012 Z annexes):
Risk management
Most developed thinking in EN 45502-1:2015
EN 62304 § 5.2.2 Software life
cycle requirements re security
Typical cybersecurity points
for SW requirements
content
General EU security regulations and
standards
• IEC 80001 – Application of risk management for IT-networks
incorporating medical devices
• Played an important role in 2009 in the first version of the guidance
of the Swedish competent authority Läkemedelsverket, “Proposal for
guidelines regarding classification of software based information
systems used in health care”.
• This is not a harmonised standard under the medical devices
directives, because it is directed at clinical institutions and not to
medical device manufacturers.
Future rules under MDR / IVDR
• More emphasis on risk management in Annex I of the Regulations –
reduction AFAP
• Annex I, 11.2 MDR: Devices shall be designed and manufactured
in such a way as to remove or reduce as far as possible:
[…] (e) the risks associated with the possible negative
interaction between software and the IT environment within
which it operates and interacts;
• Specific chapter on software design requirements in Annex I
Future rules under MDR / IVDR
• New chapter on software design requirements (MDR chapter 14, IVDR
chapter 13)
• Annex I, 14.2 / 13.2: “For devices that incorporate software or for
standalone software that are devices in themselves, the software
shall be developed and manufactured according to the state of the
art taking into account the principles of development life cycle, risk
management, including information security, verification and
validation.”
• Annex I, 14.3a/13.3a: “The manufacturer shall describe minimum
requirements on hardware, IT networks characteristics and IT
security measures, including protection against unauthorised
access, necessary to run the software as intended.”
Future rules under MDR / IVDR
New design requirements on access controls:
• Annex I, 15.8 MDR: “Devices shall be designed and manufactured in
such a way as to avoid unauthorized access to the device as far as
possible that would hamper the device to run as intended.”
• This requirement is not mirrored in the IVDR
• Likely because the active devices chapter in the MDR (chapter 15)
is not mirrored in the IVDR
Data Protection
Data Protection Directive
Personal data currently in the EU
• Everybody agrees the current EU system is
• Fragmented
• Outdated
• Unclear
• But, it’s still a good system that has
produced a lot of good practices, among
others Article 29 WP opinions on security
related subjects, e.g. WP 223 on IoT:
General EU security regulations and
standards: data protection
• Protection against e.g. alteration and unauthorized access have
everything to do with cybersecurity, as these impact directly on safety
and performance of the device.
• Non harmonization of the Data Protection Directive is a big problem
because it leads to the situation of member states taking different views
on security terms requirements.
• Dutch NCA refers to ISO 27000 family as informal harmonised standard
• Dutch sauce: ISO 27002 mandatory standard in Dutch healthcare
market (NEN 7510, 7512 and 7513)
General EU security regulations and
standards
• Currently authorities mainly approach cybersecurity issues via the Data Protection
Directive, which features a security regime in Article 17(1):
Privacy by design obligations for
medical devices
• WP 223: Controller has responsibility for security of IoT devices
• Parties purchasing OEM devices and solutions will want privacy by
design compliance warranties
Privacy by design obligations for
medical devices
WP 223 on end of life devices and remote monitoring / measuring devices
General Data Protection
Regulation (GDPR)
New General Data Protection
Regulation 2016/679
• Prepare now!
• Virtually everything we currently do will become more complicated, more
expensive, more administratively burdensome
• 261 pages, 108 of Recitals
• Regulation shall apply from 25 May 2018
• Regulation enters into force on 24 May 2016 (published in the
Journal on 4 May), but two year transition
• No grandfathering of existing consents etc
• Many clients target compliance by May 2017 to allow stress testing of
systems
• eg ISO audits, impact assessment and employing DP Officers
What stays the same?
• “Personal Data” remains a cornerstone
• All means reasonably likely to be used to identify an individual
• Remains a dynamic test
• Data can still become “personal” as a result of subsequent
technological or other reasons
• Privileged status of “data concerning health” (and data re racial or ethnic
origin) requires extra care
• Consent to processing (and purpose limitation) remains a cornerstone
• Capacity to consent remains a matter of national law (eg minors
or guardians)
• Focus remains on each act of processing of personal data rather than
the collection or holding of data. The data controller must verify that
there is a legitimate basis for the processing
• Steps taken to anonymise or pseudonymise data = processing
• Export of personal data outside EEA only permissible with adequate
level of protection
• Research derogation remains
What changes?
• One stop shop with a lead supervisory competent authority
• Fines/penalties for breach
• Up to 4% of annual worldwide turnover for serious breaches (eg
requirements relating to international transfers or the basic principles
for processing)
• Up to 2% of annual worldwide turnover for other breaches
• Data protection becomes a fundamental right
• More access rights (e.g. data portability)
• Impact Assessments required
• Prior approval of impact assessment of each act of processing (sets
of similar processing can be grouped)
• Profiling requirements
• Intelligible explanation of automated processing logic
What changes?
• Privacy by design & by default
• Taking into account the state of the art, the cost of implementation
and the nature, scope, context and purposes of processing as well
as the risks of varying likelihood and severity for rights and
freedoms of natural persons posed by the processing, both at the
time of the determination of the means for processing and at the
time of the processing itself, implement appropriate technical and
organisational measures (e.g. pseudonymisation), which
are designed to implement data protection principles (e.g. data
minimisation).
• Implement appropriate technical and organisational measures to
ensure that, by default, only personal data which are necessary
for each specific purpose of the processing are processed (e.g.
amount collected, extent of processing, storage period and
accessibility).
What changes?
• Consent requirements tougher
• Pseudonymous data remains personal data regardless of the number
and nature of steps taken to key code
• Biological samples = identifiable data
• Exemptions for processing without consent
• Exemptions not suited for outsourced processing in eHealth /
mHealth services and not drafted for regulatory clinical data
obligations or health technology assessments
• Technical standards
• Commission can issue technical standards related to
implementation of GDPR requirements
• Mandatory Privacy Officer
Impact Assessment
Article 35
• PIA prior to processing – similar operations with similar risks can be
grouped
• Count on all grant funded projects and clinical trials or investigations or
registries that require ethics approval needing PIA
• Authorities will make lists of operations subject to PIA
• Prior consultation of DPA regarding residual risks (article 36)
Impact Assessment
Security
Data controllers and processors should implement appropriate
technical & organizational measures to protect data from loss or
any form of unlawful processing
• Article 32 defines security principles
Security measures must take into account (recital 78):
• Nature of the data to be protected and consequences of security
breach
• State of the art
• Security by design
• Aim to prevent unnecessary collection and further processing of
personal data
• Overriding principle: Plan-Do-Check-Act
• Data breach notification (article 33/34)
• to DPA (<72 hours) and to data subject
• processor must inform controller
Known unknowns and wide open
doors
• This means that member states can still require geofencing, hosting
accreditation and things like that for processing of genetic, biometric
and/or health data!
• Only restriction is that these cannot be contrary to the requirements of
the internal market and must be proportionate
NIS Directive
NIS Directive
• Imposes security obligations on “operators of essential services” in
critical sectors and “digital service providers” - will be required to take
measures to manage cyber risks and report major security incidents
• The NIS Directive is expected to enter into force in August 2016
• EU Member States will have 21 months to adopt the necessary
national provisions
• Following this period, EU Member States have six months to identify
operators of essential services
• assess whether services are essential for the maintenance of
critical social and economic activities
Scope
Applies to separate devices, medical devices related end-to-end services
or groups of networked medical devices
www.axonlawyers.com
THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
M +31 6 47 180 683
E erik.vollebregt@axonlawyers.com
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com

 
Use of left over samples under the IVDR and GDPR
Use of left over samples under the IVDR and GDPRUse of left over samples under the IVDR and GDPR
Use of left over samples under the IVDR and GDPRErik Vollebregt
 
Regulation of Economic Operators under the MDR and IVDR
Regulation of Economic Operators under the MDR and IVDRRegulation of Economic Operators under the MDR and IVDR
Regulation of Economic Operators under the MDR and IVDRErik Vollebregt
 

More from Erik Vollebregt (20)

Economic operators and the exits
Economic operators and the exitsEconomic operators and the exits
Economic operators and the exits
 
Q1 medical device packaging conference 10 november 2020
Q1 medical device packaging conference 10 november 2020Q1 medical device packaging conference 10 november 2020
Q1 medical device packaging conference 10 november 2020
 
Easy medical devices podcast self tests ivdr
Easy medical devices podcast self tests ivdrEasy medical devices podcast self tests ivdr
Easy medical devices podcast self tests ivdr
 
Your legal relationship with your notified body
Your legal relationship with your notified bodyYour legal relationship with your notified body
Your legal relationship with your notified body
 
Point of-care, biosensors &amp; mobile diagnostics europe 2019
Point of-care, biosensors &amp; mobile diagnostics europe 2019Point of-care, biosensors &amp; mobile diagnostics europe 2019
Point of-care, biosensors &amp; mobile diagnostics europe 2019
 
HOW TO WORK WITH EMERGENCY RULES RELATING TO COVID 19?
HOW TO WORK WITH EMERGENCY RULES RELATING TO COVID 19?HOW TO WORK WITH EMERGENCY RULES RELATING TO COVID 19?
HOW TO WORK WITH EMERGENCY RULES RELATING TO COVID 19?
 
M&A and medical devices presentation
M&A and medical devices presentationM&A and medical devices presentation
M&A and medical devices presentation
 
MDR and class I medical devices presentation
MDR and class I medical devices presentationMDR and class I medical devices presentation
MDR and class I medical devices presentation
 
Q1 MDR and IVDR PRRC presentation
Q1 MDR and IVDR PRRC presentation Q1 MDR and IVDR PRRC presentation
Q1 MDR and IVDR PRRC presentation
 
Legal aspects of the new EU Medical Devices Regulation - known and unknowns
Legal aspects of the new EU Medical Devices Regulation - known and unknownsLegal aspects of the new EU Medical Devices Regulation - known and unknowns
Legal aspects of the new EU Medical Devices Regulation - known and unknowns
 
Advamed Med Tech 2019 countdown presentation
Advamed Med Tech 2019 countdown presentationAdvamed Med Tech 2019 countdown presentation
Advamed Med Tech 2019 countdown presentation
 
Managing New Requirement for Economic Operator Regime
Managing New Requirement for Economic Operator RegimeManaging New Requirement for Economic Operator Regime
Managing New Requirement for Economic Operator Regime
 
Legal and regulatory developments in precision medicine and diagnostic devices
Legal and regulatory developments in precision medicine and diagnostic devicesLegal and regulatory developments in precision medicine and diagnostic devices
Legal and regulatory developments in precision medicine and diagnostic devices
 
Q1 Medical Devices Regulation - practical consequences for manufacturers
Q1 Medical Devices Regulation - practical consequences for manufacturersQ1 Medical Devices Regulation - practical consequences for manufacturers
Q1 Medical Devices Regulation - practical consequences for manufacturers
 
Economic operators under the MDR and IVDR
Economic operators under the MDR and IVDREconomic operators under the MDR and IVDR
Economic operators under the MDR and IVDR
 
VZI jaarcongres: de MDR en IVDR - de impact in de medische techniek
VZI jaarcongres: de MDR en IVDR - de impact in de medische techniekVZI jaarcongres: de MDR en IVDR - de impact in de medische techniek
VZI jaarcongres: de MDR en IVDR - de impact in de medische techniek
 
NEN symposium on Medical Devices and IVD Regulation
NEN symposium on Medical Devices and IVD RegulationNEN symposium on Medical Devices and IVD Regulation
NEN symposium on Medical Devices and IVD Regulation
 
Advamed EU MDR and IVDR panel presentation
Advamed EU MDR and IVDR panel presentationAdvamed EU MDR and IVDR panel presentation
Advamed EU MDR and IVDR panel presentation
 
Use of left over samples under the IVDR and GDPR
Use of left over samples under the IVDR and GDPRUse of left over samples under the IVDR and GDPR
Use of left over samples under the IVDR and GDPR
 
Regulation of Economic Operators under the MDR and IVDR
Regulation of Economic Operators under the MDR and IVDRRegulation of Economic Operators under the MDR and IVDR
Regulation of Economic Operators under the MDR and IVDR
 

EU cybersecurity requirements under current and future medical devices regulation

  • 1. EU CYBERSECURITY REGULATION FOR MEDICAL DEVICES Q1 conference 25 July 2016 Erik Vollebregt www.axonadvocaten.nl
  • 2.
  • 3. EU amends devices related rules with profound changes • Medical Devices Regulation / IVD Regulation • General Data Protection Regulation • Network Information Systems Directive • Get it right or get it wrong – mistakes will impact your company severely
  • 4. EU approach to cybersecurity Currently: • Medical devices Directives (AIMDD, MDD and IVDD) • Risk management under MDD (EN ISO 14971:2012) • Software life cycle management (EN ISO 62304:AC 2008) • Data Protection Directive security and integrity of data requirements Near future: • Medical Devices Regulation and IVD Regulation software design requirements • General Data Protection Regulation privacy by design and default requirements • Network Information Systems Directive
  • 5. On our way to Snowden 2.0?
  • 7. Current rules • Simple yet complex, because security is a matter of • risk management under medical devices rules (EN ISO 14971:2012) • security measures prescribed in EN 45502-1:2015 and in the EN 62304:AC 2008 • data security under Data Protection Directive (article 17) • This means no single clear set of standards exists in one place
  • 8. Risk management Reduce risk ‘as far as possible’ – no room for acceptable risks (EN ISO 14971:2012 Z annexes):
  • 9. Risk management Most developed thinking in EN 45502-1:2015
  • 10. EN 62304 § 5.2.2 Software life cycle requirements re security Typical cybersecurity points for SW requirements content
  • 11. General EU security regulations and standards • IEC 80001 – Application of risk management for IT-networks incorporating medical devices • Plays an important role in the first version (2009) of the Swedish competent authority Läkemedelsverket's guidance “Proposal for guidelines regarding classification of software based information systems used in health care”. • This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not at medical device manufacturers.
  • 12. Future rules under MDR / IVDR • More emphasis on risk management in Annex I of the Regulations – reduction AFAP • Annex I, 11.2 MDR: Devices shall be designed and manufactured in such a way as to remove or reduce as far as possible: […] (e) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts; • Specific chapter on software design requirements in Annex I
  • 13. Future rules under MDR / IVDR • New chapter on software design requirements (MDR chapter 14, IVDR chapter 13) • Annex I, 14.2 / 13.2: “For devices that incorporate software or for standalone software that are devices in themselves, the software shall be developed and manufactured according to the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.” • Annex I, 14.3a/13.3a: “The manufacturer shall describe minimum requirements on hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.”
  • 14. Future rules under MDR / IVDR New design requirements on access controls: • Annex I, 15.8 MDR: “Devices shall be designed and manufactured in such a way as to avoid unauthorized access to the device as far as possible that would hamper the device to run as intended.” • This requirement is not mirrored in the IVDR • Likely because the active devices chapter in the MDR (chapter 15) is not mirrored in the IVDR
  • 17. Personal data currently in the EU • Everybody agrees the current EU system is • Fragmented • Outdated • Unclear • But, it’s still a good system that has produced a lot of good practices, among others Article 29 WP opinions on security related subjects, e.g. WP 223 on IoT:
  • 18. General EU security regulations and standards: data protection • Protection against e.g. alteration and unauthorized access have everything to do with cybersecurity, as these impact directly on safety and performance of the device. • Non harmonization of the Data Protection Directive is a big problem because it leads to the situation of member states taking different views on security terms requirements. • Dutch NCA refers to ISO 27000 family as informal harmonised standard • Dutch sauce: ISO 27002 is a mandatory standard in the Dutch healthcare market (NEN 7510, 7512 and 7513)
  • 19. General EU security regulations and standards • Currently authorities mainly approach cybersecurity issues via Data Protection Directive, which features a security regime in Article 17(1):
  • 20. Privacy by design obligations for medical devices • WP 223: Controller has responsibility for security of IoT devices • Parties purchasing OEM devices and solutions will want privacy by design compliance warranties
  • 21. Privacy by design obligations for medical devices WP 223 on end of life devices and remote monitoring / measuring devices
  • 23. New General Data Protection Regulation 2016/679 • Prepare now! • Virtually everything we currently do will become more complicated, more expensive, more administratively burdensome • 261 pages, 108 of Recitals • Regulation shall apply from 25 May 2018 • Regulation enters into force on 24 May 2016 (published in the Journal on 4 May), but two year transition • No grandfathering of existing consents etc • Many clients target compliance by May 2017 to allow stress testing of systems • eg ISO audits, impact assessment and employing DP Officers
  • 24. What stays the same? • “Personal Data” remains a cornerstone • All means reasonably likely to be used to identify an individual • Remains a dynamic test • Data can still become “personal” as a result of subsequent technological or other reasons • Privileged status of “data concerning health” (and data re racial or ethnic origin) requires extra care • Consent to processing (and purpose limitation) remains a cornerstone • Capacity to consent remains a matter of national law (eg minors or guardians) • Focus remains on each act of processing of personal data rather than the collection or holding of data. The data controller must verify that there is a legitimate basis for the processing • Steps taken to anonymise or pseudonymise data = processing • Export of personal data outside EEA only permissible with adequate level of protection • Research derogation remains
  • 25. What changes? • One stop shop with a lead supervisory competent authority • Fines/penalties for breach • Up to 4% of annual worldwide turnover for serious breaches (eg requirements relating to international transfers or the basic principles for processing) • Up to 2% of annual worldwide turnover for other breaches • Data protection becomes a fundamental right • More access rights (e.g. data portability) • Impact Assessments required • Prior approval of impact assessment of each act of processing (sets of similar processing can be grouped) • Profiling requirements • Intelligible explanation of automated processing logic
  • 26. What changes? • Privacy by design & by default • Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures (such as pseudonymisation) which are designed to implement data protection principles (e.g. data minimisation). • Implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (e.g. amount collected, extent of processing, storage period and accessibility).
  • 27. What changes? • Consent requirements tougher • Pseudonymous data remains personal data regardless of the number and nature of steps taken to key code • Biological samples = identifiable data • Exemptions for processing without consent • Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations or health technology assessments • Technical standards • Commission can issue technical standards related to implementation of GDPR requirements • Mandatory Privacy Officer
  • 28. Impact Assessment Article 35 • PIA prior to processing – similar operations with similar risks can be grouped • Count on all grant funded projects and clinical trials or investigations or registries that require ethics approval needing PIA • Authorities will make lists of operations subject to PIA • Prior consultation of DPA regarding residual risks (article 36)
  • 30. Security Data controllers and processors should implement appropriate technical & organizational measures to protect data from loss or any form of unlawful processing • Article 32 defines security principles Security measures must take into account (recital 78): • Nature of the data to be protected and consequences of security breach • State of the art • Security by design • Aim to prevent unnecessary collection and further processing of personal data • Overriding principle: Plan-Do-Check-Act • Data breach notification (article 33/34) • to DPA (<72 hours) and to data subject • processor must inform controller
  • 31. Known unknowns and wide open doors • This means that member states can still require geofencing, hosting accreditation and things like that for processing of genetic, biometric and/or health data! • Only restriction is that these cannot be contrary to the requirements of the internal market and must be proportionate
  • 33. NIS Directive • Imposes security obligations on “operators of essential services” in critical sectors and “digital service providers” - will be required to take measures to manage cyber risks and report major security incidents • The NIS Directive is expected to enter into force in August 2016 • EU Member States will have 21 months to adopt the necessary national provisions • Following this period, EU Member States have six months to identify operators of essential services • assess whether services are essential for the maintenance of critical social and economic activities
  • 34. Scope Applies to separate devices, medical devices related end-to-end services or groups of networked medical devices
  • 35.
  • 36. www.axonlawyers.com THANKS FOR YOUR ATTENTION Erik Vollebregt Axon Lawyers Piet Heinkade 183 1019 HC Amsterdam T +31 88 650 6500 M +31 6 47 180 683 E erik.vollebregt@axonlawyers.com @meddevlegal B http://medicaldeviceslegal.com READ MY BLOG: http://medicaldeviceslegal.com