F062 GDPR, MDR, and what you can do about you medical data (Jovan Stevovic)
In May 2020, Medical Device Regulation goes into effect. Digital health companies providing software intended for medical use will need to comply with new requirements. According to Jovan Stevovic, CEO and Co-Founder of Chino.io, companies are much better prepared for MDR than they were for GDPR.
Listen in iTunes.
In general, medical devices are products or equipment intended for medical use. These include long-term corrective contact lenses, surgical lasers, defibrillators, hearing aids, diagnostic ultrasound machines, hip-joint implants, prosthetic heart valves, to name a few examples.
There are three classes of medical devices: Class I Class IIa and IIb, and Class III. The classification depends on the intended use. Medical devices Class I have the lowest perceived risk for health, those in Class III the highest. MDR also defines software which is designed for medicinal purposes, to be a medical device.
To clarify: cybersecurity, data protection, data privacy are different things
GDPR focuses on data protection. The law introduced new rights for users, who can now object to the way their data is being processed or can even request deletion of their data under the right to be forgotten. Data privacy revolves around human rights violation, in simple terms "to see when people monitor you too much," says Jovan Stevović. Data security manages data storage, encryption and management of data, whereas cybersecurity is broader and deals with firewalls, cyberattacks, etc. Many companies may work on cybersecurity but not data security. In healthcare, worries about all of the mentioned above surround especially medical devices, IoT and cyberattacks on protocols for devices.
GDPR and its consequences
Since going into effect in 2018, fines have been imposed under GDPR. The problem is, the height of fines depends on the regulation authority, observes the CEO of Chino.io. According to his observation, a company in one country can get fined much more compared to a company in another state with a similar offence. Fines may seem disproportionate to the violation, because of lack of harmonization among regulators regarding definitions of gravities of violations. "There is also still work to be done on GDPR to make it healthcare specific. At the moment, it is very general compared to HIPPA in the US, which is very specific," comments Stevović.
Some companies are still too ignorant about GDPR, says Jovan Stevovic. Hence, education of entrepreneurs is one of the first tasks for GDPR consultants such as Chino.io. Smaller companies tend to skip requirements at the beginning of their app development, which can cause them a lot of problems in later development. Larger players struggle with processes and connecting legal, quality assurance and other teams.
On the users' side, as observed by Jovan Stevović, people are executing their right to be forgotten and have initiated lawsuits against companies violating their privacy. Unlike before, now privacy policies and terms of services need to be simplified and clear, and most of all, granular, meaning that at least basic function of specific service needs to be available to the user who declined to agree to profiling for marketing activities, etc. On the opposite side Jovan Stevović believes many companies are well prepared for MDR. The upcoming law Is also helping in awareness around data protection and privacy as it mentions GDPR several times, certification authorities are increasingly demanding documentation on security and privacy.
Some questions addressed:
- In one of your posts on Medium you wrote that you were always interested in health data security, which is why in 2014 you founded Chino.io. Can you explain where the interest in health data security comes from?
- Let's clarify the difference between cybersecurity, data security and data protection and data privacy. Which regulation refers to what?
- Chino.io offers technology and consulting to ensure applications are GDPR and HIPAA compliant. What are the most common questions customers turn to you for?
- GDPR is about to turn two years old in May, what have you been observing in 2019? What kind of problems, what kind of unexpected occurrences etc.
- One of the threats of not complying with GDPR were high fines for companies. What was the highest fine for breaching GDPR rules so far?
- Comment: MDR is supposed to go into effect in 2020, the regulation was announced in 2017. Three years later, many organizations are pushing for a delay in putting the law in action. How do you see that? Are you prepared? Is anyone ever really prepared with unknowns that always appear after a law goes into effect?
- All eyes are on Germany regarding digital health implementation and regulation on the national level. What are your expectations?