The EU’s General Data Protection Regulation (GDPR) will go into full effect on May 25, 2018. While most of the GDPR affects the back end of medical device data handling (the cloud, databases, and the transportation of data), some of the GDPR affects the software on the medical devices themselves.
The basic concept is that your patient’s data is no longer yours to process at will. Instead, the device now needs to be configured to protect patients’ data.
If the device is used by practitioners, each practitioner will need a way to signify that the patient understands and consents to the processing of their data that will take place on the medical device. Essentially, whoever controls the data on behalf of the patient is considered the Controller; if the Controller subcontracts processing to another service provider, that provider is considered the Processor. Processing that takes place on medical devices is covered under GDPR in any case where the data subject is a member of an EU country or is visiting the EU.
Encrypting the data on devices at rest and in transit is paramount. Phones that draw data from and/or are updated by medical devices should be considered medical devices for purposes of compliance with General Data Protection Regulation.
Rights provided via the General Data Protection Regulation are:
- To be informed of the type of processing of their data that will be taking place
- To access and review the data that is being used to make decisions about the data subject
- The right to be forgotten once the service provided is completed
- The right to data portability, where the service provider must provide the data subject with their data in an electronic format
These rights have many specific processing requirements built around them, and the relevant Supervisory Authorities, the organizations that enforce the General Data Protection Regulation, will have opinions on how these rights should be applied.