The challenges facing wearable technology are broad, ranging from data security, trust, and incentivisation to regulatory and ethical hurdles. Regulation of wearables is in flux: some regulatory agencies view wearables as low-risk devices and avoid classifying them as regulated products, while others are clearly unaware of the potential security issues associated with wearable devices. As a result, wearable OEMs are increasingly being held liable for the protection of public data.
Listed below are the key regulatory trends in wearable tech in the healthcare industry over the next two to three years, as identified by GlobalData.
Across the EU, the protection of mHealth data generated by body-worn fitness devices is an increasingly pressing concern. To reduce the risk of data manipulation and misuse, the General Data Protection Regulation (GDPR) framework requires that wearable users be made aware of what data is being accessed and by which app. At the same time, supply chain stakeholders, including OEMs, are compelled to follow the rigorous principle of “data protection by design and by default.”
Because no system can protect data with complete certainty, the “data protection by design and by default” approach aims to limit the amount of data exposed in the event of a breach or malfunction. Under this approach, GDPR explicitly requires that only the personal data necessary for each specific purpose of the processing is processed. This requirement covers the amount of data collected, the storage period, the extent of processing, and the accessibility of the data. Having previously faced challenges in protecting personal data, companies such as Fitbit and Google have swiftly redesigned their privacy policies.
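The four dimensions of data minimisation named above (amount collected, storage period, extent of processing, accessibility) can be enforced in code rather than left to policy. The following is an added example, not taken from the report or from any OEM's software: each processing purpose declares the only fields it may keep, its retention period and the roles allowed to read the result, and everything else in a raw wearable upload is discarded before storage. The purpose names, field names, retention periods and the sample record are constructed for this illustration.

```python
"""Purpose-bound data minimisation for wearable telemetry (added example).

Each processing purpose declares the fields it needs, how long they may be
kept, and which roles may read them. Anything in a raw wearable record that
no declared purpose needs is never stored. Purposes, field names, retention
periods and the sample record below are constructed, not from any vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" and a one-day unit so the example is reproducible.
NOW = datetime(2018, 6, 1, 8, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset      # the only personal data this purpose may process
    retention: timedelta   # storage limit for data processed for this purpose
    readers: frozenset     # roles allowed to access the stored data


# Constructed purpose registry: the default is deny, because any purpose not
# listed here cannot process anything at all.
PURPOSES = {
    "step_count_display": Purpose(
        name="step_count_display",
        fields=frozenset({"user_id", "timestamp", "steps"}),
        retention=30 * DAY,
        readers=frozenset({"user"}),
    ),
    "heart_rate_alerting": Purpose(
        name="heart_rate_alerting",
        fields=frozenset({"user_id", "timestamp", "heart_rate_bpm"}),
        retention=7 * DAY,
        readers=frozenset({"user", "clinician"}),
    ),
}


def minimise(record: dict, purpose_name: str, now: datetime) -> dict:
    """Keep only the fields the declared purpose needs and stamp an expiry.

    An undeclared purpose raises KeyError, so new processing cannot start
    silently without a declared field list. A record missing a required
    field raises ValueError instead of storing a partial result.
    """
    purpose = PURPOSES[purpose_name]
    kept = {k: v for k, v in record.items() if k in purpose.fields}
    missing = purpose.fields - set(kept)
    if missing:
        raise ValueError(f"record lacks fields required for {purpose_name}: {sorted(missing)}")
    kept["_purpose"] = purpose_name
    kept["_expires_at"] = (now + purpose.retention).isoformat()
    return kept


def purge_expired(store: list, now: datetime) -> list:
    """Storage limitation: drop every record past its purpose's retention."""
    return [r for r in store if datetime.fromisoformat(r["_expires_at"]) > now]


def can_read(record: dict, role: str) -> bool:
    """Accessibility: a stored record is readable only by its purpose's roles."""
    return role in PURPOSES[record["_purpose"]].readers


# Constructed raw upload as a wearable app might send it: far more than any
# single purpose needs (GPS fix, device identity, sleep data).
RAW_RECORD = {
    "user_id": "u-1234",
    "timestamp": "2018-06-01T08:00:00+00:00",
    "steps": 5120,
    "heart_rate_bpm": 72,
    "gps_lat": 51.5074,
    "gps_lon": -0.1278,
    "device_serial": "SN-EXAMPLE-0001",
    "sleep_minutes": 412,
}


if __name__ == "__main__":
    stored = [
        minimise(RAW_RECORD, "step_count_display", NOW),
        minimise(RAW_RECORD, "heart_rate_alerting", NOW),
    ]
    for r in stored:
        print(r)
    remaining = purge_expired(stored, NOW + 10 * DAY)
    print(len(remaining), "record(s) remain after 10 days")
```

The design choice worth noting is the default-deny registry: a new feature cannot read a field, keep it longer, or expose it to a new role without adding a line to `PURPOSES`, which is exactly the artefact a DPIA reviewer would want to inspect.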
Apple, Samsung, and other wearable OEMs are also adopting newer, more dynamic policies. For enterprise adoption, GDPR requires employers to perform a Data Privacy Impact Assessment (DPIA) to assess the necessity and proportionality of their technology plans. The DPIA documents the employer’s risk assessment for the use of wearables and how employee privacy is balanced against the protection of business interests. As the European wearables market is still at an early stage, these regulations are certain to be amended as adoption accelerates in the coming years.
Low-risk general wellness wearable technology, including fitness trackers and smartwatches, is normally not subject to FDA regulation: the FDA views such wearables as “general wellness” products that promote wellness and present very low risk to the user’s safety, and therefore refrains from regulating them. However, recent releases such as QardioCore and AliveCor’s Kardia products have been granted FDA clearance because they act as mobile ECG sensors to detect heart disease, anxiety, and more. This represents a step forward by the FDA, which is increasing its regulatory oversight in order to provide guidance.
Taking security and privacy concerns into account, wearable OEMs are either self-regulating or aligning with medical device compliance guidelines. Although wearables are not defined under any US federal law, Protected Health Information (PHI) is regulated by the Office for Civil Rights (OCR). Any wearable OEM found sharing PHI with Covered Entities, such as health plans, health care clearinghouses, and healthcare providers, is subject to enforcement action by the OCR. The same applies to third-party partners of both wearable OEMs and Covered Entities.
Cloud service providers partnering with wearable business associates must offer Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance as an add-on feature and sign Business Associate (BA) contracts as part of the deal. US wearable OEMs therefore operate under more relaxed conditions in their domestic market than in the EU. Data collected by a wearable device is protected by HIPAA only when it is shared with medical establishments.
Digital vs. Traditional Healthcare
Traditional regulation of medical devices relies on them meeting conformity standards. Manufacturers supply safety and efficacy data from extensive clinical trials to regulators. However, these traditional means of assessing safety and efficacy are being overtaken by the pace of technology development.
Regulators have accepted that traditional healthcare regulation does not fully support digital change. This is especially true where there is currently little harmonisation or convergence of medical device guidance or regulations, and this fragmentation is challenging for companies in the sector. Many are either designing devices to avoid the complex regulatory process, or taking advantage of ongoing developments and designing devices to fit within existing regulatory guidelines.
As wearable technology matures, there is an opportunity for tech companies, developers, and healthcare bodies to be more involved in the design of future regulatory frameworks. Companies will then have more of an influence on the regulatory outcome.
Data Security as a Critical Issue
Data security trends include the changing nature of cyber threats, the evolution of key cybersecurity technologies, industry growth drivers, healthcare governance trends, and cybersecurity trends in healthcare. Ransomware, insider and privilege misuse, denial of service attacks, “hacktivist” groups, and online fraud have all increased significantly in the past five years. In one recent healthcare breach, as many as 79 million patient medical records were affected. The number of breached patient records tripled in 2018 compared to 2017, with 51% of breaches being repeat offences, continuing the trend of at least one health data breach per day (JAMA, 2018).
Threats to patient information consequently undermine public trust. Regulation has responded: in the EU, the Directive on Security of Network and Information Systems (NIS), adopted by the European Parliament in July 2016, aims to harmonise EU cybersecurity regulation, and the General Data Protection Regulation (GDPR), which came into effect in May 2018, protects and strengthens EU citizens’ data privacy and enforces structural changes in the way organisations approach customer data privacy and protection. Under GDPR, non-compliant organisations could face fines of 4% of their annual turnover or €20M ($22.3M), whichever is higher.
Privacy by design
In the US, cybersecurity regulation is less strict at the federal level than in Europe. The National Institute of Standards and Technology (NIST), a unit of the US Department of Commerce, publishes a code of best practices, the NIST Cybersecurity Framework, but it is not mandatory.
Currently, 42 out of 50 states have introduced more than 240 bills related to cybersecurity, so the standards to be adhered to are both improving and continuing to change. Tech vendors are being compelled to adopt “privacy by design” during product development and “Privacy-as-a-Service” over the product life cycle. Users are advised to keep their devices updated with the most recent firmware. For medical devices there is no specific regulation in place, only guidance covering assets, threats, and vulnerabilities.
This is an edited extract from the Wearable Technology in Healthcare – Thematic Research report produced by GlobalData Thematic Research.