Regulation of wearables is in flux. Some regulatory agencies view wearables as low-risk devices and refrain from classifying them as regulated products, while others appear largely unaware of the security issues that wearable devices raise. As a result, wearable original equipment manufacturers (OEMs) are increasingly being held liable for protecting the data their devices collect from the public.
Listed below are the key regulatory trends impacting the wearable technology industry, as identified by GlobalData.
European Union (EU)
Across the EU, protecting mHealth data generated by body-worn fitness gadgets is becoming a priority. To reduce the risk of data manipulation and misuse, the General Data Protection Regulation (GDPR) requires that wearable users be told which of their data each app accesses. Supply chain stakeholders, including OEMs, are at the same time obliged to implement 'data protection by design and by default' (Article 25).
GDPR explicitly requires that, by default, only the personal data necessary for each specific purpose of the processing are processed. This requirement covers the amount of data collected, how long it is stored, the extent of processing, and who can access it. After earlier difficulties in preventing theft of personal data, companies such as Fitbit and Google quickly redesigned their privacy policies.
Apple, Samsung, and other wearable OEMs are also adopting newer, more dynamic policies. For enterprise adoption, GDPR requires employers to carry out a Data Protection Impact Assessment (DPIA) where the planned processing is likely to result in a high risk to individuals, assessing the necessity and proportionality of their technology plans. A DPIA weighs employee privacy against the protection of business interests.
United States (US)
Low-risk general wellness wearable technology, including fitness trackers and smartwatches, is normally not regulated by the US Food and Drug Administration (FDA): the FDA treats products intended only for general wellness as presenting very low risk to user safety and does not enforce medical device requirements against them. Devices that make medical claims are a different matter. Recent releases such as QardioCore and AliveCor's Kardia products have been granted FDA clearance as mobile electrocardiogram (ECG) sensors for detecting heart conditions. Wearable OEMs therefore either self-regulate their offerings or design them to fit within medical device compliance guidelines.
Although wearables are not defined under any US Federal law, Protected Health Information (PHI) is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), enforced by the Office for Civil Rights (OCR). A wearable OEM that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity, such as a health plan, healthcare clearinghouse, or healthcare provider, becomes a Business Associate (BA) and is directly liable under HIPAA. The same applies to subcontractors of both wearable OEMs and Covered Entities. Cloud service providers that serve wearable business associates are therefore expected to offer HIPAA-compliant configurations and to sign Business Associate Agreements as part of their contracts.
Digital vs. traditional healthcare
Traditional regulation of medical devices relies on devices meeting conformity standards and on manufacturers supplying safety and efficacy data from extensive clinical trials to regulators. These traditional means of assessing safety and efficacy are being outpaced by technology development. Regulators have accepted that the existing regulatory process does not fully support digital change, and there is currently little harmonisation or convergence of medical device guidance or regulations between jurisdictions.
This fragmentation is challenging for companies in the space, which either design devices to avoid the complex regulatory process or take advantage of ongoing developments and design devices to fit within existing regulatory guidelines. As wearable technology matures, there is an opportunity for tech companies, developers, and healthcare bodies to become more involved in designing future regulatory frameworks.
Data security as a critical issue
Data security trends include the changing nature of cyber threats, the evolution of key cybersecurity technologies, industry growth drivers, healthcare governance trends, and cybersecurity trends in healthcare. Ransomware, insider and privilege misuse, denial of service attacks, ‘hacktivist’ groups, and online fraud have all significantly increased in the past five years.
Regulations have recently been put in place to harmonise EU cybersecurity rules, such as the Directive on Security of Network and Information Systems (NIS), adopted by the European Parliament in July 2016. The GDPR, in force since May 2018, protects EU citizens' data privacy and forces structural changes in how organisations approach customer data privacy and protection. Under GDPR, non-compliant organisations face fines of up to 4% of annual worldwide turnover or €20m ($22.3m), whichever is higher. In the US, cybersecurity regulation is less strict at the federal level than in Europe.
Tech vendors are being pushed to adopt 'privacy by design' during product development and to maintain privacy protections as a service over the whole product lifecycle. Users are advised to keep their devices on the most recent firmware and to avoid installing trojanised copies of legitimate applications. For medical devices there is no specific cybersecurity regulation, only guidance on identifying assets, threats, and vulnerabilities.
This is an edited extract from the Wearable Technology in Mining – Thematic Research report produced by GlobalData Thematic Research.