Clin Res Cardiol (2021)
DOI https://doi.org/10.1007/s00392-021-01843-w

Experiences with General Data Protection Regulations and Remote Monitoring of Implantable Rhythm Devices
M. Willing1, C. Saatjohann2, B. Rath1, S. Schinzel2, L. Eckardt1, J. Köbe1
1Klinik für Kardiologie II - Rhythmologie, Universitätsklinikum Münster, Münster; 2Labor für IT-Sicherheit, Fachhochschule Münster, Steinfurt;

Introduction: 
Implanted medical rhythm devices constantly generate data, which is processed by different manufacturers. Under the GDPR (General Data Protection Regulation), patients can request information about the processing and storage of their data. The aim of this study was to assess the availability of patients' clinical data.


Methodology:
The study is part of a joint project of cardiologists and cyber security experts evaluating the security of modern medical devices. To analyse the storage of patients' personal data, we sent Subject Access Requests (SARs), with patient consent, to manufacturers of implantable rhythm devices.

Results: 
The manufacturer's response time to the request was one month. One company explained that, with respect to the device, it does not store or process personal patient data. In the case of Home Monitoring Services, a different legal entity processes the data on behalf of the individual hospital. The manufacturer emphasized that, in general, the physician has the role of the data controller. The second inquiry was sent to another company entity, responsible for the Home Monitoring Services, with the same postal address as the one contacted first. The second SAR was again answered after one month, this time with the correct response.

One manufacturer requested additional identification of the patient. According to Article 12 of the GDPR, such identity confirmation may be required if the controller has reasonable doubts about the identity of the requester. After sending a copy of the ID card, our patient received the answer at the end of the one-month period following our initial request, via an unencrypted email. According to Art. 9 GDPR, medical data is a special category of personal data requiring particular protection. In general, emails are not encrypted by default and do not meet these privacy standards unless an additional safeguard such as end-to-end encryption is used. The answer stated that the personal data is generally stored on U.S. servers and that this conforms to the GDPR through an active certification under the so-called Privacy Shield. This statement contradicted the consent form, which described storage of the data in Ireland. For the Article 20 inquiry, we received seven ECG reports as PDF files. Via the web interface, we confirmed that more than seven EGMs were stored.


Conclusion: 

Our small case series on the GDPR and remote monitoring of rhythm devices shows uncertainty in the handling of SARs. As more patient inquiries may occur in the future, more transparency on data handling is mandatory, especially as knowledge of security aspects among clinical cardiologists is scarce due to the complexity of cyber security.


https://dgk.org/kongress_programme/jt2021/aP1289.html