In this Newsletter
Regulations & Guidelines
Recommendations for hosting sensitive information systems in the cloud
The National Agency for the Security of Information Systems (ANSSI) provides guidelines for hosting sensitive information systems (SI) in the cloud, emphasizing the importance of using SecNumCloud-qualified services for security and compliance. These recommendations highlight the need for a thorough risk management approach, including impact assessments and risk analyses, particularly for critical systems handling sensitive data. Selecting appropriate cloud services based on system sensitivity and threat levels is crucial to safeguard against cyber threats.
Official publication of the EU AI Act
The EU Artificial Intelligence (AI) Act was published in the Official Journal of the European Union on July 12, 2024, as “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence.” While the AI Act will generally apply starting on August 2, 2026, the exact milestones are quite nuanced and complex, with some provisions applying as early as February 2, 2025.
Data Protection Authorities' role in AI Act framework
The European Data Protection Board (EDPB) suggests that Data Protection Authorities (DPAs) should be designated as Member State Authorities (MSAs) for overseeing high-risk AI systems in areas like law enforcement and justice. Additionally, Member States should consider appointing DPAs as MSAs for other high-risk AI systems that may impact individuals' rights and freedoms regarding data processing. DPAs should serve as single points of contact for the public and other authorities, with clear procedures for cooperation between MSAs and other regulatory bodies, including the EU AI Office.
Hashing data alone does not make it truly anonymous - FTC guideline
The Federal Trade Commission (FTC) monitors companies to ensure their data privacy claims align with their actual practices, emphasizing that hashing does not make data truly anonymous as it can still identify users. Despite warnings, companies like Nomi and BetterHelp have been found using hashed data to track individuals, leading to FTC action for deceptive privacy claims. The FTC remains vigilant in protecting user privacy, particularly concerning persistent identifiers like email addresses and device IDs that can still be used for tracking.
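A short added illustration of the FTC's point (example code written for this summary, not from the FTC or the companies named): an unkeyed hash of an e-mail address is still a persistent identifier, because any party holding the same address computes the same digest and can join records or re-identify it from a list it already has. A keyed HMAC with a secret held by one data controller removes that cross-party linkability, though it is still pseudonymisation rather than anonymisation. Sample addresses and keys are constructed.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample data: one person known to two unrelated services.
SERVICE_A_EMAIL = "alice@example.com"
SERVICE_B_EMAIL = "  Alice@Example.COM"   # same mailbox, sloppier formatting


def normalise(email: str) -> bytes:
    """Trim and lower-case before hashing; this is what makes the digests line up."""
    return email.strip().lower().encode("utf-8")


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: the 'hashed, therefore anonymous' claim the FTC rejects.
    Every party that knows the address gets the same digest, so it remains a stable identifier."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, secret_key: bytes) -> str:
    """HMAC-SHA256 under a secret held by one data controller. Stable inside that
    controller's own records, but another holder of the address cannot reproduce it
    without the key. Still pseudonymisation, not anonymisation: the key holder can re-link."""
    return hmac.new(secret_key, normalise(email), hashlib.sha256).hexdigest()


def linkable_across_services(digest_a: str, digest_b: str) -> bool:
    """Two services comparing digests can tell they hold the same person."""
    return hmac.compare_digest(digest_a, digest_b)


def reidentify(digest: str, known_addresses: Iterable[str]) -> Optional[str]:
    """Recover the address behind an unkeyed digest from a list the holder already has
    (a customer file, a marketing list). Nothing about SHA-256 is broken here; the
    candidates are simply re-hashed, which is why an unkeyed hash of a known value
    is not anonymous."""
    lookup = {naive_hash(addr): addr for addr in known_addresses}
    return lookup.get(digest)


if __name__ == "__main__":
    a, b = naive_hash(SERVICE_A_EMAIL), naive_hash(SERVICE_B_EMAIL)
    print("plain hashes match across services:", linkable_across_services(a, b))
    print("re-identified as:", reidentify(a, ["bob@example.com", "alice@example.com"]))
    ka = keyed_pseudonym(SERVICE_A_EMAIL, b"controller-A-secret")   # constructed keys
    kb = keyed_pseudonym(SERVICE_B_EMAIL, b"controller-B-secret")
    print("keyed pseudonyms match across controllers:", linkable_across_services(ka, kb))
```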
New data privacy Bill - Rhode Island
Rhode Island became the nineteenth US state overall and the seventh state in 2024 to enact a comprehensive privacy law, as the Future of Privacy Forum sums up. The law will take effect starting in 2026. It includes familiar terminology and core obligations, such as controller/processor responsibilities, rights of access, correction, deletion, and portability, express consent for processing sensitive data, and disclosure requirements, but lacks data minimisation requirements or an obligation for controllers to recognize universal opt-out mechanisms.
New EU Regulation to enhance safety standards for substances of human origin by 2027
To enhance the quality and safety standards for substances of human origin for medical use, a new EU regulation has been published and will take effect in 2027. This regulation, replacing previous directives on blood, tissues, and cells, aims to provide comprehensive protection for recipients, donors, and children born through medical assistance. Key changes include expanded scope covering various human-origin substances, stricter oversight by competent authorities, and improved coordination among EU member states. The regulation also introduces a digital platform for monitoring and reporting on those substances.
UK Government announces new AI, data protection, and cyber security legislation
The UK government is set to introduce new legislation focusing on AI regulation, data protection, cyber security, and product safety. Key proposals include a Regulatory Innovation Office to oversee AI regulation, the Digital Information and Smart Data (DISD) Bill to enhance data sharing and establish digital verification services, and a Cyber Security and Resilience Bill to strengthen digital protections. These measures aim to align with EU standards and modernize regulatory frameworks, with a focus on protecting public interests and supporting technological advancements.
Data Breach & Cybersecurity
75% of cloud network intrusions due to weak credentials and misconfigurations in 2024
Google Cloud's latest Threat Horizons Report highlights that weak credentials and misconfigurations were responsible for 75% of cloud network intrusions in the first half of 2024. Weak or no credentials accounted for 47% of attacks, a slight decrease from the previous year, while misconfigurations jumped to 30%. The report emphasizes the persistent challenge of poor identity governance, with many attacks exploiting legitimate credentials, underscoring the importance of robust security measures like multifactor authentication.
UnitedHealth's response to Change Healthcare ransomware attack: financial impacts and regulatory scrutiny
As of July 2024, UnitedHealth is still dealing with the aftermath of a February ransomware attack on its subsidiary, Change Healthcare. The breach disrupted U.S. healthcare billing and exposed the data of millions, with some data surfacing on the dark web. UnitedHealth paid a $22 million ransom and is now notifying affected individuals. The company faces increased medical costs and scrutiny from antitrust regulators, including investigations by the Department of Justice and potential action by the FTC over business practices.
Security and compliance concerns are driving the shift to hybrid cloud
UK organizations are increasingly transitioning from on-premises environments to managed hosting services, favoring private and hybrid cloud models over public cloud options. This shift is driven by the need for stronger security and compliance with regulations, as highlighted by the 2024 ISG Provider Lens report. Service providers are aiding this transition by offering solutions like disaster recovery and modern computing technologies, while UK data centers are becoming connectivity hubs, offering advanced infrastructure.
4.3 Million impacted by HealthEquity data breach
HealthEquity is notifying 4.3 million individuals about a data breach involving personal and health information compromised through a third-party vendor. The breach, identified on March 25, involved unauthorized access to an unstructured data repository, exposing information such as names, Social Security numbers, and payment details. HealthEquity has taken steps to mitigate the breach and is offering affected individuals free credit monitoring services while encouraging vigilance against potential misuse of their information.
Artificial Intelligence
As AI marches into medicine, investors eye security and privacy startups
Investors are increasingly supporting startups that enhance health AI products with privacy and security services, anticipating new regulations. Despite the deployment of AI tools in healthcare, there are concerns about data security, prompting calls for responsible AI use standards. Government agencies and industry groups are working on regulations to address bias and safety in medical AI, but the timeline is uncertain. In the meantime, investments focus on AI governance, data security, and compliance to mitigate risks and shape future standards.
Roche's AI-Powered glucose monitoring system approved in Europe
Roche has received European approval for its AI-powered continuous glucose monitoring system, the Accu-Chek SmartGuide, for adults with Type 1 and Type 2 diabetes. The system includes a wearable sensor that tracks blood sugar every five minutes, two smartphone apps for data management, and predictive algorithms to forecast glucose changes and prevent hypoglycemia. Roche plans to launch the system in select European markets, offering a significant tool for better diabetes management and control.
Biotech & Health tech
Lilly becomes the latest pharma to tap OpenAI for help, this time for antibiotic work
OpenAI is partnering with major pharmaceutical companies like Moderna, Sanofi, and now Eli Lilly, to accelerate drug discovery and development, particularly in fighting drug-resistant pathogens. Lilly's Chief Information Officer, Diogo Rau, highlighted that generative AI technology could aid in creating new antimicrobials and specialized technologies. The collaboration aligns with Lilly's $100 million commitment to the AMR Action Fund, aiming to develop new antibiotics by 2030, though specifics on how OpenAI's technology will be utilized were not disclosed.
Health tech startup Commure bets on AI for medical notes in $139M deal
Health tech startup Commure is acquiring AI medical scribe company Augmedix for $139 million, strengthening its software offerings for healthcare systems. This acquisition will take publicly traded Augmedix private and expands Commure's reach in the AI-powered medical documentation market, enhancing productivity tools for providers, including those in acute care and emergency settings. The deal follows Commure's purchase of Athelas and aligns with their mission to use AI and machine learning to streamline healthcare operations and improve revenue cycle management.
Machine learning for causal prediction of treatment outcomes
Causal machine learning (ML) provides flexible, data-driven methods to predict treatment outcomes, such as efficacy and toxicity, enhancing drug assessment and safety. It allows for estimating individualized treatment effects, enabling personalized clinical decision-making. The approach can be applied to both clinical trial and real-world data, but careful implementation is necessary to avoid biased predictions; key components and steps for reliable use in clinical settings are discussed.
Data Governance
ICO Annual Report 2023-2024
The ICO report reveals critical findings on data protection issues, including the misuse of personal data by tracing agents, privacy concerns with period and fertility apps, and a controversial migrant tagging pilot. The report emphasizes the importance of protecting personal data and provides detailed insights into the ICO's actions and recommendations. This summary highlights the urgency of the issues discussed and serves as a call to read the full report for comprehensive understanding and implications for data protection practices.
Navigating complex regulations: the intersection of the EU AI Act and medical device compliance
The EU is introducing a comprehensive AI Act that will regulate the development and deployment of AI systems, adding to existing regulations like the MDR and IVDR, which govern medical devices. These regulations set high standards for safety and compliance, particularly for high-risk AI systems, including those in the medical sector. Otto Lindholm from Dottir Attorneys explores the overlap between these regulations and highlights the need for strategic compliance planning for manufacturers navigating these complex regulatory landscapes.
NIST releases a tool for testing AI model risk
The National Institute of Standards and Technology (NIST) has re-released a testbed called Dioptra, a modular, open-source tool designed to measure the risks of AI models, particularly how malicious attacks like data poisoning can degrade their performance. Dioptra, initially released in 2022, helps companies and researchers assess AI risks by simulating threats and benchmarking models. This tool, part of broader U.S. and U.K. efforts to ensure AI safety, can identify potential weaknesses in models, though it currently only supports models available for local download.
Medtech compliance - not regulation - is stifling innovation
The belief that FDA regulations stifle innovation in the medtech industry is challenged by the argument that outdated compliance practices are the real hindrance. Modernizing these practices towards a developer-first approach can improve efficiency, speed up product development, and maintain high safety standards. By embedding compliance into the development process, medtech companies can streamline audits, reduce costs, and accelerate the introduction of innovative medical devices, ultimately benefiting patient care and safety.
Podcasts
Top 3 podcasts:
- Exploring AI Safety
- Neurodata Talks
- Faisal Mahmood: AI's Transformation of Pathology