State of the art on ethical, legal, and social issues linked to audio- and video-based AAL solutions

Page 24

Ensure that personal data are securely stored and managed using best practice cryptography mechanisms.

Make systems resilient to outages of power and network connectivity, ensuring a clean recovery in both scenarios.

Examine system telemetry data to detect security anomalies (e.g., login attempt failures).

Make it easy for users to view and delete user data.

Make installation and maintenance of devices easy, including setup, software updates, etc., and inform users about the correctness of each procedure.

Validate input data to detect/prevent security issues.

The objectives listed in the CSA (Article 51), the catalogue of Security Functional Requirements and Security Assurance Requirements of the Common Criteria, and the EN 303645 provide an appropriate framework for ensuring the provision of secure, reliable and trusted services for AHA.

4.3 Medical device regulation & health laws

The US, the EU, Canada and Australia have all enacted medical device regulations. A crucial question is whether a specific AAL technology meets the statutory definition of a “medical device” under these laws (Durkin, 2018). In general, the intended use of the technology, demonstrated through such things as labelling claims and advertising materials, is the decisive factor for whether an AAL technology can be classified as a medical device (Colonna, 2019). If an AAL device is intended to be used for medical purposes rather than to promote general health or wellness, then it will likely be regulated, unless it presents very low risk (Roth, 2013). Medical purposes include things like diagnosing a disease or treating or preventing a disease, whereas wellness purposes include things like promoting a healthy lifestyle (Ell, 2017). Classifying software raises particular challenges in each jurisdiction, mainly because it lacks a concrete, physical form and can have many different functionalities (Colonna, 2019). Here, it must be emphasized that the classification of particular software as a “medical device” or as simple software has a huge impact: if the latter is the case, then the more general requirements for information society services/products will apply and not the much more stringent requirements for medical devices (Mantovani & Bocos, 2017). If an AAL technology is classified as a medical device, then it will be given a risk class, at least in the EU and the US. The higher the risk class, the more rigorous the scrutiny of the technology and hence the more expensive and the more delayed its entry into the market will be. Sometimes an AAL technology can be classified as higher risk in one jurisdiction than another because of the difference in the laws, which creates compliance concerns. This can happen due to the different classification rules that exist in various jurisdictions (Colonna, 2019).
