

Navigating The EU's AI Act: A Clearer Guide


The European Union is taking a big step forward in regulating Artificial Intelligence with its groundbreaking AI Act.

Agreed upon in December 2023, this law is the first-ever comprehensive framework in the world for governing how AI is developed and used.

This guide is designed to help businesses and organizations understand the complexities of the AI Act.

It will explain the Act’s main goals, how it classifies AI systems based on risk, and what it means for different players involved. By understanding these aspects, you can ensure your AI development follows the rules and leverages this technology responsibly within the EU.

Balancing Innovation and Safety with the AI Act

The AI Act aims to strike a balance between two important things: encouraging innovation in the AI sector and reducing the potential risks that come with this powerful technology.

Here are the core principles the Act focuses on:

  • Safety and well-being: The Act prioritizes keeping people safe and well by banning manipulative and harmful AI applications.
  • Fundamental rights: It safeguards essential rights like privacy, non-discrimination, and fairness throughout the development and use of AI.
  • Transparency and explainability: The Act emphasizes the need for AI systems to be transparent and explainable, allowing users to understand how the system arrives at its decisions.
  • Human oversight: It highlights the importance of maintaining human control over high-risk AI systems to prevent unintended consequences.
  • Accountability: The Act establishes clear lines of responsibility for those who develop and deploy AI systems.

Not All AI is Created Equal: Understanding Risk Categories

The AI Act classifies AI systems into four categories based on risk, and each category has its own set of requirements:

  • Banned AI: Certain types of AI are considered unacceptable and are completely outlawed. This includes systems used by governments for social scoring, real-time mass surveillance in public spaces, and AI designed to manipulate human behavior using subliminal techniques.
  • High-Risk AI: This category covers systems that pose significant risks to safety, fundamental rights, or livelihoods. Examples include AI used in facial recognition, hiring processes, credit scoring, essential services, and self-driving cars. These systems face stricter requirements, including risk assessments, data management plans, mechanisms for human oversight, and robust monitoring after deployment.
  • Limited-Risk AI: AI systems with minimal risk fall into this category. These include chatbots, spam filters, and some image/video recognition applications. While there are still some obligations, the regulatory burden is lighter compared to high-risk systems.
  • AI Used as a Component: When AI is embedded within a larger system (like a self-driving robot), the overall risk of the system determines the applicable regulations.

Knowing what risk category your AI system falls into is crucial for determining the compliance requirements you need to meet.

Key Requirements for High-Risk AI

Developing and deploying high-risk AI systems requires following a set of strict requirements outlined in the AI Act. Here’s a breakdown of some key aspects:

  • Risk Management: Comprehensive risk assessments are mandatory to identify, analyze, and mitigate potential risks associated with the AI system.
  • Data Governance: High standards for data governance are essential. This includes ensuring the data used is high quality, relevant, representative, and secure. Measures to prevent bias and discrimination in the data are also crucial.
  • Human Oversight: Strong human oversight mechanisms need to be implemented to ensure the responsible use of the AI system and intervene when necessary.
  • Technical Documentation: Detailed technical documentation explaining the system’s functionality, training data, and decision-making processes is required.
  • Transparency and Explainability: The Act emphasizes the need for AI systems to be transparent and explainable. Users should be able to understand how the system arrives at its decisions.
  • Post-Market Monitoring: Continuous monitoring of the AI system’s performance after deployment is necessary to identify and address any emerging risks or unintended consequences.

These requirements necessitate a proactive approach to AI development and deployment. Businesses should consider compliance from the very beginning to avoid delays and potential sanctions.

Support and Guidance for Navigating the AI Act

The EU Commission recognizes the need to support businesses in complying with the AI Act. Here’s what they’re offering:

  • Clearer Rules: The Commission will develop harmonized standards for specific high-risk AI applications. This provides clarity and consistency for businesses across the EU, making it easier to understand compliance expectations.
  • Independent Review: Notified Bodies will be designated as independent assessors. These bodies will evaluate high-risk AI systems before they can be placed on the market, ensuring they meet all the requirements.
  • Testing Ground: The Commission may establish a regulatory sandbox scheme. This sandbox would provide a controlled environment for businesses to pilot innovative AI applications before full deployment. This allows for testing and refinement while minimizing risks.

These resources can be valuable tools for businesses navigating the AI Act. Additionally, seeking guidance from legal and compliance experts specializing in AI regulations is highly recommended.

The Road Ahead: A Global Conversation on AI Governance

The EU AI Act is likely to be a game-changer, influencing how other regions approach AI regulation.

This could lead to a more harmonized global approach to AI governance, fostering collaboration and knowledge sharing between countries. However, some challenges remain:

  • Global Alignment: It will be crucial to ensure consistency between different regulatory frameworks. This will prevent a patchwork of regulations that could hinder businesses operating internationally and create an uneven playing field.
  • Innovation vs. Regulation: Finding the right balance between encouraging innovation and implementing effective regulations is key. Overly restrictive rules could stifle the development of beneficial AI applications, while weak regulations could pose risks.
  • Enforcement Mechanisms: Establishing robust enforcement mechanisms, which will involve clear procedures and penalties for violations, will be essential for ensuring compliance with the AI Act and fostering trust in AI technologies.
  • Adapting to Change: The AI landscape is constantly evolving, and new challenges will inevitably emerge. Regulatory frameworks need to be flexible and adaptable to address these evolving risks effectively.

Open dialogue and collaboration between policymakers, industry leaders, academics, and civil society will be crucial to navigating these complexities and developing a future-proof framework for responsible AI development and deployment.

The Impact on Businesses: Embracing Responsible AI

The AI Act presents both challenges and opportunities for businesses operating within the EU. Here’s a breakdown of the potential impacts:

  • Compliance Costs: Meeting the requirements for high-risk AI systems will likely involve additional costs for businesses. These costs might include hiring compliance specialists, conducting risk assessments, and implementing robust data management practices. However, the long-term benefits of responsible AI development can outweigh these costs. Businesses that prioritize responsible AI can build trust with customers and partners, potentially leading to a competitive advantage.
  • Market Differentiation: Demonstrating compliance with the AI Act can become a way to stand out from competitors. Businesses that can showcase their responsible AI practices can build trust and attract customers who value ethical AI development.
  • Focus on Responsible AI: The Act incentivizes businesses to prioritize responsible AI development practices. This means focusing on designing and deploying AI systems that are fair, transparent, and accountable. In the long run, this can lead to more ethical and trustworthy AI applications.
  • Building Expertise: Businesses may need to develop in-house expertise on AI regulations or partner with specialists to navigate the compliance landscape effectively. Understanding the regulations will be crucial for ensuring compliance and avoiding delays or sanctions.

By proactively embracing responsible AI practices and integrating compliance considerations into their development processes from the outset, businesses can ensure they are well-positioned to thrive in the new regulatory environment ushered in by the AI Act.

This concludes our guide on the EU’s AI Act. Remember, staying informed and seeking expert guidance will be crucial for navigating the complexities of this new regulatory landscape.


Terms of use

www.iCure.com

1. RECITALS

iCure SA is incorporated in Geneva, Switzerland, with a registered office at Rue de la Fontaine 7, 1211 Geneva, Switzerland, and is registered in the commercial registry under CHE-270.492.477 (“iCure”).

These Terms of Use constitute a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and iCure SA (“we,” “us” or “our”), concerning your access to and use of the https://www.icure.com website as well as any other media form, media channel, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the “Website”).

When you accept, these Terms form a legally binding agreement between you and iCure. If you are entering into these Terms on behalf of an entity, such as your employer or the company you work for, you represent that you have the legal authority to bind that entity.

PLEASE READ THESE TERMS CAREFULLY. BY REGISTERING FOR, ACCESSING, BROWSING, AND/OR OTHERWISE USING THE iCURE WEBSITE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, DO NOT ACCESS, BROWSE, OR OTHERWISE USE THE iCURE WEBSITE.

iCure may, in its sole discretion, elect to suspend or terminate access to, or use of, the iCure Website by anyone who violates these Terms.

All users who are minors in the jurisdiction in which they reside (generally under the age of 18) must have the permission of, and be directly supervised by, their parent or guardian to use the Website. If you are a minor, you must have your parent or guardian read and agree to these Terms of Use prior to you using the Website.

The original language of these Terms of Use is English. In case of other translations provided by iCure, the English version shall prevail.

2. INTELLECTUAL PROPERTY RIGHTS

The Content of the documentation stated on this Website is ours. All Marks and Content that concern iCure may not be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

Provided that you are eligible to use the Website, you are granted a limited license to access and use the Website and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Website, the Content, and the Marks.

3. USER REPRESENTATIONS

By using the Website, you represent and warrant that:

  1. All registration information you submit will be true, accurate, current, and complete; you will maintain the accuracy of such information and promptly update such registration information as necessary.
  2. You have the legal capacity, and you agree to comply with these Terms of Use.
  3. You are not under the age of 13.
  4. You are not a minor in the jurisdiction in which you reside, or, if you are a minor, you have received parental permission to use the Website.
  5. You will not access the Website through automated or non-human means, whether through a bot, script, or otherwise.
  6. You will not use the Website for any illegal or unauthorized purpose.
  7. Your use of the Website will not violate any applicable law or regulation.

4. PROHIBITED ACTIVITIES

You may not access or use the Website for any purpose other than that for which we make the Website available. The Website may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved between you and iCure.

As a user of the Website, you agree not to:

  1. Publish any Website material in any other media.
  2. Sell, sublicense, and/or otherwise commercialize any Website material.
  3. Publicly perform and/or show any Website material.
  4. Use this Website in any way that is or may be damaging to this Website.
  5. Use this Website in any way that impacts user access to this Website.
  6. Use this Website contrary to applicable laws and regulations, or in any way that may cause harm to the Website, or to any person or business entity.
  7. Engage in any data mining, data harvesting, data extracting, or any other similar activity in relation to this Website.
  8. Use this Website to engage in any advertising or marketing.

5. NO WARRANTIES

This Website is provided “as is,” with all faults, and iCure makes no representations or warranties of any kind related to this Website or the materials contained on this Website. Also, nothing contained on this Website shall be interpreted as advice to you.

6. LIMITATION OF LIABILITY

In no event shall iCure, or any of its officers, directors, or employees, be held liable for anything arising out of or in any way connected with your use of this Website, whether such liability arises under this agreement or otherwise. iCure, including its officers, directors, and employees, shall not be held liable for any indirect, consequential, or special liability arising out of or in any way related to your use of this Website.

7. INDEMNIFICATION

You hereby fully indemnify iCure from and against any and/or all liabilities, costs, demands, causes of action, damages, and expenses arising in any way related to your breach of any of the provisions of these Terms.

8. SEVERABILITY

If any provision of these Terms is found to be invalid under any applicable law, such provision shall be deleted without affecting the remaining provisions herein.

9. VARIATION OF TERMS

iCure is permitted to revise these Terms at any time as it sees fit, and by using this Website you are expected to review these Terms on a regular basis.

10. ASSIGNMENT

iCure is allowed to assign, transfer, and subcontract its rights and/or obligations under these Terms without any notification. However, you are not allowed to assign, transfer, or subcontract any of your rights and/or obligations under these Terms.

11. ENTIRE AGREEMENT

These Terms constitute the entire agreement between iCure and you in relation to your use of this Website and supersede all prior agreements and understandings.

12. GOVERNING LAW & JURISDICTION

These Terms shall be governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of law provisions.

The parties shall attempt to resolve any dispute amicably through mutual negotiations. If no amicable settlement can be reached between the parties, the courts of Geneva shall have jurisdiction.

13. PRIVACY

Please refer to our Privacy Policy and Cookie Notice for the data we collect via the contact form and the Matomo cookie.

IMAGE ATTRIBUTION

In the development of our website, we have incorporated various icons to enhance visual appeal and convey information effectively. We extend our sincere appreciation to the talented designers and contributors who have generously shared their work with the community. Below is an acknowledgment of the resources we have utilized:

SVG Repo: A repository of SVG icons. We integrated their icons into our website. Specifically:

  1. Work by author vmware, Key Badged SVG Vector under MIT License
  2. Work by author Twitter, Cloud SVG Vector under MIT License
  3. Work by author Garuda Technology, Node Js SVG Vector and React SVG Vector under MIT License

Thanks to the authors who contributed to the SVGRepo, Unsplash and Maxipanels communities.

iCure features logos from various products, libraries, technologies, and frameworks that our project interacts with. It is important to note that iCure does not hold any proprietary rights to these logos or the products they represent.

iCure SA

Contact: contact@icure.com

Last update: February 20th, 2024.

Information Security Policy


1. Introduction

The iCure universe is built on trust. Guaranteeing the confidentiality of the data that are entrusted to us is our highest priority.

The Information Security Policy of iCure sets out the security concept that permeates every activity and abides by the ISO 27001:2013 requirements for Information Security, so that we ensure the security of the data that iCure and its clients manage.

Every employee, contractor, consultant, supplier and client of iCure is bound by our Information Security Policy.

2. Our Policy

iCure is committed to protecting the confidentiality, integrity and availability of the service it provides and the data it manages. iCure also considers protecting the privacy of its employees, partners, suppliers, clients and their customers as a fundamental security aspect.

iCure complies with all applicable laws and regulations regarding the protection of information assets and voluntarily commits itself to the provisions of the ISO 27001:2013.

3. Information Security Definitions

Confidentiality refers to iCure’s ability to protect information against disclosure, whether through attacks such as network reconnaissance, database breaches or electronic eavesdropping, or through inadvertent disclosure caused by poor practices.

Integrity is about ensuring that information is not tampered with during or after submission. Data integrity can be compromised by accident or on purpose, by evading intrusion detection or changing file configurations to allow unwanted access.

Availability requires organizations to have up-and-running systems, networks, and applications to guarantee authorized users’ access to information without any interruption or waiting. The nature of data entrusted to us requires a higher-than-average availability.

Privacy is the right of individuals to control the collection, use, and disclosure of their personal information. Our privacy policies are based on the GDPR (https://gdpr-info.eu/) and can be augmented by added requirements of specific clients or law areas.

4. Risk Assessment

The main threats iCure is facing as a company are:

  1. Data Theft;
  2. Data Deletion;
  3. Denial of Service attacks;
  4. Malware;
  5. Blackmail and Extortion.

As providers of a solution used by developers active in Healthcare, we also have to anticipate the risks of:

  1. Attacks on our clients’ data, which could lead to major social damages and a loss of trust in our solution;
  2. Abuse of our solution by ill-intentioned clients, which could impact the quality of the service provided to the rest of our clients.

The motivation of the attackers in the latter cases can range from financial gain to political or ideological motivations.

A last risk is linked to the nature of the healthcare data we handle. We must ensure that the data we handle are not used for purposes other than those for which they were collected:

A piece of data collected from a patient for the purpose of a medical consultation should not be available to third parties, not even a government agency.

5. Risk Management

The main principles we apply to manage the risks we face are:

  1. Confidentiality by design: All sensitive data is encrypted end-to-end before being stored in our databases. We do not have any access to the data we store. Our clients’ customers are the only ones who can decrypt the data we store.
  2. Anonymization by design: Healthcare information that has to be stored unencrypted is always anonymized using an end-to-end encryption scheme. This means that the link between the healthcare and administrative information must be encrypted.

Those two principles allow us to minimize the risks of data theft, blackmail, extortion, and coercion by a government agency.

  1. Multiple real-time replicas, with automatic failover: We use a distributed database architecture to ensure that our data is available at all times. We use a master-master architecture, and each piece of data is replicated at least 3 times. Snapshots are taken every day to ensure that we can restore the data in case of a malevolent deletion event.
  2. Automatic password rotations: no single password can be used for more than 48 hours. Passwords are automatically rotated every 24 hours. In case of a password leak, this limits the window of opportunity for an attack.

Those two principles allow us to minimize the risks of data deletion, denial of service attacks, and malware.

  1. Minimization of the attack surface: we deploy our systems in the most minimal way. We only expose the network services that are strictly necessary.
  2. Strict dependency management: we only use open-source software that is regularly updated and audited by the community. We favor dependency management software and providers that minimize the risk of supply chain poisoning.

Those two principles allow iCure to minimize the risks of intrusion by vulnerability exploit or supply chain attack, two risks that could lead to data theft or data deletion.

6. Further Information

This policy is valid as of November 10th, 2022. For further information please contact us at privacy@icure.com.

Impressum

iCure SA

Place de la Bourse-aux-Fleurs 2, Case postale 45, 1022 Chavannes-près-Renens, Switzerland

CHE-270.492.477


Quality Policy


At iCure SA, we are committed to excellence in all aspects of our work. Our quality policy is designed to provide a framework for measuring and improving our performance within the QMS.

1. Purpose of the Organization

The purpose of the QMS is to ensure consistent quality in the design, development, production, installation, and delivery of data processing, security, archival, technical support and protection solutions for medical device software, while ensuring we meet customer and regulatory requirements. This document applies to all documentation and activities within the QMS. Users of this document are members of the iCure Management Team involved in the processes covered by the scope.

2. Compliance and Effectiveness

We are committed to complying with all applicable regulatory and statutory requirements, including ISO 13485:2016 and ISO 27001:2013. We strive to maintain and continually improve the effectiveness of our quality management system.

3. Quality Objectives

Our quality objectives are set within the framework of this policy and as defined by our Software Development Lifecycle and are reviewed regularly to ensure they align with our business goals. These objectives serve as benchmarks for measuring our performance and guide our decision-making processes.

4. Communication

We ensure that our quality policy is communicated and understood at all levels of the organization. We encourage every member of our team to uphold these standards in their daily work whether they are employees, contractors, consultants, suppliers, clients or any other person involved in building our medical data management software.

5. Continuing Suitability

We regularly review our quality policy to ensure it remains suitable for our organization. This includes considering new regulatory requirements, feedback from customers, and changes in our business environment. By adhering to this policy, we aim to enhance customer satisfaction, improve our performance, and contribute to the advancement of medical technology.

iCure SA

Contact: contact@icure.com

Last update: April 17th, 2024