By Ruoxin Su & Oguzhan Yesiltuna, 27th August, 2024
Increasing Importance of Cybersecurity in Medical Devices
As the digital transformation of healthcare continues to accelerate, the importance of robust cybersecurity for medical devices has never been more critical. Medical devices, from wearable health monitors to advanced diagnostic tools, are increasingly connected to networks, making them susceptible to cyber threats. A successful cyber-attack on a medical device can compromise patient safety, lead to data breaches, and disrupt healthcare services.
In the EU, ensuring the security of these devices is a complex challenge that intersects with various regulatory frameworks. This blog post provides a brief overview of the current regulatory landscape for cybersecurity in medical devices within the EU. It has been preliminarily explored in our deliverable for the EU-funded CYMEDSEC project under the supervision of Prof. Paul Quinn.
Relevant EU Regulatory Frameworks
Medical Devices Regulation (2017/745) (MDR) and In Vitro Medical Devices Regulation (2017/746) (IVDR)
The MDR and IVDR provide a comprehensive framework for the regulation of medical devices within the EU. Although the MDR does not define cybersecurity in its text, Annex I outlines the General Safety and Performance Requirements for medical devices, including requirements for manufacturers to ensure that devices are designed and manufactured in a way that reduces risks associated with cybersecurity. The MDR requires manufacturers to set out minimum requirements concerning hardware, IT network characteristics and IT security measures, and mandates risk management processes that encompass cybersecurity risks throughout the device’s lifecycle. The cybersecurity element is also embedded in the requirements for detailed technical documentation, conformity assessment procedures and post-market surveillance of medical devices.
Network and Information Systems Directive (2016/1148) (NIS Directive) and NIS 2 Directive (2022/2555)
The NIS 2 Directive, which repeals the NIS Directive and has been in effect since 16 January 2023, lays down rules on the adoption of national cybersecurity strategies by Member States, cybersecurity risk-management measures and reporting obligations for entities in critical sectors, cybersecurity information sharing, and supervisory and enforcement obligations for Member States. The NIS 2 Directive lists “Health” and “Manufacturing” among the sectors of high criticality and the other critical sectors respectively, and expands its scope to include a broader range of entities in the healthcare sector, such as manufacturers of certain medical devices. It establishes cybersecurity risk-management measures and reporting obligations for entities falling within this expanded list.
Cybersecurity Act (2019/881)
The Cybersecurity Act is part of the EU’s overall cyber ecosystem and aims to enhance the cybersecurity of ICT products, processes and services. It provides a formal definition of cybersecurity in EU law and lays down a framework for European cybersecurity certification schemes for ICT products, processes and services. Cybersecurity certification in particular is seen as playing a critical role in providing a certain level of trust and security in ICT products such as electronic medical devices; it is already in use and is likely to be widely used in the near future.
General Data Protection Regulation (2016/679) (GDPR)
The GDPR applies to the processing of personal data by medical devices. The rules on the processing of data concerning health (Article 9), data protection by design and by default (Article 25), security of processing (Article 32), and data protection impact assessments (Article 35) are particularly relevant to medical devices and cybersecurity. Manufacturers and operators must ensure that personal data is processed securely and in compliance with GDPR principles such as data minimization, purpose limitation, and the rights of data subjects. Additionally, cyber threats and attacks against healthcare systems usually result in data breaches that negatively affect patients and users.
Data Act (2023/2854)
The Data Act entered into force on 11 January 2024 and will become applicable in September 2025. It sets rules for all sectors that aim to facilitate access to and the use of IoT product data by consumers, businesses and governments, covering connected medical devices and in vitro medical devices.
Evolving regulatory framework in the EU
Although not yet in force, upcoming pieces of EU legislation also play a unique role in the ever-changing regulatory landscape of medical device cybersecurity, such as the European Health Data Space (e.g. security requirements for electronic health record systems and secure processing environments) and the Artificial Intelligence Act (AI Act) (e.g. cybersecurity requirements for high-risk AI systems).
A Complex Landscape with Room for Improvement
Although the EU has made significant strides in regulating medical device cybersecurity through various legislative frameworks, this evolving landscape presents complexities that require attention. Glaring examples are the overlaps between the certification mechanisms under the CSA, MDR and AI Act, which create uncertainty for manufacturers, and the voluntary participation schemes left to Member States, which might lead to fragmentation and regulatory shopping. By tackling such complexities, the EU can ensure a robust framework that fosters innovation while maintaining the highest standards of cybersecurity for medical devices. Streamlining regulations and promoting collaboration are crucial for a future-proof approach to protecting patients and data.
Under the ongoing four-year CYMEDSEC project, the above EU regulatory frameworks surrounding cybersecurity for medical devices will be further explored and analyzed in our next benchmark deliverable. Together with the project partners from different Member States, we will also examine the national regulatory frameworks corresponding to those at the EU level, to assist the development of CYMEDSEC tools for enhanced cybersecurity in healthcare systems.
Credit: Image created by Pixlr