The Challenges of Regulating Medical Devices Cybersecurity in the EU
E. Biasin - KU Leuven Centre for IT & IP Law – imec
E. Kamenjasevic - KU Leuven Centre for IT & IP Law – imec
Cybersecurity in healthcare has become increasingly important
Ensuring cybersecurity in the healthcare sector is a growing concern because healthcare service providers are increasingly digitalised. Hospitals' assets, both the IT infrastructure and network-connected medical devices, are targets that must be protected now more than ever before: a successful cyber-attack can severely disrupt the provision of essential healthcare services and put the health and safety of patients at serious risk. For these reasons, regulatory authorities worldwide have started to treat medical device cybersecurity as a new priority.
The complexity in regulating cybersecurity and healthcare in the EU
The complexity inherent to the healthcare sector brings challenges of its own. Regulating cybersecurity is a difficult task in itself, as it requires taking into account several horizontal policy fields as well as requirements set at both the EU and the Member State level. Regulating medical devices is equally difficult, as it rests on a multi-level legal framework characterised by specialisation and fragmentation.
In the case of medical devices, the EU Medical Devices Regulation (MDR) contains cybersecurity-related requirements. The MDR, however, is not the only piece of EU legislation setting cybersecurity requirements for medical devices. Other laws, such as the Directive on security of network and information systems (NIS Directive), the Cybersecurity Act (CSA), the General Data Protection Regulation (GDPR) and the Radio Equipment Directive (RED), set cybersecurity requirements that interact with those of the MDR. How these instruments interact is not always clear to practitioners, so we considered that the question also deserved closer attention from a theoretical point of view.
The regulatory challenges: our findings
In our book chapter 'Cybersecurity of Medical Devices: Regulatory Challenges in the EU', we started from these observations to research how the interaction between the above-mentioned legislation could give rise to regulatory challenges.
In our analysis, we identified four main regulatory challenges, which may be summarised as follows. The first concerns the CSA: we observed that the certification schemes foreseen in the CSA might overlap with the certification requirements already laid down in the MDR. Second, we pointed out that the voluntary nature of CSA certification may lead to fragmentation across the EU. Third, we observed that the interaction between the security requirements of the MDR and those of the RED leaves some loopholes that could result in regulatory uncertainty. Fourth, we identified a duplication of requirements concerning the notification of medical device security incidents under the GDPR and the NIS Directive.
To mitigate these risks, we proposed concise recommendations to the EU regulator. Among other things, we suggested clarifying the scope of application of the CSA certification mechanisms. We further recommended that the EU regulator provide additional guidance on the application of the RED, in particular on its interaction with the MDR and with the other laws applicable to the cybersecurity of medical devices. Finally, concerning incident notifications, we underlined that cooperation between the competent national authorities is essential to ensure timely compliance with the requirements and to avoid duplicated compliance efforts.
Conclusion (and further avenues of research)
An adequate level of cybersecurity and resilience of medical devices is crucial for maintaining the daily provision of healthcare services. Regulating cybersecurity, however, comes with its own challenges. Our book chapter studied the MDR cybersecurity requirements in light of the GDPR, the NIS Directive, the CSA and the RED. Beyond these, upcoming legislative reforms, such as the draft AI Act and the draft 'NIS2 Directive', propose additional cybersecurity requirements that could also affect medical devices. These provisions, and their interaction with those stemming from the legislation we studied, should be analysed further.