More on EU medical devices cybersecurity regulation
In a previous post I promised more on cybersecurity, so here it is.
Spoiler alert: the conclusion of this post is that cyber security requirements for medical devices in Europe are currently an overlapping patchwork of different statutes with little attention for system and network security. So the conclusion is: there is nothing specific, except the security requirements in the EN 62304 harmonized standard for Medical device software — Software life-cycle processes. Compared to what the FDA is currently working on the EU is seriously lagging behind, which is strange considering the ambitions that the EU has in eHealth, which will necessitate a lot of medical devices being networked into the Internet of Everything.
Personal data rules
That doesn’t mean that there are no general rules that manufacturers of medical devices must observe in the EU that touch upon cybersecurity. Currently there is quite an acquis being built up in terms of privacy by design obligations for networked devices that process personal data. This is the main approach to cybersecurity for medical devices in the EU at the moment.
Why the personal data nexus? Obviously, medical devices that form part of the internet of things (IoT) will process sensitive personal data in the form of personal health data. In addition to privacy by design requirements that I blogged about earlier, the Article 29 WP has now also issued guidelines for IoT devices that do focus on system security.
But, we are still not there because we are still waiting for the GDPR to drop, which will provide a framework for processing of personal health data that will apply throughout the EU. The Article 29 WP guidelines, as helpful as they are, remain non-binding guidelines.
The NIS directive is a new piece of legislation that will have particular relevance for companies that provide medical devices as a service or provide information society services that consist of monitoring, readout of devices at a distance, etc.
The Parliament has proposed to exclude software developers and hardware manufacturers from the scope of the directive. However, as I have observed many times now, medical devices manufacturers less and less mere widget pushers these days. As a consequence any medical device manufacturer that operates a service in relation to medical devices would be caught under the NIS directive. And the directive is not final yet, so things may still change.
Presentation to summarise
The whole above story is a summary of my below presentation at the MD Project Active Devices event on 9 December that raised some eyebrows in the audience and provoked comments that it’s impossible to meet all these requirements without considerable additional resources.
[slideshare id=42690752&w=425&h=355&style=border: 1px solid #CCC; border-width: 1px; margin-bottom: 5px; max-width: 100%;&sc=no]
The time to act is yesterday
Excuse me? Humbug you say? Medical devices is an industry in which hackers do not operate? All the succesful hacks that have happened so far took place only under controlled circumstances in unlikely usability scenarios?
I’ll speak with you again when your company does an e.g. Sony by being hacked painfully publicly several times in a single year and losing massive amounts of sensitive data (because that’s what hackers are after these days) or has the dubious honour of being the first company faced with ransomware holding active implantable devices of patients hostage.
Thinking that this will not happen to you is one of the oldest security fallacies in the book. Having been caught out ignoring this will not look good on a company, especially if you trust the company’s devices literally with your life.
And don’t forget, all the above does not only apply to the new devices yet to be placed on the market, but also to the vast amount that is already out there, with hardcoded admin passwords and less than stellar security measures built in. This means that – literally – the time to act is yesterday.
So Happy New Year – something should and hopefully will happen when we roll the dice in EU cybersecurity policy next year. Otherwise it may well become painfully obvious why we need specific and clear rules for this.