Cybersecurity for medical devices in the EU
Download as PPTX, PDF8 likes11,550 views
This document discusses cybersecurity issues related to medical devices. It summarizes the FDA's approach to cybersecurity, which is based on the NIST cybersecurity framework. It also discusses the current and future EU regulations regarding medical devices and cybersecurity, noting that the future regulations do not specifically address cybersecurity. Finally, it outlines some general EU security regulations and standards that relate to medical devices, including those regarding data protection, risk management, and notification of security incidents.
Cybersecurity for medical devices in the EU
- 1. CYBERSECURITY FOR MEDICAL DEVICES MD Project event 9 december 2014 Erik Vollebregt www.axonadvocaten.nl
- 2. Agenda: 1. Introduction 2. FDA approach to cybersecurity measures 3. Current EU Medical Devices law 4. Future EU Medical Devices law 5. General EU security regulations and standards
- 3. Setting the scene • Homeland pacemaker hack; • FDA Guidelines on Premarket Submissions for Management of Cubersecurity in Medical Devices; • Proposals for MDR and IVDR; • EU Directive 95/46/EC on personal data protection; • EU Commission`s Green Paper on mHealth;
- 4. FDA approach to cybersecurity measures Based on US National Institute of Standards and Technology (NIST) cybersecurity framework: • identification of assets, threats and vulnerabilities; • assessment of the impact of threats and vulnerabilities on device • functionality and end users / patients; • assessment of the likelihood of a threat and of a vulnerability being exploited; • determination of risk levels and suitable mitigation strategies; • assessment of residual risk and risk acceptance criteria;
- 5. Are we doing anything in the EU? Biggest EVAH! About public utilities and communications infrastructure What are the medical devices companies and healthcare institutions doing?
- 6. EN 62304 § 5.2.2 Software requirements content re security Typical cybersecurity points, but only with respect to standalone software
- 7. Future EU Medical Devices law • nothing specifically new in the field of cybersecurity; • MDR Proposal, Annex I, point 14 does not addresses cybersecurity specificallu: • point 14.2 repeats point 12.1a of the MDD, which will remain linked to EN 62304 so future cybersecurity – for the moment – is more of the same • Any cybersecurity measure will need to come from harmonised standard
- 8. Future EU Medical Devices law • Delegated acts or common technical specifications are a good way to amend the general safety and performance requirements with cyber security requirements, as foreseen by the new regulations. • However, this option for delegated acts is proposed to be removed in the EU Parliament`s 1st reading of 2 April 2014.
- 9. General EU security regulations and standards • IEC 80001 – Application of risk management for IT-networks incorporating medical devices • Plays important role in Swedish competent authority Läkemedelsverket in 2009 in the first version of their guidance “Proposal for guidelines regarding classification of software based information systems used in health care”. • This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not to medical device manufacturers.
- 10. Draft NIS Directive Article 14 provides for market operator • security requirements and • incident notification duty ERGO: all (medical)devices that run software, that interconnect and process / transmit data
- 11. NIS Directive Duty to implement measures Notification duty Public disclosure of incidents Delegated acts
- 12. General EU security regulations and standards: data protection • Protection against e.g. alteration and unauthorized access have everything to do with cybersecurity, as these impact directly on safety and performance of the device. • Non harmonization of the Data Protection Directive is a big problem because it leads to the situation of member states taking different views on security terms requirements. • Dutch NCA refers to ISO 27000 family as informal harmonised standard • Dutch sause ISO 27002 mandatory standard in Dutch healthcare market (NEN 7510)
- 13. Personal data currently in the EU • Everybody agrees the current EU system is • Fragmented • Outdated • Unclear • But, it’s still a good system that has produced a lot of good practices, among others Article 29 WP opinions on security related subjects, e.g. WP 223 on IoT:
- 14. General EU security regulations and standards • Currently authorities mainly approach cybersecurity issues via Data Protection Directive, which features a secutiry regime in Article 17(1):
- 15. Privacy by design obligations for medical devices • WP 223: Controller has responsibility for security of IoT devices • Parties purchasing OEM devices and solutions will want privacy by design compliance warranties
- 16. Privacy by design obligations for medical devices WP 223 on end of life devices and remote monitoring / measuring devices
- 17. Data protection: security case study CASE STUDY
- 18. Developments? • Unfortunately, we did not have yet a European version of the Homeland pacemaker hack that gets politicians moving – attention is at manageable safety issues in well understood implantables • EU Commission seems reluctant to update anything substantive in the medical devices guidance while medical device regulations are still in works. • DG Enterprise might be able to make a difference in cybersecurity for medical devices.
- 19. Background
- 20. THANKS FOR YOUR ATTENTION Erik Vollebregt Axon Lawyers Piet Heinkade 183 1019 HC Amsterdam T +31 88 650 6500 F +31 88 650 6555 M +31 6 47 180 683 E erik.vollebregt@axonlawyers.com @meddevlegal B http://medicaldeviceslegal.com READ MY BLOG: http://medicaldeviceslegal.com www.axonlawyers.com