
Cybersecurity for Digital Health in the EU – Lexology

Across the digital health sphere, connected medical devices allow patients to leave hospital sooner and provide remote monitoring features which can be powerful tools for healthcare professionals. This is highly beneficial to patients who can often continue treatment in their own home and can cut costs for healthcare providers seeking to conserve crucial resources. Appropriate collection of patient data may even aid care elsewhere, improving outcomes as a result. Connectedness can bring a third dimension of functionality to digital health, but new risks appear as care has moved out of the secure space of the hospital and into the wider environment.
As healthcare embraces this approach globally, it makes sense to understand the risks which are associated. In this article we give an overview of cybersecurity risks that stakeholders should consider for digital health and medical devices, and we assess the regulatory frameworks currently in place in the EU and others due to come onstream.
Risks
Although the idea that bad actors can hijack medical devices sounds like a science fiction plot, breaches of medical IT systems have happened, and they have been occurring with increasing frequency:
There have not yet been any known incidents of medical devices themselves being hacked. However, in March 2019 the US Food and Drug Administration (FDA) warned that medical devices such as implantable heart defibrillators and home monitoring systems were vulnerable to attack.
More recently in 2022, the FBI “identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features. Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity”.
The FBI stated that medical device vulnerabilities are caused by hardware design and device software management. According to the FBI, vulnerable devices can be taken over by malicious hackers, device readings can be changed, overdoses delivered or devices can otherwise be used to endanger patient health. The devices most susceptible to attack are:
This threat is not entirely new of course. Back in 2007, Estonia, an early adopter of the digitalisation of its public services including telehealth, suffered a crippling cyber-attack which shut down its entire government system, severely impacting its telehealth operations.
In Ireland, the need for cybersecurity in healthcare became acutely apparent in May 2021 when the HSE suffered a major cyber-attack conducted by a criminal gang using “Conti” ransomware. Taking place at a critical point in the nation’s COVID-19 pandemic response, the cyber-attack affected 80% of the HSE’s IT infrastructure, encrypting critical services and patient records, as well as causing severe disruption in the form of cancelled outpatient appointments. Diagnostic and laboratory services were also heavily impacted. The shockwaves were also felt far beyond hospital campuses as information flows between medical devices and the HSE were shut down as part of the attack. In a post-attack review carried out by PwC, it was noted that while there was no attempt to infiltrate individual medical devices, it was technologically possible, and that infiltration of this kind presents a significant risk for the future. Amongst many recommendations arising from the attack, the HSE was advised to define a minimum-security standard for the networking of medical devices.
The Medical Device Regulation
Medical devices are regulated by sector-specific legislation in the form of the Medical Device Regulation EU 2017/745 (MDR). Although the MDR does not use the term cybersecurity, medical devices must satisfy the General Safety and Performance Requirements (GSPR) set out in Annex I of the Regulation. The Medical Devices Coordination Group (MDCG) has elaborated in its guidance document on cybersecurity (MDCG 2019-6) and notes that the MDR:
“…lays down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access”.
The GSPR may enhance cybersecurity for medical devices, and the MDCG guidance aids stakeholders to a degree. However, on the implementation of measures, the MDCG's approach has been said to lack specificity on what is required and, as guidance, it is non-binding.
Standards can also play an important role in assisting manufacturers in meeting the essential health, safety and performance requirements set out in applicable EU legislation such as the MDR. For example, ISO 14971:2019 “Medical devices – Application of risk management to medical devices” became a harmonised standard under the MDR in May 2021 and provides further detail for manufacturers on how to demonstrate compliance with the requirements contained in Annex I.
Alongside the software life-cycle standard IEC 62304 “Medical device software – Software life cycle processes”, the recently published IEC 81001-5-1 “Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle” (expected to be recognised by the EU Commission by May 2024) also directly addresses the relationship between healthcare organisations and medical device manufacturers and gives detailed guidance to manufacturers on how to ensure appropriate cybersecurity in healthcare IT systems.
The Network and Information Security Directive
In 2018, the Network and Information Security (NIS) Directive was implemented in Member States. The Directive harmonised national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU. Member States must:
The NIS 2 Directive
Although the NIS Directive was seen as a good starting point, some argued it was inconsistently applied across Member States resulting in divergent security and incident notification strategies. Under Article 23 of the NIS Directive, the European Commission conducted a review of the NIS Directive and developed a proposal for a revised directive “because of the increasing degree of digitalisation and interconnectedness of our society and the rising number of cyber malicious activities at global level”.
The NIS 2 Directive:
The NIS 2 Directive also broadens the scope of what healthcare entities should be protected, including laboratories, R&D and manufacturing activities for medicinal products as well as manufacturers of medical devices delivering critical services during a health emergency. Those entities must now “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information system.” Competent Authorities are empowered to supervise and enforce more stringent requirements of the NIS 2 Directive. In Ireland, surveillance and enforcement is the responsibility of the National Cyber Security Centre (NCSC).
The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 and will enter into force twenty days from that date. Member States will then have 21 months to implement it. Although it will not apply directly to medical devices as they are subject to sector-specific legislation via the MDR, healthcare institutions will be bound by its terms and on that basis its impact will likely be felt by medical device stakeholders.
The EU Cybersecurity Act
Although medical devices are exempted from a proposal for an EU Cyber Resilience Act, the EU Cybersecurity Act (EUCA) has been in force across Member States since June 2021 and applies to healthcare settings. Under the EUCA, the European Union Agency for Network and Information Security (ENISA) will oversee enforcement of the EUCA at Member State level. National Competent Authorities are given the power to implement penalties which are "effective, proportionate and dissuasive" for breaches of the EUCA.
Other incoming legislation
Cybersecurity requirements also play an increasingly important role in draft legislation: the proposed safety regime for AI systems, the proposed legislation providing for the EU system of strict liability for defective products, and the proposed rules on fault-based liability claims for AI systems.
Conclusion
Against a background of enhanced convenience for patients and changing approaches to care, the European Commission is trying to deal with a particularly challenging problem posed by ever more complex technology, and multiple frameworks are coming onstream to deal with this risk.
Digital health stakeholders would be advised to:
Directive (EU) 2016/1148 – Network and Information Security Directive