Across the digital health sector, connected medical devices are enabling patients to leave hospitals sooner and provide remote monitoring capabilities that are powerful tools for medical professionals. This is very beneficial for patients who can often continue treatment at home, and can reduce costs for healthcare providers trying to conserve critical resources. Proper collection of patient data can also help care elsewhere resulting in improved outcomes. Connectivity can bring her three-dimensional capabilities to digital health, but new risks arise as care moves from the safe spaces of hospitals into the wider environment.
As healthcare adopts this approach globally, it makes sense to understand the associated risks. This article provides an overview of the cybersecurity risks that stakeholders need to consider for digital health and medical devices, and outlines the regulatory framework currently in place in the EU and the regulatory framework that will be introduced in the future. Evaluate.
The idea that a malicious person can take over a medical device sounds like a science fiction plot, but compromises of medical IT systems are occurring and happening with increasing frequency.
- French hospital treating 600,000 patients hit by ransomware attack (August 2022)
- UK National Health Service Ransomware Attack (August 2022)
- Irish Health Services Executive (HSE) Hits Massive Ransomware Attack (May 2021)
- Finnish Mental Health Facility Hits Data Breach, Extorts Users (October 2020)
There have been no known incidents of the medical device itself being hacked. However, in March 2019, the U.S. Food and Drug Administration (FDA) warned that medical devices such as implantable heart defibrillators and home monitoring systems were vulnerable to attack.
Most recently, in 2022, the FBI “We have identified an increasing number of vulnerabilities caused by medical devices running outdated unpatched software and devices that do not have adequate security features. Attackers adversely affect the operational capabilities, patient safety, data confidentiality, and data integrity of healthcare facilities.”
The FBI says medical device vulnerabilities are caused by the hardware design and software management of the device. Vulnerable devices could be hijacked by malicious hackers, device readings altered, overdosed and devices used to endanger the health of patients, according to the FBI there is. The most vulnerable devices are:
- intracardiac defibrillator
- mobile cardiac telemetry
- insulin pump
- an intrathecal pain pump, and
Of course, this threat is nothing new. Back in 2007, Estonia, an early adopter of digitizing public services, including telemedicine, suffered a devastating cyberattack that shut down the entire government system and severely impacted telemedicine operations. .
In Ireland, the need for cybersecurity in healthcare became acutely apparent in May 2021 when HSE was hit by a massive cyberattack by criminal gangs using the ‘Conti’ ransomware. A cyberattack at a key point in the country’s COVID-19 pandemic response impacted 80% of HSE’s IT infrastructure, encrypted critical services and patient records, and caused severe damage in the form of ambulatory appointment cancellations. caused a lot of confusion. Diagnostic and testing services were also significantly affected. The shockwave was felt far beyond the hospital campus, as the flow of information between medical equipment and HSEs was interrupted as part of the attack. A post-attack review conducted by PwC noted that although no attempts were made to compromise individual medical devices, it was technically possible and this type of compromise poses significant risks in the future. Among the many recommendations resulting from the attack, HSE was advised to define minimum security standards for networking medical devices.
medical device regulation
Medical devices are regulated by sector-specific legislation in the form of the Medical Devices Regulation EU 2017/745 (MDR). Although the MDR does not use the term cybersecurity, medical devices must meet the General Safety Performance Requirements (GPSR) set out in Annex I of the Regulation. The Medical Devices Coordination Group (MDCG) elaborates in their guidance document on cybersecurity (MDCG 2019-6), where the MDR states:
“… establishes specific new mandatory safety requirements for all medical devices incorporating electronic programmable systems and software that are themselves medical devices. It requires manufacturers to develop and manufacture products according to technology and to set minimum requirements for IT security measures, including protection against unauthorized access.”
GPSR has the potential to enhance cybersecurity for medical devices, and MDGG guidance will help stakeholders to some extent. However, regarding the implementation of measures, the MDCG’s approach is said to lack specificity as to what is needed and is not binding as guidance.
Standards can also play an important role in helping manufacturers meet the basic health, safety and performance requirements laid down in applicable EU legislation such as the MDR. For example, ISO 14971:2019 “Medical Devices – Application of Risk Management to Medical Devices” will become a harmonized standard under the MDR in May 2021 and will provide guidance on how to demonstrate compliance with the requirements contained in Annex I. Provide details to merchants.
Alongside the software life cycle standard IEC 62304 “Medical device software – Software life cycle processes”, the recently published IEC 81001-5-1 “Safety, effectiveness and security of health software and health IT systems – Part 5- 1: Security – Activities “in the product lifecycle” (to be approved by the EU Commission by May 2024) also directly address the relationship between healthcare organizations and medical device Provides detailed guidance to manufacturers on how to ensure security.
Network and Information Security Directive
In 2018, the Network and Information Security (NIS) Directive came into force in member states. The Directive harmonized national cybersecurity functions, cross-border cooperation and supervision of critical sectors across the EU. Member States should:
- Establish and prepare a computer security incident response team (CSIRT) and responsible national NIS agency
- Cooperate with other Member States on cybersecurity issues
- Develop a culture of security across sectors critical to infrastructure such as financial services, energy, transportation and healthcare.
NIS 2 Directive
The NIS Directive was seen as a good starting point, but some argued that it was applied inconsistently across Member States, resulting in different security and incident notification strategies. Under Article 23 of the NIS Directive, the European Commission carried out a review of his NIS Directive and prepared a proposal for a revised Directive. “Because of the increasing degree of digitization and interconnectedness of our societies, the number of cyber-malicious activities on a global level is increasing.”
NIS 2 Directives:
- Covering more sectors important to the economy and society
- explicitly covered “Given the increased security threats that have arisen during the COVID-19 pandemic, the healthcare sector, for example, by including medical device manufacturers,”
- Address supply chain security
- Hold top management accountable for cybersecurity non-compliance
The NIS 2 Directive also covers the scope of medical institutions to be protected, such as pharmaceutical laboratories, research and development, and manufacturing activities, as well as manufacturers of medical devices that provide essential services during health emergencies. spreading. These entities must “take appropriate and balanced technical and organizational measures to manage the risks posed to the security of their networks and information systems.” Competent authorities are empowered to oversee and enforce the stricter requirements of the NIS 2 Directive. In Ireland, oversight and enforcement is the responsibility of the National Cyber Security Center (NCSC).
The NIS 2 Directive will be published in the Official Journal of the European Union on 27 December 2022 and will enter into force 20 days after that date. Member States will then be given 21 months to implement it. Medical devices are subject to sector-specific legislation through his MDR, so they do not apply directly to medical devices, but medical institutions are bound by their terms, and the implications affect medical device stakeholders. There is a possibility.
EU Cybersecurity Law
Although medical devices are exempt from the proposed EU Cyber Resiliency Act, the EU Cybersecurity Act (EUCA) has been in force across Member States since June 2021 and applies to the healthcare environment. Under the EUCA, the European Union’s Network and Information Security Agency (ENISA) oversees the implementation of the EUCA at Member State level. National competent authorities are empowered to impose “effective, proportionate and dissuasive” penalties for violations of the EUCA.
Other Upcoming Laws
Cybersecurity requirements play an increasingly important role in the draft legislation, setting out a proposed law providing for AI system safety regimes, an EU system of strict liability for defective products, and liability claims based on negligence of AI systems doing.
- AI law proposal: The draft recital contains various references to the importance of cybersecurity. Article 15 also establishes specific cybersecurity requirements for “high-risk” AI systems, a category that includes medical devices.
- Proposed revised Product Liability Directive (PLD): It can influence how medical device stakeholders manage cybersecurity risk from a liability perspective. Under the revised PLD, damages caused by cybersecurity vulnerabilities may be indemnified without fault. Producers can also be held liable if they fail to update their software to address cyber vulnerabilities that emerge after the product goes into distribution, resulting in damage.
- Proposed AI Liability Directive (AILD): It includes a clause that provides for a rebuttable presumption of causation if a number of criteria are met, including “fault” on the part of the defendant. For “high-risk” AI systems, violations of cybersecurity requirements contained in the draft AI Act amount to “negligence” for the purposes of triggering this presumption.
Against the backdrop of increased convenience for patients and a changing approach to care, the European Commission is looking to address a particularly difficult problem posed by ever more complex technology, and to address this risk. Multiple frameworks are in the works.
We encourage digital health stakeholders to:
- Check out our product portfolio
- Understand product cybersecurity vulnerabilities
- Develop appropriate strategies to strengthen security where possible,
- Use the product to coordinate your approach with healthcare facilities