Cybersecurity for medical devices in the EU

Post on 12-Jul-2015


CYBERSECURITY FOR MEDICAL DEVICES

MD Project event, 9 December 2014

Erik Vollebregt, www.axonadvocaten.nl

Agenda:

1. Introduction

2. FDA approach to cybersecurity measures

3. Current EU Medical Devices law

4. Future EU Medical Devices law

5. General EU security regulations and standards

Setting the scene

• Homeland pacemaker hack;

• FDA Guidelines on Premarket Submissions for Management of Cybersecurity in Medical Devices;

• Proposals for MDR and IVDR;

• EU Directive 95/46/EC on personal data protection;

• EU Commission's Green Paper on mHealth;

FDA approach to cybersecurity measures

Based on the US National Institute of Standards and Technology (NIST) cybersecurity framework:

• identification of assets, threats and vulnerabilities;

• assessment of the impact of threats and vulnerabilities on device functionality and end users / patients;

• assessment of the likelihood of a threat and of a vulnerability being exploited;

• determination of risk levels and suitable mitigation strategies;

• assessment of residual risk and risk acceptance criteria;

Are we doing anything in the EU?

What are the medical devices companies and healthcare institutions doing?

Biggest EVAH! About public utilities and communications infrastructure

EN 62304 § 5.2.2 Software requirements content re security

Typical cybersecurity points, but only with respect to standalone software

Future EU Medical Devices law

• nothing specifically new in the field of cybersecurity;

• MDR Proposal, Annex I, point 14 does not address cybersecurity specifically:

• point 14.2 repeats point 12.1a of the MDD, which will remain linked to EN 62304, so future cybersecurity – for the moment – is more of the same

• Any cybersecurity measure will need to come from a harmonised standard

Future EU Medical Devices law

• Delegated acts or common technical specifications are a good way to amend the general safety and performance requirements with cybersecurity requirements, as foreseen by the new regulations.

• However, this option for delegated acts is proposed to be removed in the EU Parliament's 1st reading of 2 April 2014.

General EU security regulations and standards

• IEC 80001 – Application of risk management for IT-networks incorporating medical devices

• Plays an important role in the Swedish competent authority Läkemedelsverket's 2009 first version of their guidance "Proposal for guidelines regarding classification of software based information systems used in health care".

• This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not at medical device manufacturers.

Draft NIS Directive

Article 14 provides for market operator

• security requirements and

• incident notification duty

ERGO: all (medical) devices that run software, that interconnect and process / transmit data

NIS Directive

• Duty to implement measures

• Notification duty

• Public disclosure of incidents

• Delegated acts

General EU security regulations and standards: data protection

• Protection against e.g. alteration and unauthorised access has everything to do with cybersecurity, as these impact directly on the safety and performance of the device.

• Non-harmonisation of the Data Protection Directive is a big problem because it leads to member states taking different views on security requirements.

• Dutch NCA refers to the ISO 27000 family as an informal harmonised standard

• Dutch sauce: ISO 27002 is a mandatory standard in the Dutch healthcare market (NEN 7510)

Personal data currently in the EU

• Everybody agrees the current EU system is

  • Fragmented

  • Outdated

  • Unclear

• But it's still a good system that has produced a lot of good practices, among others Article 29 WP opinions on security-related subjects, e.g. WP 223 on IoT:

General EU security regulations and standards

• Currently authorities mainly approach cybersecurity issues via the Data Protection Directive, which features a security regime in Article 17(1):

Privacy by design obligations for medical devices

• WP 223: Controller has responsibility for security of IoT devices

• Parties purchasing OEM devices and solutions will want privacy by design compliance warranties

Privacy by design obligations for medical devices

WP 223 on end-of-life devices and remote monitoring / measuring devices

Data protection: security case study


Developments?

• Unfortunately, we have not yet had a European version of the Homeland pacemaker hack that gets politicians moving – attention is on manageable safety issues in well understood implantables

• The EU Commission seems reluctant to update anything substantive in the medical devices guidance while the medical device regulations are still in the works.

• DG Enterprise might be able to make a difference in cybersecurity for medical devices.

Background: www.axonlawyers.com

THANKS FOR YOUR ATTENTION

Erik Vollebregt, Axon Lawyers
Piet Heinkade 183, 1019 HC Amsterdam
T +31 88 650 6500 / F +31 88 650 6555 / M +31 6 47 180 683
E erik.vollebregt@axonlawyers.com
@meddevlegal

READ MY BLOG: http://medicaldeviceslegal.com
