There are no regulations specifically aimed at securing connected objects at the European level, apart from a bill in England. However, this does not mean that the medical community has no security obligations regarding its IoT projects. Several regulations affect the security of these projects, depending on the type of data or the information system that processes it.
These regulations affect connected health objects only indirectly. However, a European law that will soon come into force could significantly affect connected medical devices: the Medical Device Regulation.
The distinction between connected wellness objects and connected medical devices has significant consequences from a regulatory perspective. The latter are not regulated under the rules for connected objects but under those for medical devices. They are therefore subject to the Medical Device Regulation (or MDR), published in May 2017 and scheduled for implementation in May 2021 according to the European Commission: “On 26 May 2021, the Medical Device Regulation will become fully applicable, following the transition period.”
Since the 1990s, manufacturers of medical devices have been required to affix a "CE" mark in order to market their products throughout Europe. To obtain this mark, they must be assessed by notified bodies that evaluate the quality and safety of the device.
Following several health scandals, the European Commission wished to thoroughly revise the regulations on medical devices and therefore adopted the MDR in 2017. The MDR innovates by adding requirements on the IT security of devices that incorporate software, such as connected medical devices.
These cyber requirements apply to both the pre-market and post-market phases of the device.
If a manufacturer wants to market a new connected medical device, the cyber component will mainly concern technical documentation. It will need to present:
If the manufacturer meets all the requirements of the pre-market conformity assessment, it will be able to affix the "CE" mark to its medical device. The device can then be marketed in all countries of the European Union.
The MDR obligations do not end there. The manufacturer must monitor the device in its post-market phase. There are two essential requirements:
These two new requirements are likely to encourage manufacturers to connect more and more medical devices so that incidents can be reported as quickly as possible. As mentioned above, the implementation of the MDR, initially scheduled for May 26, 2020, was finally postponed to May 26, 2021, due to the health crisis.
This regulation will improve the security of medical devices, reducing the risk of attacks for both the patient and the practitioner.
To go further: Getting ready for the new regulations, European Commission