Connected health devices & cybersecurity: the Medical Device Regulation
Focus on the Medical Device Regulation.
Lack of specific regulations for connected objects
There are no regulations specifically aimed at securing connected objects at the European level, except for a bill in England. However, this does not mean that the medical community has no security obligations regarding its IoT projects. Several regulations affect the security of these projects, depending on the type of data or the information system that processes them.
The General Data Protection Regulation (better known as GDPR) imposes a security obligation regarding personal data.
The Network and Information Security (NIS) Directive, which covers Essential Service Operators (ESOs), also applies.
These regulations affect connected health objects only indirectly. However, a European law soon to come into force could significantly affect connected medical devices: the Medical Device Regulation.
Medical Device Regulation, from quality to safety
The distinction between connected wellness objects and connected medical devices has significant consequences from a regulatory perspective. The latter will not be regulated under the rules on the security of connected objects but under those on medical devices. Therefore, they will be subject to the Medical Device Regulation (or MDR), published in May 2017 and scheduled for implementation in May 2021, according to the European Commission: “On 26 May 2021, the Medical Device Regulation will become fully applicable, following the transition period.”
Since the 1990s, manufacturers of medical devices have been required to affix a “CE” mark to market their products throughout Europe. To obtain this mark, they must be controlled by notified bodies that evaluate the quality and safety of the device.
Following several health scandals, the European Commission wished to thoroughly revise the regulations related to medical devices and therefore adopted the MDR in 2017. The MDR innovates by introducing requirements on the IT security of devices that incorporate software, such as connected medical devices.
These cyber requirements apply to both the pre-marketing and post-marketing of the device.
Pre-market safety assessment
If a manufacturer wants to market a new connected medical device, the cyber component will mainly concern technical documentation. It will need to present:
- the technical characteristics of the product (network flows, software architecture, etc.);
- a cyber risk analysis covering the impact of these risks and the remediation measures for the security of the system;
- a list of the minimum safety requirements for the defibrillator operating environment (the hospital information system);
- technical audit reports (penetration tests, code audits, etc.).
If the manufacturer meets all the requirements of the pre-marketing conformity check, he will be able to affix the “CE” mark to his medical device. The device can then be marketed in all countries of the European Union.
Post-marketing safety assessment
The MDR obligations don’t end there. The manufacturer must also monitor the device in its post-market phase. There are two essential requirements:
- A material vigilance obligation: the manufacturer is obliged to report all serious incidents concerning medical devices to his national control authority. The reporting must be done within 2 to 10 days, depending on the seriousness of the incident.
- The medical device must have a unique identifier (UDI-DI) to provide safety reports to a database at the European level (EUDAMED).
These two new requirements are likely to encourage manufacturers to connect more and more medical devices so that incident reports can be escalated as quickly as possible. As mentioned above, the implementation of the MDR, initially scheduled for May 26, 2020, was finally postponed to May 26, 2021, due to the health crisis.
This regulation will allow for greater security of medical devices, reducing the risk of attacks for both the patient and the practitioner.
To go further: Getting ready for the new regulations, European Commission