The European Union Agency for Cybersecurity (ENISA) has warned that devices and digital health systems remain in danger of attack, despite measures under Regulations (EU) 2017/745 and 2017/746 on medical devices and in vitro diagnostic medical devices (MDR and IVDR) intended to make products more secure.
The European Commission has attempted to strengthen the requirements for medical device companies in the MDR and IVDR: all medical devices that incorporate electronic programmable systems, and software that is in itself a medical device, are subject to the new rules.
There is concern over how far the regulatory interventions can be enforced and keep medical technology safe from cyberattacks, because some member states may not have the knowledge or the personnel to enforce the cybersecurity rules outlined in the regulations after a product is approved.
Another problem brought to light with existing EU cybersecurity regulations is a tendency for existing harmonised standards to be horizontal rather than more specific, vertical ones. However, ENISA is confident this will change, and that policymakers will investigate the prospect of more vertical standards and more focused regulation. Until that happens, there are the EU Directive on security of network and information systems (NIS Directive), the MDR/IVDR and the Cyber Resilience Act (CRA).
Source: Medtech Insight (an Informa product)