The European Union Agency for Cybersecurity (ENISA) has warned that medical devices and digital health systems remain at risk of attack, despite the measures in Regulations (EU) 2017/745 and 2017/746 on medical devices and in vitro diagnostic medical devices (MDR and IVDR) that are intended to make products more secure.

The European Commission has attempted to strengthen the requirements on medical device companies through the MDR and IVDR: all medical devices that incorporate electronic programmable systems, as well as software that is in itself a medical device, are subject to the new rules.

There is concern about the extent to which these regulatory interventions can actually be enforced and keep medical technology safe from cyberattacks, because some member states may lack the expertise or the personnel to enforce the cybersecurity rules set out in the regulations once a product has been approved.

Another problem identified with existing EU cybersecurity regulation is that the current harmonised standards tend to be horizontal rather than more specific and vertical. However, ENISA is confident this will change and that policymakers will examine the prospect of more vertical standards and more focused regulation. Until that happens, the applicable frameworks are the EU Directive on security of network and information systems (NIS Directive), the MDR/IVDR and the Cyber Resilience Act (CRA).

Source: Medtech Insight (an Informa product)