With the ongoing digitization of the healthcare sector, we see improvements in patient care and demand for advanced technologies like connected medical devices. But with the increased use of IoT medical devices comes new and evolving risks to cybersecurity, privacy, and safety.
There should be clear and harmonized regulations to maintain the safety, security, and competitiveness of connected medical devices. Unfortunately, the European market remains fragmented due to the various cybersecurity requirements being published across the European and international markets. Here are the top ten things you should know about cybersecurity for medical devices in Europe:
1. In 2011, the International Medical Device Regulators Forum (IMDRF) was founded as a forum for regulators around the globe. Its aim was to speed up the harmonization of international regulatory requirements for medical devices.
2. In December 2019, the Medical Device Coordination Group (MDCG) published a document on medical device cybersecurity with the primary goal of providing manufacturers with guidance based on the IMDRF principles and practices.
3. The MDCG guidance on cybersecurity explains how other cybersecurity frameworks and regulations apply to medical devices, including the General Data Protection Regulation (GDPR), the NIS Directive, and the EU Cybersecurity Act.
4. In 2020, the IMDRF published Principles and Practices for Medical Device Cybersecurity. The document provides general principles and practices for the cybersecurity of medical devices. It also introduces key principles for the various product life cycle stages.
5. On May 26th, 2021, the Medical Device Regulation (MDR) came into force in the EU. It specified, “If you are a manufacturer, authorised representative, importer or distributor of medical devices in the EU, or a regulatory affairs or quality management professional involved with medical devices, you need to know how to comply.”
6. The MDR contains a series of improvements to modernize the current system, including stricter pre-market control for high-risk devices, such as certain aesthetic devices that present the same risk profile as analogous medical devices.
7. The MDR aims to improve transparency through a more comprehensive EU database on medical devices, including a system optimized with unique device identification and device traceability. A large part of the information, which includes the lifecycle of all medical device products available on the EU market, will be made available to the public.
8. To prevent market disruption, the MDR’s new rules contain several transitional provisions that will remain in place until 2025.
9. The MDR applies to the general safety and performance of medical devices available on the EU market. However, there is no harmonized cybersecurity standard under the MDR.
10. The Testing, Inspection and Certification (TIC) Council has made recommendations to EU policymakers on the need for harmonized adoption of cybersecurity standards and a harmonized approach to risk assessment.