EU calls for state-of-the-art cybersecurity for digital medical technologies

Sector regulations, specifically the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), should “remain the primary avenue to providing state of the art cybersecurity of digital medical technologies and services and the safety and security of patients and users,” according to a position paper published 23 May by MedTech Europe, a trade group representing medical device and diagnostic companies.

As the group sees the situation, MDR and IVDR “lay out comprehensive, essential requirements for digital medical technologies and services” and “wholly account for cybersecurity throughout a medical device’s lifecycle.” MedTech Europe also pointed to a Medical Device Coordination Group text on cybersecurity, noting that it provides the “necessary guidance” on complying with MDR, IVDR, the Network and Information Security Directive (NIS1) and the General Data Protection Regulation.
Earlier this year, the EU adopted a revised directive on measures for a high common level of cybersecurity, NIS2, marking the start of a 21-month countdown to the deadline for member states to incorporate the provisions into their national law. MedTech Europe welcomed NIS2 in its position paper.

“These provisions provide a basis for medical device manufacturers to comprehend and implement the range of cybersecurity and data protection requirements across the entirety of a medical device’s lifecycle. As such, the framework helps to ensure cybersecurity of a medical device from their inception, design and development to the end of life and decommissioning of the device,” the trade group wrote.

MedTech Europe voiced its support for NIS2 as part of a discussion about ransomware. The trade group said it “welcomes legislative interventions aimed at reinforcing existing cybersecurity responsibilities and curbing tactics employed by potential cyber-attackers and cyber-criminals” but made the case that the law “should be combined with tangible investments in organizations’ security postures, resilience of digital tools and processes, and the investment in people and the skills necessary to deliver on such legislation.” MedTech Europe supports a public-private partnership approach to cybersecurity skills. RAPS.org