CYBERSECURITY FOR MEDICAL DEVICES MD Project event 9 december 2014 Erik Vollebregt www.axonadvocaten.nl

Cybersecurity for medical devices in the EU

Page 1

CYBERSECURITY FOR MEDICAL DEVICES

MD Project event, 9 December 2014

Erik Vollebregt, www.axonadvocaten.nl

Page 2

Agenda:

1. Introduction

2. FDA approach to cybersecurity measures

3. Current EU Medical Devices law

4. Future EU Medical Devices law

5. General EU security regulations and standards

Page 3

Setting the scene

• Homeland pacemaker hack;

• FDA guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices;

• Proposals for MDR and IVDR;

• EU Directive 95/46/EC on personal data protection;

• EU Commission's Green Paper on mHealth.

Page 4

FDA approach to cybersecurity measures

Based on the US National Institute of Standards and Technology (NIST) cybersecurity framework:

• identification of assets, threats and vulnerabilities;

• assessment of the impact of threats and vulnerabilities on device functionality and on end users / patients;

• assessment of the likelihood of a threat and of a vulnerability being exploited;

• determination of risk levels and suitable mitigation strategies;

• assessment of residual risk and risk acceptance criteria.

Page 5

Are we doing anything in the EU?

What are the medical devices companies and healthcare institutions doing?

Biggest EVAH! About public utilities and communications infrastructure

Page 6

EN 62304 § 5.2.2 Software requirements content regarding security

Typical cybersecurity points, but only with respect to standalone software

Page 7

Future EU Medical Devices law

• Nothing specifically new in the field of cybersecurity;

• MDR Proposal, Annex I, point 14 does not address cybersecurity specifically;

• Point 14.2 repeats point 12.1a of the MDD, which will remain linked to EN 62304, so future cybersecurity – for the moment – is more of the same;

• Any cybersecurity measure will need to come from a harmonised standard.

Page 8

Future EU Medical Devices law

• Delegated acts or common technical specifications are a good way to amend the general safety and performance requirements with cybersecurity requirements, as foreseen by the new regulations.

• However, this option for delegated acts is proposed to be removed in the EU Parliament's 1st reading of 2 April 2014.

Page 9

General EU security regulations and standards

• IEC 80001 – Application of risk management for IT-networks incorporating medical devices

• Played an important role for the Swedish competent authority Läkemedelsverket in 2009 in the first version of their guidance “Proposal for guidelines regarding classification of software based information systems used in health care”.

• This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not at medical device manufacturers.

Page 10

Draft NIS Directive

Article 14 provides for market operator

• security requirements and

• incident notification duty

ERGO: all (medical) devices that run software, that interconnect and process / transmit data

Page 11

NIS Directive

Duty to implement measures

Notification duty

Public disclosure of incidents

Delegated acts

Page 12

General EU security regulations and standards: data protection

• Protection against e.g. alteration and unauthorised access has everything to do with cybersecurity, as these impact directly on the safety and performance of the device.

• Non-harmonisation of the Data Protection Directive is a big problem because it leads to member states taking different views on security requirements.

• The Dutch NCA refers to the ISO 27000 family as an informal harmonised standard.

• Dutch-sauce ISO 27002: mandatory standard in the Dutch healthcare market (NEN 7510).

Page 13

Personal data currently in the EU

• Everybody agrees the current EU system is

  • Fragmented

  • Outdated

  • Unclear

• But it's still a good system that has produced a lot of good practices, among others the Article 29 WP opinions on security related subjects, e.g. WP 223 on IoT:

Page 14

General EU security regulations and standards

• Currently authorities mainly approach cybersecurity issues via the Data Protection Directive, which features a security regime in Article 17(1):

Page 15

Privacy by design obligations for medical devices

• WP 223: Controller has responsibility for security of IoT devices

• Parties purchasing OEM devices and solutions will want privacy by design compliance warranties

Page 16

Privacy by design obligations for medical devices

WP 223 on end-of-life devices and remote monitoring / measuring devices

Page 17

Data protection: security case study

CASE STUDY

Page 18

Developments?

• Unfortunately, we have not yet had a European version of the Homeland pacemaker hack that gets politicians moving – attention is on manageable safety issues in well understood implantables.

• The EU Commission seems reluctant to update anything substantive in the medical devices guidance while the medical device regulations are still in the works.

• DG Enterprise might be able to make a difference in cybersecurity for medical devices.

Page 19

Background

Page 20

www.axonlawyers.com

THANKS FOR YOUR ATTENTION

Erik Vollebregt

Axon Lawyers

Piet Heinkade 183

1019 HC Amsterdam

T +31 88 650 6500

F +31 88 650 6555

M +31 6 47 180 683

E [email protected]

@meddevlegal

B http://medicaldeviceslegal.com

READ MY BLOG:

http://medicaldeviceslegal.com