New Guidance on Hot Topic Medical Device Cybersecurity

On January 6th 2020, the European Commission’s Medical Device Coordination Group (MDCG) published guidance on cybersecurity for medical devices. The MDCG is an advisory body created under Article 103 of the new Medical Devices Regulation (specifically, Regulation (EU) 2017/745) and composed of members from all EU Member States.

The aim of this publication, which is primarily addressed to manufacturers of medical devices, is to promote the adoption of pre-market and post-market cybersecurity requirements.

Regulations (EU) 2017/745 and 2017/746 on medical devices and on in vitro diagnostic medical devices, which entered into force in 2017, will apply progressively until May 2020 for medical devices and May 2022 for in vitro diagnostic medical devices. The publication of this cybersecurity guide therefore precedes the final arrangements for the application of the new EU Regulations. One of the novelties of these Regulations is the requirement that medical devices that incorporate software or electronic programmable systems address the technological challenges posed by cybersecurity risks.

According to the MDCG guide, manufacturers shall anticipate the potential exploitation of cyber vulnerabilities, which may result from reasonably foreseeable misuse, and reduce or remove such risks. As an example, the MDCG guide notes that healthcare providers should adopt a risk management process in line with general cybersecurity best practices, for instance by ensuring physical security that prevents unauthorised physical access to medical devices.

It should be noted that taking cybersecurity concerns into account during the design phase of medical devices can help mitigate future problems in this domain. These cybersecurity challenges shall be considered from an early stage of the manufacturing process and across the entire life cycle of the device.

As for the post-market side, the guide highlights the need for manufacturers to share and disseminate information on cybersecurity and possible vulnerabilities. The post-market phase of medical devices is considered crucial, as cybersecurity vulnerabilities evolve over time and previously implemented control mechanisms may become inadequate to maintain an acceptable benefit-risk level. A post-market surveillance system shall therefore be implemented, covering the collection of user experience from devices on the market, its review and the implementation of the necessary corrective measures.

The MDCG guide refers to other pieces of EU legislation, such as the NIS Directive, the GDPR and the EU Cybersecurity Act, which are relevant to cybersecurity and guide operators of medical devices who face the challenge of protecting personal data stored in or processed by medical devices.

The MDCG guide acknowledges the roles of all stakeholders (manufacturers, healthcare providers, patients, suppliers, etc.) in guaranteeing a secure environment for the benefit of patient safety.

This guide provides useful and much-needed guidance for medical device manufacturers and other stakeholders alike. In the near future, we can expect further developments to take place. We will monitor these and report whenever appropriate.

The content of this information does not constitute specific legal advice; such advice can only be given in relation to a specific case. Please contact us for any further clarification or information deemed necessary concerning the application of the law.