Cybersecurity for medical devices in the EU

Presentation about EU cybersecurity requirements for medical devices

1. CYBERSECURITY FOR MEDICAL DEVICES
   MD Project event, 9 December 2014
   Erik Vollebregt, www.axonadvocaten.nl
2. Agenda
   1. Introduction
   2. FDA approach to cybersecurity measures
   3. Current EU Medical Devices law
   4. Future EU Medical Devices law
   5. General EU security regulations and standards
3. Setting the scene
   • Homeland pacemaker hack;
   • FDA Guidelines on Premarket Submissions for Management of Cybersecurity in Medical Devices;
   • Proposals for MDR and IVDR;
   • EU Directive 95/46/EC on personal data protection;
   • EU Commission's Green Paper on mHealth.
4. FDA approach to cybersecurity measures
   Based on the US National Institute of Standards and Technology (NIST) cybersecurity framework:
   • identification of assets, threats and vulnerabilities;
   • assessment of the impact of threats and vulnerabilities on device functionality and on end users / patients;
   • assessment of the likelihood of a threat and of a vulnerability being exploited;
   • determination of risk levels and suitable mitigation strategies;
   • assessment of residual risk and risk acceptance criteria.
5. Are we doing anything in the EU?
   "Biggest EVAH!" - about public utilities and communications infrastructure.
   What are the medical device companies and healthcare institutions doing?
6. EN 62304 § 5.2.2: software requirements content regarding security
   Covers the typical cybersecurity points, but only with respect to standalone software.
7. Future EU Medical Devices law
   • Nothing specifically new in the field of cybersecurity;
   • MDR Proposal, Annex I, point 14 does not address cybersecurity specifically:
     • point 14.2 repeats point 12.1a of the MDD, which will remain linked to EN 62304, so future cybersecurity is, for the moment, more of the same;
   • Any cybersecurity measure will need to come from a harmonised standard.
8. Future EU Medical Devices law
   • Delegated acts or common technical specifications are a good way to amend the general safety and performance requirements with cybersecurity requirements, as foreseen by the new regulations.
   • However, this option for delegated acts is proposed to be removed in the EU Parliament's first reading of 2 April 2014.
9. General EU security regulations and standards
   • IEC 80001 - Application of risk management for IT networks incorporating medical devices.
   • Played an important role for the Swedish competent authority Läkemedelsverket in 2009 in the first version of its guidance "Proposal for guidelines regarding classification of software based information systems used in health care".
   • This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not at medical device manufacturers.
10. Draft NIS Directive
   Article 14 provides for market operators:
   • security requirements, and
   • an incident notification duty.
   Ergo: all (medical) devices that run software, that interconnect and that process / transmit data.
11. NIS Directive
   • Duty to implement measures
   • Notification duty
   • Public disclosure of incidents
   • Delegated acts
12. General EU security regulations and standards: data protection
   • Protection against e.g. alteration and unauthorised access has everything to do with cybersecurity, as these impact directly on the safety and performance of the device.
   • Non-harmonisation of the Data Protection Directive is a big problem because it leads to member states taking different views on security requirements.
   • The Dutch NCA refers to the ISO 27000 family as an informal harmonised standard.
   • Dutch sauce: ISO 27002 is a mandatory standard in the Dutch healthcare market (NEN 7510).
13. Personal data currently in the EU
   • Everybody agrees the current EU system is:
     • fragmented,
     • outdated,
     • unclear;
   • But it is still a good system that has produced a lot of good practices, among others the Article 29 WP opinions on security-related subjects, e.g. WP 223 on IoT:
14. General EU security regulations and standards
   • Currently authorities mainly approach cybersecurity issues via the Data Protection Directive, which features a security regime in Article 17(1):
15. Privacy by design obligations for medical devices
   • WP 223: the controller has responsibility for the security of IoT devices.
   • Parties purchasing OEM devices and solutions will want privacy-by-design compliance warranties.
16. Privacy by design obligations for medical devices
   WP 223 on end-of-life devices and remote monitoring / measuring devices.
17. Data protection: security case study
18. Developments?
   • Unfortunately, we have not yet had a European version of the Homeland pacemaker hack that gets politicians moving; attention is on manageable safety issues in well-understood implantables.
   • The EU Commission seems reluctant to update anything substantive in the medical devices guidance while the medical device regulations are still in the works.
   • DG Enterprise might be able to make a difference in cybersecurity for medical devices.
19. Background
20. THANKS FOR YOUR ATTENTION
   Erik Vollebregt
   Axon Lawyers
   Piet Heinkade 183
   1019 HC Amsterdam
   T +31 88 650 6500
   F +31 88 650 6555
   M +31 6 47 180 683
   E erik.vollebregt@axonlawyers.com
   @meddevlegal
   B http://medicaldeviceslegal.com
   READ MY BLOG: http://medicaldeviceslegal.com
   www.axonlawyers.com