Cybersecurity for Medical Devices – a preliminary legal and ethical analysis

Dusko Milojevic1

Cyberattacks targeting medical devices and hospital networks are among the major challenges facing healthcare today. A successful attack may disrupt hospital operations, expose sensitive patient data and compromise patient safety, to mention just a few of the severe ramifications.

Our project addresses the ambitious goal of strengthening the cybersecurity of connected medical devices. KU Leuven is the lead beneficiary of Work Package 2 (WP2), “Legal, Ethical and Regulatory Issues”, which aims to provide a comprehensive overview of the ethical and legal frameworks applicable to the development and deployment of the CYLCOMED technology. This blog post briefly outlines the initial findings of WP2’s first deliverable, which establishes a first rough draft of the relevant ethical and legal frameworks.

Introduction

The medical device industry is considered one of Europe’s most innovative and fastest-growing sectors. Efforts to enhance patient care and improve the provision of healthcare services have led to increased connectivity of medical devices. While this connectivity has brought multiple benefits (e.g. remote monitoring and cost reduction), it has also widened the attack surface available to adversaries. The European Union Agency for Cybersecurity (ENISA) report on the threat landscape reveals that the health sector is the third most targeted sector by number of incidents. Likewise, according to a recent FBI Internet Crime Complaint Center (IC3) report, healthcare and public health was the most targeted critical infrastructure sector in the U.S. in 2022, with 210 officially reported attacks. Successful cyberattacks may impede hospital operations, cause the loss of sensitive patient data, compromise patient safety and, in the worst case, contribute to a patient’s death, to mention just a few severe consequences of malicious attacks. The financial impact is considerable as well: IBM’s “Cost of a Data Breach Report 2023” found that healthcare has been the industry with the most expensive breaches for 13 consecutive years, with the average cost increasing by 53.3% since the 2020 report. With the rise of cyber threats aimed at connected medical devices, the need to develop new security solutions is more evident than ever.

CYLCOMED in a nutshell 

CYLCOMED addresses the overall ambitious goal of strengthening the cybersecurity of connected medical devices (CMDs). The performance and applicability of the developed tools will be demonstrated by implementing them in two dedicated pilots. Pilot 1, “Cybersecurity in Hospital Equipment for COVID-19 ICU patients”, will be carried out as a digital twin simulation without the involvement of any human participants, whereas Pilot 2, “Cybersecurity for Telemedicine Platforms”, will be conducted as an observational study.

CYLCOMED’s ultimate goal is twofold: on the one hand, to improve the effectiveness and quality of personalised healthcare services, and on the other hand, to reduce risks and non-compliance costs. The project aims to identify gaps and derive new requirements from innovative analysis schemes, establishing an adequate balance between patient benefits and cybersecurity risks. These analyses will also consider the impact on safety and security when CMDs are integrated with novel technological developments (e.g. AI, cloud computing, blockchain and 5G networks).

Complex legal framework 

It is important to note that regulating the cybersecurity of medical devices is a challenging endeavour and that medical device stakeholders operate in a highly complex legal environment. EU law establishes a set of different requirements enshrined in the Medical Devices Regulation (MDR), the In Vitro Diagnostic Medical Devices Regulation (IVDR), the Cybersecurity Act (CSA), the revised Network and Information Systems Directive (NIS2), the General Data Protection Regulation (GDPR) and the Radio Equipment Directive (RED).

The MDR is the most important piece of legislation applicable to the cybersecurity of medical devices; it has applied since May 2021. It came as one of the answers to the risks and challenges posed by technological advancement in healthcare. Among other things, the MDR introduced stringent requirements to ensure a high level of safety and performance of medical devices that incorporate electronic programmable systems, as well as of software that is a medical device in itself. Article 5(2) MDR requires manufacturers to demonstrate compliance with the General Safety and Performance Requirements (GSPR) listed in Annex I, which include the cybersecurity-related requirements. To provide device manufacturers with guidance on how to meet the requirements of Annex I concerning cybersecurity, the Medical Device Coordination Group (MDCG), chaired by the European Commission, endorsed the Guidance on cybersecurity for medical devices, MDCG 2019-16 Rev.1 (MDCG Guidance).

The MDCG Guidance covers a broad range of topics in its 46 pages. While it primarily provides manufacturers with guidance on meeting the relevant GSPR of the MDR with regard to cybersecurity, it also gives some hints on addressing cybersecurity challenges to other players in the medical device supply chain (e.g. integrators and operators). Being the first guidance on medical device cybersecurity, it was a significant step forward in facilitating the implementation of the MDR’s cybersecurity requirements. However, medical device cybersecurity is a dynamic field that has undergone significant changes since the MDCG Guidance was endorsed in 2019. Some scholars (Biasin & Kamenjasevic) have already aptly captured areas in which the MDCG Guidance could be improved, such as clarification of the concept of “joint responsibility” and “improvement of terminological coherence”, to mention just a few that would help all stakeholders concerned.

While medical device stakeholders already operate in a complex legal environment, new legislative initiatives add further layers of complexity and uncertainty. Two legal frameworks that might affect medical device manufacturers are currently undergoing the legislative procedure: the AI Act Proposal and the Cyber Resilience Act (CRA Proposal). The AI Act Proposal already contains provisions addressing cybersecurity (Article 15) and recognises medical devices as one of its targets (Annex II). The Commission’s CRA Proposal, by contrast, carves out products already covered by the MDR and IVDR (Article 2(2)), so whether, and to what extent, the final CRA will apply to medical devices that fall under the MDR remains to be seen.

Ethical considerations 

Our society is undergoing a rapid digital transformation driven by technological advancements such as artificial intelligence, machine learning, robotics and the Internet of Things. These emerging technologies pose various ethical challenges. While laws stipulate what must, can or cannot be done, ethical notions about good and bad behaviour lie behind these stipulations. New technologies are an example of an area where ethics plays a crucial role, paving the way for legal norms. The field of artificial intelligence is the most obvious example where ethics shapes legal solutions and performs a gap-filling function.

Since CYLCOMED’s Pilot 2, “Cybersecurity for Telemedicine Platforms”, will be conducted as an observational study that processes the personal data of paediatric patients, compliance with ethical standards is of paramount importance. Hence, the CYLCOMED design will comply with the ethical principles set out in, among other things, the Clinical Trials Regulation (CTR), the Guideline for Good Clinical Practice (GCP), the Declaration of Helsinki and the Declaration of Taipei, to mention just some of the ethical frameworks applicable to the CYLCOMED technological solutions.

Conclusion

Due to the complexity and sensitivity of the project, CYLCOMED has a dedicated legal and ethical work package (WP2) led by KU Leuven. This complexity stems from the fact that a wide range of legislative and ethical frameworks might fall within the project’s scope, just as the project’s activities might fall within the scope of those frameworks. This blog post briefly outlined the main legal and ethical frameworks applicable to the CYLCOMED ecosystem that have been identified in KU Leuven’s first deliverable, whose aim was to establish a first rough draft of the relevant ethical and legal framework.

This article gives the views of the author(s), and does not represent the position of CiTiP, nor of the University of Leuven.
  1. Dusko Milojevic is a PhD Researcher at the KU Leuven Centre for IT and IP Law (CiTiP). He holds an LL.M. degree in Law from the University of Belgrade and an MSc in International Development from the University of Manchester. Dusko joined CiTiP on March 13, 2023, and works on CYLCOMED [Cyber securitY tooLbox for COnnected MEdical Devices]. ↩︎