Out-Law News

Medical device regulations fall short on cybersecurity, report says

Medical device regulations do not provide sufficiently high standards on cybersecurity for connected health devices and systems, the Royal Academy of Engineering (RAE) has said.

In a new report (52-page / 2.38MB PDF), the RAE highlighted the potential of digital health to "transform health and social care best practice in the 21st century", but said there are cybersecurity risks, such as ransomware attacks, that put "the privacy and integrity of patient data" at risk.

Despite the cybersecurity risks, the RAE said organisations in the health sector sometimes lack awareness of their existence and of how to manage them.

The report contained a number of recommendations over how to bolster cyber resilience in the sector, including in respect of rules on medical devices.

"The regulation of health devices and systems has focused on patient safety, albeit not perfectly, but has not fully considered the possible impacts of poor cybersecurity on patient safety or privacy," the RAE said. "As new technologies and systems are created, and the threat environment evolves, vulnerabilities in connected health devices need to be addressed. It is therefore necessary to revisit regulatory frameworks for health devices to assess whether there is sufficient consideration of cybersecurity, and how appropriate levels of safety and resilience can be achieved."

"Medical device regulations will no longer be fit for purpose as systems evolve and the threat level changes. Greater focus is needed on cyber safety and resilience. In future, regulations must integrate safety, security and resilience and protect consumers. Government should ensure that the UK maintains its influence on the development of improved medical device regulations that integrate safety, security and resilience, and link to data protection regulation. It should also maintain influence on the development of international standards. It should review and extend existing safety regulations to better take account of issues associated with cyber safety and resilience," it said.

In its report, the RAE also said that the Department of Health and Social Care and the UK's National Cyber Security Centre should work with the medical device industry to "adapt and operationalise a general cybersecurity risk-management framework, tailored to the health sector’s specific requirements".

However, the task of identifying cybersecurity solutions in the health sector is hampered by the fact there is "little robust evidence or quantification of the current security risks and potential impacts in the NHS for connected health devices", it said.

The RAE called for new guidance to be developed to provide a "benchmark for regulatory compliance" on cybersecurity in the supply chain.
