The Role of Cybersecurity in Medical Devices Regulation: Future Considerations and Solutions

Abstract

The cybersecurity of medical devices is paramount in a world where everything is increasingly digitised. Attention to how this important defence against malicious actors is regulated must, therefore, also increase. This paper uncovers how the cybersecurity of medical devices is currently regulated and how it can be improved going forward. First, the paper compares the regulation of medical device cybersecurity in the European Union, the United States and the United Kingdom (UK)—differentiating between Great Britain and Northern Ireland as per the current state of the law in the UK. Second, the paper develops a model of how cybersecurity shapes three key areas in the ecosystem of medical devices. These areas are the medical device itself; the structure between the surrounding institutional systems (such as manufacturers and healthcare providers); and the security of the data, the surrounding institutional system and the medical device. Third, based on a comparative analysis and a view of the system from above, the paper puts forward four recommendations on what future regulation should contain to properly regulate the cybersecurity of medical devices: technology specificity, circumvention protection, genuine privacy and security by design. The paper recommends that these four principles be followed. Technology specificity because it guarantees legislation that understands the necessary technical aspects to promote security and safety. Circumvention protection because preventing manufacturers and others from circumventing these requirements decreases risks to the health and wellbeing of patients. Finally, genuine privacy and security by design should be followed to align cybersecurity and privacy with current and future technical capacities.