34 research outputs found

    New Cybersecurity Requirements for Medical Devices in the EU: The Forthcoming European Health Data Space, Data Act, and Artificial Intelligence Act

    The regulation of cybersecurity for medical devices keeps evolving in the European Union (EU). In the past few years, new pieces of legislation have been added to the initial framework for medical device cybersecurity, including the Medical Device Regulation, the General Data Protection Regulation and the Cybersecurity Act. The Artificial Intelligence Act, the European Health Data Space Regulation and the Data Act are forthcoming laws that contain cybersecurity-related requirements applicable to medical devices. This article examines the requirements stemming from each of these, as well as their role vis-a-vis the existing legal framework. We observe that despite being comprehensive and wide ranging in their changes, these new regulations may be inadequate for the task of ensuring the cybersecurity of medical devices. In our view, this approach by the EU legislature is inadequate because it fails to foresee cybersecurity requirements in a way that is truly linked with the already existing cybersecurity laws. To help address this problem, the article offers a set of workable recommendations that EU legislators would be well advised to take on board in respect of specific regulations, as well as in general, when establishing cybersecurity-related requirements.

    Improved clinical investigation and evaluation of high-risk medical devices: the rationale and objectives of CORE-MD (Coordinating Research and Evidence for Medical Devices)

    In the European Union (EU) the delivery of health services is a national responsibility but there are concerted actions between member states to protect public health. Approval of pharmaceutical products is the responsibility of the European Medicines Agency, whereas authorizing the placing on the market of medical devices is decentralized to independent 'conformity assessment' organizations called notified bodies. The first legal basis for an EU system of evaluating medical devices and approving their market access was the medical device directives, from the 1990s. Uncertainties about clinical evidence requirements, among other reasons, led to the EU Medical Device Regulation (2017/745) that has applied since May 2021. It provides general principles for clinical investigations but few methodological details, which challenges responsible authorities to set appropriate balances between regulation and innovation, pre- and post-market studies, and clinical trials and real-world evidence. Scientific experts should advise on methods and standards for assessing and approving new high-risk devices, and safety, efficacy, and transparency of evidence should be paramount. The European Commission recently awarded a Horizon 2020 grant to a consortium led by the European Society of Cardiology and the European Federation of National Associations of Orthopaedics and Traumatology, that will review methodologies of clinical investigations, advise on study designs, and develop recommendations for aggregating clinical data from registries and other real-world sources. The CORE-MD project (Coordinating Research and Evidence for Medical Devices) will run until March 2024; here we describe how it may contribute to the development of regulatory science in Europe.

    72nd Congress of the Italian Society of Pediatrics

    Democracy disrupted? Continuing the debate on the (mis)use of personal data in political campaigning

    This document supported the presentation given at the COMPACT Brussels Symposium on 'Disinformation in the European Elections 2019: The role of social media & technology trends', held at Permanent Representation of the Slovak Republic to the EU, Brussels. (October 21st, 2019). Panel: Role of social media platforms: How can data reliant platforms act responsibly? Status: Published online

    Ethical and legal aspects surrounding the protection of critical infrastructures in healthcare

    This presentation was given at the 1st European Cluster for Securing Critical Infrastructures (ECSCI) Workshop. In light of research carried out in the first two years of SAFECARE project, the document outlines the ethical and legal aspects surrounding the protection of critical infrastructures in healthcare. Status: Published online

    Online Disinformation: fostering the debate. Reflections, concerns, regulatory challenges

    This document supported the presentation given at the Conference 'Online Disinformation: Finding the silver bullet in the digital world' organised by ECAS at the European Economic and Social Committee, in Brussels. (November 12th, 2019) Panel: How far reaching is regulation? Status: Published online

    Open Source Hardware in Healthcare. A focus on medical devices and their qualification

    'Open Source Hardware in Healthcare. A focus on medical devices and their qualification' is the title of the presentation given at the 4th Wikifactory Viral Response Roundtable. The Roundtable was held online on 4th June 2020, with the following thematic session: 'How to audit and secure accreditation for your COVID 19 product'. The presentation was given as part of the dissemination activities for H2020 project 'Made4You'. It outlines the main legal aspects of the development and replication of COVID-19 Open Source Hardware solutions. Status: Published online

    Cybersecurity in healthcare: what legal framework(s) in Europe?

    This presentation has been given at the 'SAFECARE Awareness Event' (18 September 2018). The initiative was organised by the European Organisation for Security, aimed at gathering security practitioners, healthcare stakeholders and policy experts to discuss and exchange best practices on cyber and physical security for healthcare infrastructures. The presentation outlined the key aspects of the legal research performed so far within the SAFECARE research project. Status: Published online

    SAFECARE D7.2 Training Guide for Threat Response: Legal and Ethical Aspects for Healthcare Cybersecurity

    As part of the SAFECARE Task 7.2 'Training guide for threat response', this presentation outlines ethical and legal frameworks concerning physical, cyber and integrated security in healthcare. The objective of this document is to give key informative notions on this issue for healthcare security practitioners and operators (including security operators, healthcare professionals, fire-fighters) which will take part in the project's pilot phases. Status: Published online