TRENDING:

Endpoint Security , Internet of Things Security , Open XDR

Medical Device Cybersecurity: EU vs. U.S. Approaches

Attorneys Kim Roberts and Adam Solander Describe Regulatory Considerations Marianne Kolbasuk McGee (HealthInfoSec) • February 28, 2020     17 Minutes   
Medical Device Cybersecurity: EU vs. U.S. Approaches
Attorneys Adam Solander and Kim Roberts of King & Spaulding

In May, new medical device regulations, including cybersecurity requirements, will take effect in the European Union. How do they compare with requirements in the U.S.? Attorneys Kim Roberts and Adam Solander offer an analysis.

To help medical device manufacturers comply with the new EU cybersecurity requirements, the European Commission's Medical Device Coordination Group recently published new guidance.

"The new guidelines which the EC published in January were produced with the intention that they would provide manufacturers with guidance on how to fulfill all relevant requirements with regards to cybersecurity," Roberts says in a joint interview with Solander.

"They cover a wide range of cybersecurity aspects in the premarket and post-market stages of production. At the core is the requirement on manufacturers to incorporate updated practices as they design, develop and upgrade products across their lifecycle."

In the U.S., the Food and Drug Administration in 2014 issued cybersecurity guidance for the pre-market development of medical devices. And in October 2018, it issued a draft of updated guidance.

But the FDA has not yet issued a final version of that updated draft guidance.

SImilar Approaches

The FDA's approach is quite similar to the approach being taken in the EU, Solander says.

"The FDA at the core of any submission for the premarket of a device is the concept of the QSR .... or quality system regulations. Part of those [regulations] deal with cybersecurity vulnerability," he says.

"The FDA guidance documents released in 2014 really take a risk-based approach to cybersecurity in medical devices. One of the things they suggest is for manufacturers to adopt the National Institute of Standards and Technology's cybersecurity framework in order to manage security risk in the devices. The FDA's approach has been to put much of the onus on companies to create a risk-based approach and implement designs to protect the device."

In this joint interview with Information Security Media Group (see audio link below photos), Roberts and Solander discuss:

  • Similarities and differences in the EU and U.S. approaches to medical device cybersecurity requirements;
  • Potential consequences for non-compliance with the various regulations;
  • Other cybersecurity considerations for medical device makers.

At the law firm King & Spaulding, Roberts assists global corporations and large employers with their employment law and data privacy strategies in the United Kingdom and across Europe.

Solander, a data, privacy and security, healthcare and employee benefits partner at the firm, provides counsel on data breach and cybersecurity issues across various industries, particularly healthcare.

Previous
RSA 2020: Roundup of Key Themes
Next
Coronavirus Spread: Preparing for 'The Long Haul'



Around the Network

Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.