MedTech Europe’s vision for cybersecurity in the medical technology ecosystem – position paper

The digital ecosystem has dramatically changed the way in which healthcare is delivered to patients. Nowadays, medical technology companies concentrate not only on ensuring the safety and security of MDs and IVDs, but also on the protection of patients’ and users’ confidential data. As such, medical device manufacturers invest substantial resources in guaranteeing state of the art cybersecurity for all their products and services, ensuring the resilience of the digital health ecosystem.

In this position paper, MedTech Europe outlines three key areas of discussion for regulators, medical device manufacturers, healthcare systems and society-at-large.

Firstly, that the security of medical technologies continues to be regulated under sectoral legislation. The Medical Devices Regulation and the In Vitro Diagnostic Medical Devices Regulation (‘MDR’ and ‘IVDR’) lay out essential requirements for digital medical technologies and services, including Medical Device Software (MDSW) placed on the EU market. In addition, MDCG 2019-16 rev.1 guidance on cybersecurity, provides medical technology manufacturers with the necessary guidance on fulfilling the relevant General Safety and Performance Requirements of MDR and IVDR respectively, with regards to cybersecurity. It also provides guidance on how to comply with both the Network and Information Security Directive (‘NIS1’), and the General Data Protection Regulation (‘GDPR’), both of which apply to medical technology manufacturers.

Secondly, the paper underlines MedTech Europe’s commitment against ransomware, and other malicious interference with healthcare delivery in Europe. MedTech Europe welcomes legislative interventions aimed at reinforcing existing cybersecurity responsibilities and curbing tactics employed by potential cyber-attackers and cyber-criminals. The ongoing digital transformation of society and the lagging digitalisation of healthcare institutions and healthcare delivery continue to lead to healthcare being prime target for malign actors. MedTech Europe welcomed the revision of the Network and Information Security Directive (known as ‘NIS2’), as a means of reinforcing the digital resilience of states and businesses, while ensuring that they increase their investments in cybersecurity. While we welcome such legislative intervention, we believe that it should be combined with tangible investments in organisations’ security postures, resilience of digital tools and processes, and the investment in people and the skills necessary to deliver on such legislation.

Finally, the paper highlights MedTech Europe’s support for measures aimed at improving the level of overall digital literacy, and particularly, cybersecurity skills. The evolving cybersecurity threat landscape coupled with a significant European cybersecurity skills shortage is an untenable situation, and must be addressed. MedTech Europe supports a public-private partnership approach to confront these issues. We also applaud the European Commission’s efforts to improve the situation, particularly through the European Skills Agenda Digital Education Action Plan, as well as the recently published communication for a Cybersecurity Skills Academy.

Please find the full position paper below.