Dive Brief
MedTech Europe has set out its vision for cybersecurity in the medical technology ecosystem in a paper that argues for industry-specific legislation.

The trade group outlines three areas of discussion, starting with its belief that medtech security should be regulated under sectoral legislation such as the Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR).

Other parts of the paper address MedTech Europe’s preferred approach for tackling ransomware and support for actions to improve digital literacy in general and cybersecurity skills in particular.

Dive Insight
More connected medical devices have increased the risk that hackers will access confidential data or gain the ability to modify technologies in ways that put patients at risk. As the risks increase, medical device manufacturers “continue to invest significant resources in guaranteeing state of the art cybersecurity for all their products and services,” the trade group wrote.

Other groups including legislators and regulators also play a role in protecting devices and data. The position paper covers how the groups can work together, calling for a multi-stakeholder approach to ransomware, and investment in education and training in cybersecurity.

MedTech Europe argues that MDR and IVDR “should remain the primary avenue to providing state of the art cybersecurity of digital medical technologies and services.” The paper goes on to explain that the medtech industry itself “has an integral role to play in creating a more resilient shared healthcare ecosystem.”

The trade group’s case for continuing to rely on MDR and IVDR rests on the claim that the regulations “wholly account for cybersecurity throughout a medical device’s lifecycle.” Given that the regulations “lay out comprehensive, essential requirements for digital medical technologies and services” and the Medical Devices Coordination Group has provided guidance, MedTech Europe sees sectoral legislation as sufficient. One alternative approach would be to apply pan-industry security legislation to medtech, the paper argues.

Some European Union legislation already covers multiple industries and MedTech Europe supports those existing initiatives. For example, the trade group said the latest version of the Network and Information Security directive provides a basis for “manufacturers to comprehend and implement the range of cybersecurity and data protection requirements across the entirety of a medical device’s lifecycle.”

Reference：
https://www.medtechdive.com/news/medtecheurope-cybersecurity-rely-on-MDR-IVDR/651614/