The EU’s medical technology trade association on Wednesday issued new recommendations to ensure a harmonized approach to cybersecurity for medical devices and digital health technology.
The European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) developed a set of seven recommendations to EU authorities to help guide a harmonization strategy for cybersecurity in line with security requirements set via new or forthcoming legislative frameworks. The slew of new requirements and regulations formed part of EU regulators’ response to growing cybersecurity risks.
“We feel strengthened, but also concerned, by new regulatory developments in cybersecurity in Europe,” COCIR said. “Strengthened, because these deliver a clear expectation for vendors and operators. Concerned, because there is no harmonized approach towards security.” The group discussed the requirements introduced by the recent legislations and the challenges they posed to industry.
Industry faces a greater workload for compliance with the new European legislative frameworks—some of which specifically target data protection and cybersecurity. These include the General Data Protection Regulation (GDPR) and the forthcoming Cybersecurity Act, among others. The EU’s Medical Device Regulation (MDR) introduces general safety and performance requirements as well. MDR will enter into force on 26 May 2020 as the first CE-marking legislation to introduce security requirements.
Medical device cybersecurity “cannot be addressed from an isolated viewpoint,” COCIR argued. “We need to broaden the discussions to ensure better harmonization and alignment to the European and national laws that set security requirements for products and services.”
The first recommendation requests that regulators broaden the European discussion around good security practices across all regulatory frameworks. Setting up this broad discussion would help “reduce market access limitations, conflicting security requirements and unnecessary administration,” COCIR said. The second recommendation seeks to promote regulatory convergence between EU member states and industry. This would coincide with EU notified bodies’ participation in the International Medical Device Regulators Forum, which took up a new work item for a harmonized cybersecurity guide.
Recommendations three and four look at developing guidance on the concept of security as a shared responsibility and adopting the EU’s new Manufacturer Disclosure Statement for Medical Device Security (MDS2) form, which is currently under review and reportedly expected for adoption this summer.
Recommendations five and six address the need for coordinating an approach to reporting security incidents and ensuring that market surveillance measures are in place and consistent and effective.
The final recommendation calls for a harmonized approach on a cybersecurity certification mechanism.
To learn more about the EU regulations for pharmaceuticals, medical devices and other products, join us in Brussels on 13-14 May at the RAPS Regulatory Conference Europe.