EMERGO SUMMARY OF KEY POINTS:

• European regulators have published high-level cybersecurity recommendations for industries including medical devices involved in the Internet of Things (IoT) paradigm.
• The recommendations are partially intended to help companies meet upcoming European data privacy requirements under the General Data Protection Regulation, or GDPR.
• The European report cites US FDA guidance regarding medical device cybersecurity principles and recommendations.

A new set of critical infrastructure security recommendations from European regulators targets the Internet of Things (IoT), with significant implications for medical device manufacturers and health technology developers’ cybersecurity risk mitigation efforts ahead of a major data protection compliance deadline in 2018.

The new recommendations, issued by the European Union Agency for Network and Information Security (ENISA), cover a broad array of industries including healthcare and medical devices. The ENISA report stems from the rapid growth of the IoT paradigm, which has spurred new and rapidly changing security risks, across government sectors, industries and healthcare systems worldwide. The report may also help companies including interconnected medical device manufacturers comply with the European General Data Protection Regulation, a new data privacy law coming into force May 25, 2018.

“The rapid rate of change in IoT technology has outpaced the ability of the associated policy, legal, and regulatory structures to adapt, leaving no clear security framework to follow,” states ENISA in its report. “This has led most companies and manufacturers to take their own approach when designing IoT devices, causing interoperability issues between devices from different manufacturers, and between IoT devices and legacy systems.”

Key ENISA report recommendations

The ENISA report includes seven high-level recommendations targeting IoT security across all economic and government sectors:

• Promoting harmonized IoT security efforts and regulations for industry
• Boosting awareness of IoT security’s importance among industry, consumers, regulators and academia
• Defining secure hardware and software development lifecycles in the context of IoT
• Reaching consensus on interoperability across the IoT ecosystem
• Identifying and providing incentives for stakeholders to prioritize IoT security
• Establishing secure IoT product and service lifecycle management
• Clarifying liability issues among IoT industry and regulatory stakeholders

Recommendations targeting medical devices

Although the ENISA report covers a broad array of industries involved in aspects of IoT, specific recommended security measures and best practices are tied to medical device manufacturers.

Several IoT security measures cite US FDA guidance on post-market cybersecurity management for medical devices as a key reference document. These measures include privacy by design (page 64 of the report), which states that privacy should be a “guiding principle” in system design and development, and that privacy impact assessments should be conducted before new devices or applications are launched.

Other measures and best practices that cite the FDA guidance include risk and threat identification and assessment (page 65), as well as management of security vulnerabilities and incidents (page 80).

Again, the ENISA report’s frequent citation of FDA medical device cybersecurity guidance strongly suggests European regulators plan to take a similar if not complementary tack in addressing IoT security vulnerabilities and threats. Harmonized regulatory approaches to this complex and evolving challenge will in turn hopefully require less burdensome compliance efforts for industry.

ENISA’s report in the context of US cybersecurity efforts

Earlier in 2017, similar IoT cybersecurity recommendations focused on healthcare were published in the US, and legislation based on those recommendations is now under consideration in Congress.

Anura Fernando, Principal Engineer for Medical Systems Interoperability and Security at UL, serves as a member of the US Health Care Industry Cybersecurity (HCIC) Task Force that developed the US recommendations.

“The ENISA report does a great job of explaining the cybersecurity landscape for IoT in general, with solid recommendations based on technical concerns, economics and lifecycle considerations,” Fernando says. “It shows that the EU considers these issues important enough to dedicate resources to help set the stage for the General Data Protection Regulation.”

Justin Heyl, Cybersecurity Strategies and Innovation Director at UL, also notes that the ENISA report should help companies address upcoming GDPR compliance requirements.

“The European security report was much needed to help provide guidance for industry to meet GDPR requirements,” says Heyl. “Such guidance was especially needed because IoT has had a major effect on how personal data is collected and used.”

However, additional European regulatory guidance may be necessary specifically to support medical device companies address patient safety in the context of IoT, Heyl argues.

“Even though the ENISA report covers medical issues within the industry verticals and references US FDA post-market guidance, the concepts of how to approach patient safety with respect to risk-benefit analysis similar to FDA premarket guidance are so far absent.”

Related medical device cybersecurity and regulatory resources:

• Cybersecurity support for network-connected medical devices and software
• Regulatory consulting for mobile medical applications and devices
• Wireless compliance consulting for medical devices
• Whitepaper: Cybersecurity and US FDA medical device regulation
• Webinar: Mapping cybersecurity standards to US FDA medical device guidance