Kaspar Rosager Ludvigsen
University of Strathclyde (United Kingdom)
The Role of Cybersecurity in Medical Devices Regulation: Future Considerations and Solutions
The cybersecurity of medical devices is paramount in a world where everything is increasingly digitised. Attention to how this important defence against malicious actors is regulated must, therefore, also increase. This talk uncovers how the cybersecurity of medical devices is currently regulated and how it can be improved going forward.
First, the regulation of medical device cybersecurity in the European Union, the United States, and the United Kingdom (UK) are compared, differentiating between Great Britain and Northern Ireland as per the current state of the law in the UK.
Second, a model is developed of how cybersecurity shapes three key areas in the ecosystem of medical devices. These areas are the medical device itself; the structure between the surrounding institutional systems (such as manufacturers and healthcare providers); and the security of the data, the surrounding institutional system, and the medical device.
Third, based on a comparative analysis and a view of the system from above, the talk puts forward four recommendations on what future regulation should contain to properly regulate the cybersecurity of medical devices: technology specificity, circumvention protection, genuine privacy, and security by design. It is recommended that these four principles be followed. Technology specificity because it guarantees legislation that understands the necessary technical aspects to promote security and safety. Circumvention protection because preventing manufacturers and others from circumventing these requirements decreases risks to the health and wellbeing of patients.
Finally, genuine privacy and security by design should be followed to align cybersecurity and privacy with current and future technical capacities.
This talk is based on the published paper with same name as above, available here: https://lthj.qut.edu.au/article/view/3080. But the talk has additional considerations concerning new developments in EU Law, including the security proposed in the now almost final AI Act, which will directly impact medical devices, and the proposed new Product Liability Directive. Both the old and the new Product Liability Directive play a huge role for all types of products, but is of special importance due to vast liability it can confer on the user or manufacturer depending on which EU jurisdiction one finds themselves in. This applies directly to cybersecurity as well.
Kaspar has published in both top cybersecurity and law venues, and specialises in analysing and understanding cybersecurity, medical devices, and safety, in the context of law and cybersecurity. Kaspar also teaches Cybercrime at the Law School in the University of Strathclyde, and pro bono supports NGOs in Brussels regarding policy in the CS sphere.
