24/2/2021

Cybersecurity of medical devices: regulatory challenges in a constantly evolving environment

Blog authors
Vanessa Cocca
Research Specialist

Taken from “The Legal Newspaper”, the legal information newspaper of the Wolters Kluwer Italia group and edited by Cedam, Utet Giuridica, Leggi d'Italia and Ipsoa.

In recent years the medical device sector has undergone a continuous process of development and innovation aimed at supporting and facilitating activities related to the care and well-being of patients. In this context, the protection of personal data and cybersecurity play a role of primary importance because they have direct implications for the proper course of the patient's care. This article analyses cybersecurity standards in the light of the new Regulation 2017/745/EU and the guidance of the Medical Device Coordination Group.

In recent years, there has been an exponential growth in the use of innovative software and technologies in the healthcare sector, aimed at supporting activities related to the care and well-being of patients. These technologies, which are part of the medical device category, make it possible to carry out the most diverse activities: from the exchange of information among experts to remote monitoring of the patient, up to the management of reporting and diagnostic activities.

The protection of personal data is therefore of primary importance in the healthcare sector, more than anywhere else, since a breach in the cybersecurity of medical devices could have direct consequences for patients' health and for the proper course of care.

Medical devices, as defined by the new Regulation on Medical Devices (2017/745/EU), are “any tool, appliance, equipment, software, implant, reagent, material or other article, intended by the manufacturer to be used on humans, alone or in combination, for one or more of the following specific medical purposes: diagnosis, prevention, monitoring, prediction, prognosis, treatment, or alleviation of diseases — diagnosis, monitoring, treatment, alleviation or compensation for an injury or disability — study, replacement or modification of the anatomy or of a physiological or pathological process or state — providing information through the in vitro examination of samples from the human body, including donated blood and tissue, and which does not exert in or on the human body the main action for which it is intended by pharmacological, immunological or metabolic means, but whose function may be assisted by such means.”

While the marketing of medical devices is regulated in detail, the culture of cybersecurity is still fragmented and often insufficient to ensure adequate safety standards. Among the factors that lead to this complexity are, first of all, a general lack of knowledge of cybersecurity requirements and inadequate consideration of those requirements in the design and development of medical devices. Added to this is a lack of uniform regulatory guidance on the cybersecurity of medical devices.

In parallel with the regulatory context described above, the medical devices that make up the network underlying the new concept of smart hospitals are constantly evolving.

It is therefore essential that medical device manufacturers are able to incorporate, right from the design phase of their products, basic requirements to ensure an appropriate safety standard to prevent possible cyberattacks.

The full article is published in “The Legal Newspaper”.
