Medical Device Cybersecurity: EU vs. U.S. Approaches

Attorneys Kim Roberts and Adam Solander Describe Regulatory Considerations
In May, new medical device regulations, including cybersecurity requirements, will take effect in the European Union. How do they compare with requirements in the U.S.? Attorneys Kim Roberts and Adam Solander offer an analysis.
To help medical device manufacturers comply with the new EU cybersecurity requirements, the European Commission's Medical Device Coordination Group recently published new guidance.
"The new guidelines which the EC published in January were produced with the intention that they would provide manufacturers with guidance on how to fulfill all relevant requirements with regard to cybersecurity," Roberts says in a joint interview with Solander.
"They cover a wide range of cybersecurity aspects in the premarket and post-market stages of production. At the core is the requirement on manufacturers to incorporate updated practices as they design, develop and upgrade products across their lifecycle."
But the FDA has not yet issued a final version of that updated draft guidance.
The FDA's approach is quite similar to the approach being taken in the EU, Solander says.
"For the FDA, at the core of any submission for the premarket of a device is the concept of the QSR ... or quality system regulations. Part of those [regulations] deals with cybersecurity vulnerability," he says.
"The FDA guidance documents released in 2014 really take a risk-based approach to cybersecurity in medical devices. One of the things they suggest is for manufacturers to adopt the National Institute of Standards and Technology's cybersecurity framework in order to manage security risk in the devices. The FDA's approach has been to put much of the onus on companies to create a risk-based approach and implement designs to protect the device."
In this joint interview with Information Security Media Group, Roberts and Solander discuss:
- Similarities and differences in the EU and U.S. approaches to medical device cybersecurity requirements;
- Potential consequences for non-compliance with the various regulations;
- Other cybersecurity considerations for medical device makers.
At the law firm King & Spalding, Roberts assists global corporations and large employers with their employment law and data privacy strategies in the United Kingdom and across Europe.
Solander, a data, privacy and security, healthcare and employee benefits partner at the firm, provides counsel on data breach and cybersecurity issues across various industries, particularly healthcare.