AAMI News February 2018

European Regulators Issue Cybersecurity Recommendations

ENISAThe E.U. Agency for Network and Information Security (ENISA) has published baseline security recommendations for the Internet and other healthcare technologies. The recommendations were released ahead of a major compliance deadline for a new data privacy law that will come into force on May 25 in all E.U. member countries.

The aim of these recommendations, according to ENISA, is to “provide insight into the security requirements of IoT, mapping critical assets and relevant threats, assessing possible attacks, and identifying potential good practices and security measures to apply in order to protect IoT systems.”

After compiling expert opinions and current best practices, the agency developed seven high-level recommendations:

  1. Promote harmonization of IoT security initiatives and regulations for the IoT industry.
  2. Increase awareness of the need for IoT cybersecurity.
  3. Define secure software and hardware development life cycle guidelines for IoT.
  4. Reach consensus on interoperability across the IoT ecosystem.
  5. Foster economic and administrative incentives for IoT security.
  6. Establish secure IoT product and service life cycle management.
  7. Clarify liability issues among IoT stakeholders.

The report, which references Food and Drug Administration guidance on postmarket cybersecurity management for medical devices, may also help manufacturers comply with the European General Data Protection Regulation (GDPR). The GDPR requires the implementation of appropriate “pseudonymization, encryption, redundancy, regular penetration tests, and intrusion detection measures,” as well as a continuous process for evaluating the effectiveness of the measures implemented.

However, additional regulatory guidance may be needed to help  medical device companies address patient safety issues in the context of cybersecurity, according to experts.