Cybersecurity and medical devices: the protection of patients’ health and safety from cyber vulnerabilities in Regulation (EU) 2017/745 and Artificial Intelligence Act

Abstract

Cybersecurity is an increasingly crucial issue with healthcare, especially due to the sector’s growing digitization and the rise of cyber threats that endanger the protection of personal data and, more generally, the health and physical integrity of patients. This paper focuses on a circumscribed aspect, namely the cybersecurity of medical devices, viewed as an essential component within the broader issue of cyber resilience in the healthcare sector. The analysis starts with Regulation (EU) 2017/745 on medical devices, aiming to clarify the defining aspects and, especially, the meaning of the term software, which allows to include AI-based products within its scope. Indeed, the definition and classification of medical devices represent crucial elements to determine the applicability or not to the specific device not only of the sectoral legislation, but also of the Artificial Intelligence Act. Finally, the contribution will focus on the measures aimed at ensuring the cybersecurity of medical devices, starting with those established in Regulation (EU) 2017/745, and ending with an examination of the novelties introduced by the AI Act.