Cyber security of digital healthcare solutions

Authors

  • Michal Rampášek Comenius University Bratislava, Faculty of Law, Institute of Information Technology Law and Intellectual Property Law

DOI:

https://doi.org/10.46282/bpf.2025.08

Keywords:

cyber security, digital products, healthcare, regulation

Abstract

The aim of this paper is to analyze the growing legal requirements for cybersecurity in digital healthcare solutions in the context of current and future EU legislation. The focus is on electronic health record (EHR) systems, wellness apps, medical devices, and wearable products for health monitoring, including those that do not fall within the scope of Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR). The paper compares the requirements arising from Regulation (EU) 2024/2847 on cyber resilience (CRA), Regulation (EU) 2025/327 on the European Health Data Space (EHDS), and the existing regulations on medical devices. Particular emphasis is placed on data security, vulnerability management, software updates, and system interoperability in the context of privacy and public health protection. The paper also highlights the legal challenges of regulating hybrid products that combine consumer electronics with health monitoring functions. It aims to contribute to the expert discussion on an appropriate legal framework for cybersecurity in telemedicine and digital health.

Published

2025-12-31

Section

Information technology law and intellectual property law