The governance of safety and security risks in connected healthcare

Abstract

As healthcare is increasingly digitized and interconnected, medical systems are exposed to cybersecurity threats that can endanger patient health and safety. This paper examines how the convergence of safety and security risks in connected healthcare challenges the governance of medical systems safety in Europe. The analysis shows that the management of safety and security risks of medical systems requires the extension of existing governance mechanisms, including regulation, standards, and industry best practices, to combine both safety and cybersecurity in healthcare. It puts forward policy and industry recommendations for the improvement of medical systems cybersecurity in Europe, including pre-market certification and post-market monitoring and surveillance mechanisms, effective information sharing, vulnerability handling, and patch management. The paper draws comparisons with medical device cybersecurity guidelines in the United States, and with technical controls, standards, and best practices in the domain of industrial control systems security.