France sets up committee to combat cyber-attacks on medical device software

The French regulator for medicines and health products (ANSM) recently announced the creation of the first temporary specialised scientific committee (CSST) on cyber-security for medical device software.  The CSST is composed of external experts in information technology and cyber-security.  It provides recommendations to the ANSM's general director, intended for manufacturers of medical device software, with the aim of preventing cyber-attacks on medical devices that could jeopardise data or lead to misuse thereof.  The CSST's activities cover all types of medical device software, as well as related medical devices, whether embedded or autonomous, regardless of their risk class, and throughout their entire life cycle.

Today, an increasing number of medical devices are being used by healthcare professionals or by patients at home.  Such devices disseminate information on patients’ personal data (such as medical imaging and biological results) and the functioning of devices (such as the programming of active implantable devices), and even allow remote patient monitoring (through, for example, vital signs monitoring).

The ANSM stated that it aims, through this CSST initiative, to counteract the insufficient protection provided by the French and European legal frameworks against cyber-attacks on medical devices and to guarantee software security as well as the correct use of medical devices and related data.

A prior version of this post was originally published by the same authors in Practical Law – Life Sciences, October 2017 Issue (Thomson Reuters).

This post was originally co-authored by Patricia Carmona Botana.