Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

revised roadmap for reform (the “Roadmap”), which stated that new guidance will be published on cybersecurity requirements for software included as part of a medical device. The MHRA has produced a number of work packages in their proposed Software and AI as a Medical Device Change Programme, with Work Package WP5 dedicated to “Cyber Secure Medical Devices”. This work package focuses on ensuring that cybersecurity is adequately reflected in software as a medical device (SaMD) requirements and explains that secondary legislation will be developed to impose cybersecurity and IT requirements to guard against cybersecurity risks in medical devices and in vitro diagnostics (IVDs) that may result in device malfunction, loss or tampering with personal data, damage to the device, and ultimately injury to the patient. Guidance will be developed on cybersecurity issues in the life cycle management processes of medical devices and IVDs and on the reporting of cybersecurity vulnerabilities.

NHS Digital (the body responsible for information, data and IT systems in health and social care in the UK) has published a variety of guidance, including the Data Security and Protection Toolkit, which is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems. This includes an incident reporting tool that incorporates the notification requirements of the UK GDPR and the NIS Regulations. There is also a GDPR-focused document entitled “Respond to an NHS Cyber-Alert”, which explains the intersection between medicine, personal data, and cybersecurity.

At an EU level (albeit highly persuasive, rather than legally binding, from a UK perspective), the Medical Device Co-Ordination Group published

updated guidance in June 2020 on cybersecurity for medical devices, which is intended to assist medical device manufacturers in meeting the cybersecurity requirements in the EU’s Medical Devices Regulation and the In Vitro Diagnostic Regulation. According to the updated guidance, manufacturers must consider safety and cybersecurity throughout the life cycle of a product – that is, they must integrate security “by design”. This concept closely aligns with the requirement of privacy by design under the UK GDPR. Manufacturers must also perform increased post-market surveillance and vigilance. Such post-market surveillance should address the following:

• operation of the device in the intended environment;
• sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors;
• vulnerability remediation; and
• incident response.

The MHRA clearly stated in its Roadmap that the regulations will move the UK towards greater alignment of the cybersecurity requirements for medical devices with the approach taken by the EU and other international regulators.

Lastly, it is worth mentioning that – rather than taking a separate approach to any AI-enabled product – the UK’s approach to regulating cybersecurity risks resulting from AI is sector-specific. In the healthcare space, the MHRA has announced in its Policy Paper “Impact of AI on the regulation of medical products” of April 2024 that it will follow a principles-based approach in order to avoid constraining innovation, including the guidance on cybersecurity for AI as expected to be published in spring 2025.
