The French National Agency for Safety of Medicines and Health Products (Agence nationale de sécurité du médicament et des produits de santé, or ANSM) announced on its website in October 2017 the creation of a “temporary specialized scientific committee” (comité scientifique spécialisé temporaire, CSST) on the cybersecurity of medical device software.
“The external experts that compose it are responsible for proposing recommendations to guarantee a minimum level of security of the software used in the medical field against the threats of digital abuse”.
An increasing number of medical devices, whether used by healthcare professionals in hospitals or at home by patients, are now connected. They can therefore share information via wireless links (Bluetooth, Wi-Fi) or through a physical connection to the Internet. The functions of these devices cover the exchange of data (medical imaging, biology results), the control of the device (programming of infusion pumps or active implantable devices), remote monitoring of the patient (vital signs monitoring) and product maintenance.
In France, the IT security of medical devices is addressed in various texts related to connected health, but the medical device, although cited, is not the main focus of these texts. In the same way, the European regulation on medical devices does not cover, or covers only insufficiently, the risk of an IT attack on the medical device.
ANSM has therefore set up a CSST made up of external experts, chosen for their varied skills and experience in information technology and cybersecurity.
It is responsible for proposing to the Directeur Général of the ANSM recommendations addressed to medical device manufacturers, so that they can take the necessary measures to prevent any malicious attack against their medical devices and thus prevent the compromise of data and the misuse of the medical devices they place on the market.