HealthLawProf Blog

Editor: Katharine Van Tassel
Case Western Reserve University School of Law

Saturday, April 20, 2024

Cybersecurity of Internet of Things in the Health Sector: Understanding the Applicable Legal Framework

Federica Casarosa (European University Institute), Cybersecurity of Internet of Things in the Health Sector: Understanding the Applicable Legal Framework (2023):

Although digitalisation of healthcare is an ongoing process that dates back to more than two decades ago, it has gained more momentum with the recent Covid pandemic. Among recent developments in this sector is adoption of wearable devices based on internet of things technology. The possibility of connecting devices that can work outside the physical boundaries of a hospital and follow patients at home, i.e. during their day-to-day life, has several obvious advantages. However, digitalisation of the health sector through increased adoption of connected devices does not exclude vulnerabilities, in particular risks concerning the protection of patients’ data and the security of networks and data. In fact, connected devices can gather, process and store personal data regarding the health of patients. Failure to safeguard the integrity and security of these data may affect the patients’ identity and finances, and also put their lives at risk. The presence of an IoT device in a healthcare setting may affect, and reduce, the level of network security of the overall system as it may provide an access point for an unlawful hacking attack. Although IoT technologies in the health sector are becoming more and more pervasive, the European legal framework applicable to them is not clearly defined. This is extremely relevant in case of cybersecurity, where the legal points of reference are the General Data Protection Regulation, addressing the measures and requirements applicable in case of data breaches, and the Medical Device Regulation, providing provisions focused on the security of data applicable to IoT defined as medical devices. The most recent interventions that address both the aspects of health data processing and cybersecurity are then the proposed Cyber Resilience Act and the Health Data Space Regulation. The two acts provide for measures and requirements applicable to IoT from two different perspectives, yet they add complexities and some inconsistencies that may hamper the effectiveness of the overall cybersecurity framework.
