France’s medicines regulator, the Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), has released draft guidelines, currently subject to a public consultation, setting out recommendations for manufacturers designed to help prevent cybersecurity attacks on medical devices. Notably, the draft guidelines are the first instance of recommendations released by a national regulator in Europe that apply cybersecurity considerations specifically to medical devices. The full ANSM draft guidelines, ‘Cybersécurité des dispositifs médicaux intégrant du logiciel au cours de leur cycle de vie’ (‘Cybersecurity of medical devices integrating software during their life cycle’), published 19 July 2019, are available in French here, and in English here.

The draft guidelines note that while the European regulatory framework (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017/746) has been modified “in line with technological developments” (e.g. “data exchange, monitoring, risk prediction and control software”) to include software within the definition of a medical device, and accompanying security and performance requirements specific to such medical devices incorporating software, the “[medical device and in vitro diagnostic medical device r]egulations do not explicitly refer to or elaborate on the notion of cybersecurity”. For the purposes of the guidelines, ‘cybersecurity’ is described as “the full set of technical or organisational measures set up to ensure the integrity and availability of a [medical device] and the confidentiality of the information held on or output by this [medical device] against the risk of targeted attacks.”

In overview, the draft guidelines require manufacturers to undertake risk assessments using both IT and medical device risk management methodology, and then align these approaches as part of manufacturers’ implementation of quality management systems. The recommendations are subdivided into areas representing different parts of the product life cycle, including: software design activity; initialization (first use); monitoring (post market management); and medical device software end of life.

The draft guidelines also make reference to the French ‘General Security Framework’ from which “the criteria of availability, integrity and confidentiality are the baseline objectives to fulfil in terms of security” and that “various documents and tools provided by the ANSSI [the French National Security Agency] are also applicable to [medical devices].” Further, the draft guidelines introduce a criterion of ‘auditability’ to be additionally addressed by medical device manufacturers.

ANSM has shared its work within this area with the European Commission in the hope that “the [European] regulations evolve to integrate [ANSM’s work]” as it is the first time that such recommendations have been drafted in the EU. The draft guidelines are currently subject to public consultation until 30 September 2019.

Advising clients on a broad range of life sciences matters, Sarah Cowlishaw supports innovative pharmaceutical, biotech, medical device, diagnostic and technology companies on regulatory, compliance, transactional, and legislative matters.

Sarah is a partner in London and Dublin practicing in the areas of EU, UK and Irish life sciences law. She has particular expertise in medical devices and diagnostics, and on advising on legal issues presented by digital health technologies, helping companies navigate regulatory frameworks while balancing challenges presented by the pace of technological change over legislative developments.

Sarah is a co-chair of Covington’s multidisciplinary Digital Health Initiative, which brings together the firm’s considerable resources across the broad array of legal, regulatory, commercial, and policy issues relating to the development and exploitation of digital health products and services.

Sarah regularly advises on:

  • obligations under the EU Medical Devices Regulation and In Vitro Diagnostics Medical Devices Regulation, including associated transition issues, and UK-specific considerations caused by Brexit;
  • medical device CE and UKCA marking, quality systems, device vigilance and rules governing clinical investigations and performance evaluations of medical devices and in vitro diagnostics;
  • borderline classification determinations for software medical devices;
  • legal issues presented by digital health technologies including artificial intelligence;
  • general regulatory matters for the pharma and device industry, including borderline determinations, adverse event and other reporting obligations, manufacturing controls, and labeling and promotion;
  • the full range of agreements that span the product life-cycle in the life sciences sector, including collaborations and other strategic agreements, clinical trial agreements, and manufacturing and supply agreements; and
  • regulatory and commercial due diligence for life sciences transactions.

Sarah has been recognized as one of the UK’s Rising Stars by Law.com (2021), which lists 25 up and coming female lawyers in the UK. She was named among the Hot 100 by The Lawyer (2020) and was included in the 50 Movers & Shakers in BioBusiness 2019 for advancing legal thinking for digital health.

Sarah is also Graduate Recruitment Partner for Covington’s London office.