Skip to main content Skip to main navigation menu Skip to site footer

The Role of Cybersecurity in Medical Devices Regulation: Future Considerations and Solutions


The cybersecurity of medical devices is paramount in a world where everything is increasingly digitised. Attention to how this important defence against malicious actors is regulated must, therefore, also increase. This paper uncovers how the cybersecurity of medical devices is currently regulated and how it can be improved going forward. First, the paper compares the regulation of medical device cybersecurity in the European Union, the United States and the United Kingdom (UK)—differentiating between Great Britain and Northern Ireland as per the current state of the law in the UK. Second, the paper develops a model of how cybersecurity shapes three key areas in the ecosystem of medical devices. These areas are the medical device itself; the structure between the surrounding institutional systems (such as manufacturers and healthcare providers); and the security of the data, the surrounding institutional system and the medical device. Third, based on a comparative analysis and a view of the system from above, the paper puts forward four recommendations on what future regulation should contain to properly regulate the cybersecurity of medical devices: technology specificity, circumvention protection, genuine privacy and security by design. The paper recommends that these four principles be followed. Technology specificity because it guarantees legislation that understands the necessary technical aspects to promote security and safety. Circumvention protection because preventing manufacturers and others from circumventing these requirements decreases risks to the health and wellbeing of patients. Finally, genuine privacy and security by design should be followed to align cybersecurity and privacy with current and future technical capacities.

Published: 2023-11-21
Pages:59 to 77
Section: Symposium: Regulatory Futures and Medical Devices
How to Cite
Ludvigsen, Kaspar Rosager. 2023. “The Role of Cybersecurity in Medical Devices Regulation: Future Considerations and Solutions”. Law, Technology and Humans 5 (2):59-77.

Author Biography

University of Edinburgh
United Kingdom United Kingdom

Kaspar is a Danish Lawyer, and an interdisciplinary Postdoctoral Research Fellow at the University of Edinburgh (Edinburgh Law School), who works in the intersection between law and cybersecurity, with additional expertise in EU Law, medical devices, supply chain security, Private Law, and a fair bit more. Kaspar teaches Cybercrime (The Strathclyde Law School) and is finishing his PhD in Law and Cybersecurity (Department of Computer & Information Sciences) at the University of Strathclyde. Furthermore, Kaspar is a well cited author, including by the European Parliament, and provides expertise to NGOs and public authorities per request.

Open Access Journal
ISSN 2652-4074