CORDIS - EU research results

Enhanced cybersecurity for networked medical devices through optimisation of guidelines, standards, risk management and security by design

Periodic Reporting for period 1 - CYMEDSEC (Enhanced cybersecurity for networked medical devices through optimisation of guidelines, standards, risk management and security by design)

Reporting period: 2023-11-01 to 2025-04-30

The EU Horizon project CYMEDSEC, which commenced in November 2023, aims to advance the cybersecurity of connected medical devices (MDs) and in vitro diagnostic devices (IVDs). As the digital transformation of healthcare accelerates, the project addresses the growing need for secure and resilient technologies. CYMEDSEC integrates regulatory science, technical innovation, and real-world validation. The project responds to a swiftly evolving Internet of Medical Things (IoMT) landscape in which regulatory frameworks struggle to keep pace with innovation. Existing guidance, such as MDCG 2019-16 (the MDCG guidance on cybersecurity for medical devices), does not adequately address secure software development, authentication, and access control. There is minimal support for incorporating cybersecurity into benefit-risk analyses or for managing dynamic threats in home-based care settings. Legal and ethical concerns, including data protection and digital equity, remain insufficiently addressed.

To tackle these gaps, CYMEDSEC pursues three core objectives: (1) reviewing and revising relevant standards and guidance documents, (2) developing a cybersecurity-focused benefit-risk analysis toolbox, and (3) validating security-by-design methodologies in complex infrastructures such as 5G and cloud computing. These objectives are supported by real-time monitoring and over-the-air (OTA) update mechanisms that enhance device resilience over the product lifecycle. CYMEDSEC's interdisciplinary consortium encompasses legal, clinical, industrial, and academic expertise. Its Open Science approach ensures early dissemination through preprints, publications, open-source tools, and FAIR datasets. The project's early results include regulatory gap analyses, a STRIDE-based general attack model, a secure system architecture for IoMT, and rigorously tested technology demonstrators.

Beyond academic impact, CYMEDSEC aims to streamline regulatory pathways and accelerate innovation in the EU digital health industry. Its tools are being integrated into product pipelines and standardisation efforts, including a CEN Workshop Agreement. Case studies conducted in real-world clinical environments generate evidence to inform future regulatory guidance. With strong legal oversight and adaptive risk management, the project remains agile in a shifting policy landscape. It contributes directly to Europe’s digital sovereignty by aligning innovation with regulatory and societal needs.

In its first reporting period, CYMEDSEC achieved significant progress across its key areas.

In Work Package 1, a thorough regulatory gap analysis was conducted using systematic review protocols. The findings highlighted shortcomings in EU cybersecurity guidance and laid the groundwork for regulatory recommendations.

In Work Package 2, legal and ethical frameworks based on the GDPR, the European Health Data Space (EHDS), the Cyber Resilience Act, and the AI Act have been developed. Tools such as the Legal Obligations Impact Assessment Questionnaire support partner compliance. Early findings from sociological case studies have been published in a peer-reviewed journal.

Work Package 3 concentrated on integrating cybersecurity into benefit-risk analysis (BRA). A systematic review indicated that current BRA practices for innovative medical devices are limited, while a scoping review underscored that the incorporation of cybersecurity in the BRA is peripheral. The project is currently developing an open-source toolbox to facilitate structured, risk-based regulatory decisions.

Standardisation activities under Work Package 4 resulted in a draft CEN Workshop Agreement on continuous cybersecurity monitoring, informed by the previous WPs. This aims to harmonise standards across AI-enabled and networked device ecosystems.

Work Package 5 addressed technical gaps in secure device management, particularly in Hospital-at-Home settings. Demonstrators for real-time monitoring and OTA updates were created and evaluated. Legal and ethical aspects of data sharing were also examined.

Work Package 6 progressed the architecture for secure IoMT systems. Based on STRIDE analysis, the project designed a secure edge gateway with hardware-level isolation and protections against side-channel attacks.

Preparations for case studies under Work Package 7 were finalised, including pilot planning, data protection documentation, and device procurement. Coordination with clinical partners ensures readiness for the next project phase.
Work Package 9 oversaw project coordination, quality assurance, and risk management. Key infrastructure, including the management handbook and data governance protocols, was implemented to ensure compliance and collaboration.
CYMEDSEC's scientific analyses under WP1 are the first of their kind and have challenged existing EU guidance, demonstrating the need for clearer requirements regarding secure software development and Software Bills of Materials (SBOMs), the machine-readable inventories of a device's software components and their versions. These insights are informing ongoing efforts to standardise and reform regulations. Early publications in WP2 provide a previously unexplored perspective on human factors and ethical considerations in healthcare cybersecurity. The work conducted in WP3 highlights gaps in current BRA methodologies and indicates that new approaches are necessary. Innovative concepts and considerations have been proposed through academic publications, which have informed the development of new BRA methodologies that will be incorporated into practical open-source tools for manufacturers. WP4's standardisation contributions, including the draft CEN Workshop Agreement, offer a new perspective on the specific lifecycle security and interoperability considerations of IoMT devices. The demonstrators developed in WP5 illustrate the opportunities associated with implementing IoMT technology in the emerging Hospital-at-Home care model. Developments in WP6 have contributed security-by-design innovations for IoMT. While not officially started, WP7 has already generated innovative output, including a submitted publication on vision-language-model-enhanced care robots.