Cybersecurity of AI medical devices: risks, legislation, and challenges

Medical devices and artificial intelligence systems rapidly transform healthcare provisions. At the same time, due to their nature, AI in or as medical devices might get exposed to cyberattacks, leading to patient safety and security risks. This book chapter is divided into three parts. The first part starts by setting the scene where we explain the role of cybersecurity in healthcare. Then, we briefly define what we refer to when we talk about AI that is considered a medical device by itself or supports one. To illustrate the risks such medical devices pose, we provide three examples: the poisoning of datasets, social engineering, and data or source code extraction. In the second part, the paper provides an overview of the European Union's regulatory framework relevant for ensuring the cybersecurity of AI as or in medical devices (MDR, NIS Directive, Cybersecurity Act, GDPR, the AI Act proposal and the NIS 2 Directive proposal). Finally, the third part of the paper examines possible challenges stemming from the EU regulatory framework. In particular, we look toward the challenges deriving from the two legislative proposals and their interaction with the existing legislation concerning AI medical devices' cybersecurity. They are structured as answers to the following questions: (1) how will the AI Act interact with the MDR regarding the cybersecurity and safety requirements?; (2) how should we interpret incident notification requirements from the NIS 2 Directive proposal and MDR?; and (3) what are the consequences of the evolving term of critical infrastructures? [This is a draft chapter. The final version will be available in Research Handbook on Health, AI and the Law edited by Barry Solaiman & I. Glenn Cohen, forthcoming 2023, Edward Elgar Publishing Ltd]

Dissecting liabilities in adversarial surgical robot failures: A national (Danish) and European law perspective

Being connected to a network exposes surgical robots to cyberattacks, which can damage the patient or the operator. These injuries are normally caused by safety failures, such as accidents with industrial robots, but cyberattacks are caused by security failures instead. Surgical robots are increasingly sold and used in the European Union, so we decide to uncover whether this change has been considered by EU law, and which legal remedies and actions a patient or manufacturer would have in a single national legal system in the union. We first conduct a case study, where we analyse which legal remedies a patient can make use of, if they are injured by a surgical robot caused by a cyberattack in the national legal system. We also explore whether cybersecurity and cyberattacks are considered by the upcoming Medical Device Regulation of the EU. We show that the selected national legal system is adequate. This is because of its flexibility and in a certain approach even to ignore the distinction between safety and security to the benefit of the patient, and in one situation to remove liability from the manufacturer by erasing its status as party. Otherwise, unless the operator or other parties have made the cyberattack more likely to occur, the manufacturer is liable. We find that the regulation does not directly consider security defects, requiring interpretation and use of guidance to show it. Due to the risk cyberattacks pose on medical equipment, we find this to not be adequate. We further find that the regulators of medical devices, including surgical robots, will not necessarily have adequate staff or rules of enforcement, as this has been left to the member states to solve. But, we also find, due to the comprehensive number of rules that can be applied cumulatively, together with the possibility for further rules and compliance later on, that these issues could be solved in the future.