ArXiv Preprint
Medical devices and artificial intelligence systems rapidly transform
healthcare provisions. At the same time, due to their nature, AI in or as
medical devices might get exposed to cyberattacks, leading to patient safety
and security risks. This book chapter is divided into three parts. The first
part starts by setting the scene where we explain the role of cybersecurity in
healthcare. Then, we briefly define what we refer to when we talk about AI that
is considered a medical device by itself or supports one. To illustrate the
risks such medical devices pose, we provide three examples: the poisoning of
datasets, social engineering, and data or source code extraction. In the second
part, the paper provides an overview of the European Union's regulatory
framework relevant for ensuring the cybersecurity of AI as or in medical
devices (MDR, NIS Directive, Cybersecurity Act, GDPR, the AI Act proposal and
the NIS 2 Directive proposal). Finally, the third part of the paper examines
possible challenges stemming from the EU regulatory framework. In particular,
we look toward the challenges deriving from the two legislative proposals and
their interaction with the existing legislation concerning AI medical devices'
cybersecurity. They are structured as answers to the following questions: (1)
how will the AI Act interact with the MDR regarding the cybersecurity and
safety requirements?; (2) how should we interpret incident notification
requirements from the NIS 2 Directive proposal and MDR?; and (3) what are the
consequences of the evolving term of critical infrastructures?
[This is a draft chapter. The final version will be available in Research
Handbook on Health, AI and the Law edited by Barry Solaiman & I. Glenn Cohen,
forthcoming 2023, Edward Elgar Publishing Ltd]
Elisabetta Biasin, Erik Kamenjasevic, Kaspar Rosager Ludvigsen
2023-03-06
