Advancing EU-Focused Healthcare IoT Security Standards to Support the Cyber Resilience Act (CRA)
Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
My project under the CYBERSTAND Specific Service Procedure (SSP) focuses on contributing to the development of cybersecurity standards for Internet of Things (IoT) devices in healthcare that align with the Cyber Resilience Act (CRA).
My ambition is to support the improvement of security measures for connected medical devices by:
1 Collaborating with European Standardization Organizations (ESOs) and other standards development organizations (SDOs)
Engaging with CEN/CENELEC JTC 13, ISO/IEC JTC 1/SC 27, and other relevant bodies.
Contributing technical specifications and aligning with EU cybersecurity frameworks.
2 Addressing Cybersecurity Gaps in Healthcare IoT
Addressing fragmented security standards, vulnerabilities that remain unpatched in deployed devices, and interoperability issues.
Promoting patient data privacy and security through compliance with EU laws.
3 Engaging with Stakeholders and Gathering Feedback
Conducting virtual workshops with healthcare providers, SMEs, and EU regulators.
Integrating feedback to refine security standards and facilitate real-world adoption.
4 Delivering Key Contributions
Supporting the draft and final technical specifications for IoT security in healthcare.
Providing reports on progress, stakeholder feedback, and standardization impact.
5 Advancing CRA Implementation and EU Technological Sovereignty
Helping reduce reliance on non-EU technology providers.
Helping strengthen EU leadership in cybersecurity standardization.
What is the expected result and impact of this activity?
Enhanced Cybersecurity Standards for Healthcare IoT
Supporting new horizontal and vertical cybersecurity standards.
Contributing to requirements for encryption, authentication, and GDPR-aligned handling of patient data.
Alignment with the Cyber Resilience Act (CRA)
Helping ensure compliance with EU regulatory frameworks.
Supporting secure-by-design principles, lifecycle security, and interoperability.
Stakeholder Engagement and Practical Adoption
Encouraging collaboration with EU regulators, healthcare providers, SMEs, and device manufacturers.
Refining standards through workshops and technical discussions.
Contributions to Standardization Organizations (SDOs)
Participating in CEN/CENELEC JTC 13 and ISO/IEC JTC 1/SC 27.
Submitting technical contributions to improve cybersecurity frameworks.
Publication of Key Deliverables
Contributing to interim and final reports on standardization outcomes.
Helping develop security guidelines for industry-wide adoption.
Expected Impact
Improved Cybersecurity in Healthcare Infrastructure
Helping enhance security for wearables, monitors, and medical imaging devices.
Supporting risk reduction for patient safety and data integrity.
Harmonization of EU Standards
Contributing to more coherent, EU-wide security requirements.
Helping standardize secure software updates and access controls.
Strengthening EU Leadership in Cybersecurity
Positioning the EU as a key player in defining IoT cybersecurity best practices.
Supporting European technological sovereignty.
Facilitating Compliance for SMEs
Helping to develop guidelines and toolkits that assist SMEs in meeting CRA requirements.
Lowering barriers to market entry and innovation.
Protection of Patient Data and Privacy
Supporting GDPR-compliant data protection for IoT medical devices.
Strengthening trust in digital healthcare solutions.
Encouraging Digital Health Innovation
Supporting secure and interoperable digital health ecosystems.
Helping facilitate the adoption of AI and remote monitoring technologies.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
My work under the CYBERSTAND SSP focuses on key aspects of the Cyber Resilience Act (CRA), including:
1. Horizontal Standards for Security Requirements (numbered as in the Commission's CRA standardisation request)
Secure-by-Design Principles: Contributing to a security-first approach for IoT medical devices.
Security of Digital Products: Helping ensure products are placed on the market without known exploitable vulnerabilities (CRA Standard 2).
Secure Configuration Guidelines: Supporting secure-by-default configuration of devices (CRA Standard 3).
Vulnerability Management: Helping define secure update mechanisms so that vulnerabilities can be fixed in devices already in the field (CRA Standard 4).
Access Controls: Promoting strong authentication and protection against unauthorised access (CRA Standard 5).
Confidentiality and Integrity: Supporting protection of patient data at rest and in transit (CRA Standards 6 and 7).
Privacy and GDPR Compliance: Contributing to data minimisation, i.e. processing only the personal data needed for the intended purpose (CRA Standard 8).
Security Logging: Supporting the recording and monitoring of relevant internal activity, which also underpins incident reporting (CRA Standard 13).
2. Horizontal Standards for Vulnerability Handling
Secure Patching and Firmware Updates: Helping ensure devices receive authenticated updates throughout their support period.
Vulnerability Detection: Supporting mechanisms for identifying newly disclosed vulnerabilities in deployed devices early.
Coordinated Vulnerability Disclosure and Incident Response: Contributing to clear procedures for receiving reports, remediating issues, and notifying affected parties.
