Medical and diagnostic devices are increasingly connected to the internet, which exposes them to cyber threats that could ultimately affect the well-being of patients.
The European health care system is moving toward personalised, distributed, and home-based services. This is made possible by new and improved connected medical devices and in vitro diagnostic devices connected to the internet (together, CMDs), which support health care providers through reduced cost (fewer hospital beds) and improved service.
Also, patients are expected to enjoy improved quality of life in terms of reduced travel time and less stress via treatment at a place of their choice. However, for these benefits to be fully realised, the cybersecurity of CMDs needs to be ensured.
The NEMECYS project will develop tools and procedures to help device manufacturers, integrators and health care providers ensure cybersecurity by design for connected medical and diagnostic devices.

NEMECYS will support practitioners such as device manufacturers, connected device system integrators, health care providers and cybersecurity communities, who together deliver benefits to patients and the wider public through advances in the cybersecurity of connected devices.

NEMECYS helps practitioners to:

  • comply with Medical Device (MD) regulations;
  • apply proportionate MD cybersecurity (too little security risks exposure, too much is costly and can obstruct clinical care); and
  • build in cybersecurity by design for both MDs and the connected scenarios they operate in.

This is achieved by:

  • providing recommendations for best practice and guidelines for MD cybersecurity by design, along with compliance assurance tooling;
  • providing a risk-benefit scheme to address cybersecurity risk balanced with clinical benefit; and
  • providing a set of specific tools to address MD cybersecurity by design and their deployment in connected scenarios.

The main objectives of the NEMECYS project are:

  • review relevant Medical Device (MD) guidelines with a view to providing recommendations for improvement. In consultation with domain experts, four case studies will be used to identify gaps, recommend how to address them, and identify best practice for the domain of Connected Medical Devices.
  • investigate proportionate risk-benefit schemes that extend the existing state of the art, and provide cybersecurity risk assessment tools to accommodate connected medical device situations.
  • deliver tools and toolboxes targeted at three user types that reflect the lifecycle of Connected Medical Devices (CMDs):
    • at design time, supporting CMD Manufacturers,
    • during integration into connected multi-stakeholder scenarios, supporting CMD System Integrators and
    • in the operation of these scenarios, supporting Operators such as hospitals or care providers.

The technological outcome of the NEMECYS project will be tool-supported methods that facilitate:

  • semi-automatic Connected Medical Device (CMD) compliance,
  • risk/benefit analysis,
  • data privacy of software using AI/ML technology (when used as a medical device),
  • secure integration of CMDs in connected scenarios,
  • CMD management and vulnerability detection.

The NEMECYS tools and methods will be driven and validated by four case studies in relevant connected medical device scenarios.