Health-ISAC Hacking Healthcare 11-15-2024
This week, Health-ISAC®’s Hacking Healthcare® examines what we learned from the recent confirmation hearings for those hoping to become EU commissioners for the new term. We break down the two most relevant policy portfolios and what was said at the hearings before we examine what it all might mean for Health-ISAC members.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
TLP WHITE Hacking Healthcare 11.15.2024
Welcome back to Hacking Healthcare®.
Confirmation Hearings Provide Glimpse of EU Tech & Cybersecurity Priorities
From November 4 to 12, the individuals nominated to become commissioners of the various EU policy portfolios were subject to hours-long hearings before European Parliament committees looking to assess their credentials and policy stances. Final confirmation and approval for all the commissioners-designate may take a bit of time, as behind-the-scenes negotiations and haggling among the EU parties will influence the outcome, but we do have a general sense of where things are headed. Most importantly, what was said in these hearings provides a glimpse of what might be in store for the healthcare sector in terms of legal and regulatory approaches to cybersecurity and medical technologies.
Let’s review what we learned over the past week and a half.
Henna Virkkunen
The most influential confirmation hearing was likely the last one on the official agenda. Late on November 12, Henna Virkkunen sat for a lengthy confirmation hearing in her bid to become the Executive Vice President for Tech Sovereignty, Security and Democracy. The position is notable because the policy portfolio includes elements of cybersecurity, artificial intelligence, quantum computing, digital norms and standards, and other tech-related issues. In terms of healthcare-sector-related projects, European Commission President Ursula von der Leyen outlined several initiatives for Virkkunen to pursue in a Mission Letter published back in September,[i] including:
- Reducing reporting obligations
- Contributing to an action plan on cybersecurity of hospitals and healthcare providers
- Defending critical infrastructure from cyber threats
- Cracking down on cybercrime
- Boosting artificial intelligence (AI) innovation and application
- Improving the adoption of European cybersecurity certification schemes
What was said?
The questioning in the confirmation hearing was heavily shaded by the recent election results in the United States, with committee members eager to press Virkkunen on how she would deal with a Trump administration. While declining to be drawn in on too many details, Virkkunen’s responses provided a glimpse of how she may handle issues that could directly affect Health-ISAC members if she is confirmed, including:
- Legal & Regulatory Approach: In a headline-grabbing statement, Virkkunen expressed that “An ‘Act’ is not the answer to everything.”[ii] She further outlined how the upcoming term may be guided more by simplifying the regulatory environment and assessing potentially unnecessary rules.
- Reporting Obligations: Aligning with the legal and regulatory approach, and noting the administrative burden on entities, Virkkunen declared she would strive to reduce reporting obligations. She specifically mentioned that on her first day in office she would have a list compiled of all the reporting obligations that organizations face.
- Technology Sovereignty: Virkkunen expressed her “full commitment” to developing European technology sovereignty. This is to include ensuring that products used in critical infrastructure are secure and reliable.
- Support for Ukraine: Virkkunen also stressed the importance of European security, the need to support Ukraine, and the threat posed by Russia.
- AI in Pharma: Virkkunen stated that she wants “Europe to become an AI continent,” and she singled out the potential benefits of AI in the pharmaceutical sector as an example of how an AI strategy might be applied.
Olivér Várhelyi
Olivér Várhelyi was the other nominee who could have a significant impact on healthcare-sector cybersecurity and tech policy as the commissioner for Health and Animal Welfare. In her Mission Letter to Várhelyi in September, von der Leyen outlined tasks including:[iii]
- Boosting the competitiveness, resilience, and security of health systems
- Proposing a Critical Medicines Act to address the severe shortages of medicines and medical devices and reduce dependencies relating to critical medicines and ingredients
- Proposing a new European Biotech Act, focusing on the need for a regulatory environment conducive to innovation in areas of health-technology assessment
- Evaluating the need for potential changes to medical-device legislation
- Contributing to an action plan on cybersecurity of hospitals and healthcare providers
- Promoting the uptake of artificial intelligence, notably through clear and timely guidance on its use in the lifecycle of medicines
What was said?
Várhelyi is a controversial pick who has ruffled feathers in the EU parliament for past statements about his colleagues, his connection to Hungarian Prime Minister Viktor Orbán, and concerns over his policy stances on vaccines and abortions. While much of the hearing was spent addressing those issues, there were some responses that were much more relevant for medical devices:[iv]
- Medical Device Regulation: Várhelyi suggested he would pursue measures to simplify procedures of the current framework, aim to have a review of the current regulation completed within 2025, and follow it up with a legislative proposal.
- Critical Medicines Act: While we noted this initiative in von der Leyen’s mission letter, Várhelyi proposed addressing this within the first 100 days of the new mandate.
Action & Analysis
**Included with Health-ISAC Membership**
We will continue to track developments around this portfolio due to the potential for substantive changes to medical-device regulations, health-technology regulation, and the action plan on cybersecurity of hospitals and healthcare providers.
[i] https://commission.europa.eu/document/download/3b537594-9264-4249-a912-5b102b7b49a3_en?filename=Mission%20letter%20-%20VIRKKUNEN.pdf
[ii] https://www.digitaleurope.org/news/digitaleuropes-reaction-to-the-virkkunen-and-sejourne-hearings-an-act-is-not-the-answer-to-everything/
[iii] https://commission.europa.eu/document/download/b1817a1b-e62e-4949-bbb8-ebf29b54c8bd_en?filename=Mission%20letter%20-%20VARHELYI.pdf
[iv] https://www.politico.eu/article/european-commissioner-hearings-hungary-oliver-varhelyi-health-animal-welfare/