- I. General
- II. Duty of care for health institutions (para. 1)
- III. Risk management for hospitals (para. 2)
- IV. Legal consequences of a breach of the duty of care
- Bibliography
- Materials
I. General
1 In recent years, hospitals and other healthcare facilities have increasingly become targets of cyberattacks, in Switzerland as well as worldwide. The motivation is clear: a failure of a hospital's technical infrastructure (e.g. of life-supporting medical devices or the hospital information system) can have catastrophic consequences, which makes such targets particularly lucrative for cybercriminals. Such attacks can have devastating financial consequences for the healthcare facilities affected, and they can harm patients, because life-supporting medical devices may be affected or scheduled operations have to be postponed. This problem was recognized and addressed in the total revision of the Medical Devices Ordinance in 2020. With the revised Medical Devices Ordinance, which entered into force on May 26, 2021, a new Art. 74 MedDO was created that imposes specific cybersecurity due diligence requirements on healthcare facilities and hospitals.
2 Art. 74 MedDO must be distinguished from the data protection provisions under federal or cantonal law (e.g. Art. 8 FADP), which serve to protect personal data. Art. 74 MedDO is not primarily intended to protect patient data, but to protect the technical infrastructure of the healthcare facility against failure caused by electronic attacks on network-compatible medical devices. The two areas cannot be completely separated, however: a violation of Art. 74 MedDO can at the same time constitute a violation of the data security provisions of data protection law (Art. 8 FADP), since many network-compatible medical devices (such as CT scanners or ultrasound devices) also process patient data, some of which is stored on the device itself.
3 In addition, the obligations under Art. 74 MedDO must be distinguished from the obligation of manufacturers to manufacture and market safe medical devices. According to Art. 6 para. 2 MedDO, medical devices must meet the general safety and performance requirements set out in Annex I of Regulation (EU) 2017/745 (“EU MDR”). Nos. 17.2 and 17.4 of Annex I of the EU MDR define general (safety) requirements relating to cybersecurity for devices that incorporate electronic programmable systems and for software that is itself a device. For devices that incorporate software or that are software-based, the software must be developed and manufactured in accordance with the state of the art, taking into account the principles of the development life cycle, risk management and information security (No. 17.2 of Annex I of the EU MDR). Manufacturers must also set out the minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorized access, that are necessary to run the software as intended (No. 17.4 of Annex I of the EU MDR). These cybersecurity obligations, which form the first line of defense against cyberattacks, apply to the manufacturer and must be taken into account from the development stage of the device onward. The obligations under Art. 74 MedDO, by contrast, apply not to the manufacturer but to the user, i.e. the healthcare facility, and are additional to the manufacturer's obligations. Cybersecurity is thus regulated by law at both the manufacturer level and the user level, providing two layers of protection against cyberattacks. In practice, however, cybersecurity efforts at the manufacturer level do not always meet user expectations.
One reason for this is that such network-compatible medical devices usually contain an extensive software component that is adapted to (and certified for) particular operating system versions as part of the certification process. Hospitals cannot install updates without the involvement of the manufacturer, and manufacturers in some cases do not provide updates at all, because compatibility after an update may require re-certification of the medical device, which manufacturers wish to avoid. As a result, hospitals are sometimes forced to operate medical devices on outdated software, which can serve as an entry point for cyberattacks. To counteract this, such a device and its software must be isolated from the rest of the network so that the device can no longer be used as a stepping stone into the hospital's other systems.
II. Duty of care for health institutions (para. 1)
4 Art. 74 para. 1 MedDO requires health institutions to take all technical and organizational measures necessary according to the state of the art to ensure protection against electronic attacks and access in the case of network-compatible medical devices.
5 This duty of care applies to healthcare institutions in accordance with Art. 74 para. 1 MedDO. According to Art. 4 para. 1 let. k MedDO, a healthcare institution is any organization whose main purpose is to provide care or treatment to patients or to promote public health. This corresponds to the definition in Art. 2 no. 36 of the EU MDR and includes in particular hospitals (under private and public law), but also facilities such as laboratories and other (public) health facilities that support the healthcare system but do not directly treat or care for patients. The definition of a health facility also includes doctors' practices and other outpatient medical facilities, which is why they must also comply with the due diligence requirements of Art. 74 para. 1 MedDO if they use network-capable medical devices. However, Art. 74 para. 1 MedDO does not apply to healthcare facilities that primarily promote a healthy lifestyle, such as fitness studios, spas or wellness centers.
6 The due diligence requirement in accordance with para. 1 applies only to network-compatible medical devices. Network-capable means that the medical device can be integrated into a network with other devices, so that information can be exchanged electronically between the various network-capable products and accessed from different locations. In other words, the medical device is not only integrated into the internal system of the healthcare facility but can also be reached from outside via remote access. In this context, the explanatory report of the FOPH speaks of medical devices being directly and permanently connected to the internet and intranet. In many cases, external access is mandatory so that the manufacturer can provide (remote) support. Operational technology (e.g. medical devices) and (the rest of) the information technology within the healthcare facility are increasingly converging. Practice shows that in modern medicine numerous medical devices are network-compatible; medicine without digital networking is becoming increasingly unthinkable. Examples of such network-compatible medical devices are CT scanners, mobile X-ray machines, monitoring devices in intensive care units (e.g. patient monitoring systems), ventilators and anesthesia machines. It should also be noted that the term “medical device” can include software if it meets the requirements of a medical device in accordance with Art. 3 para. 1 MedDO, which is particularly likely for patient monitoring software. In this respect, the duty of care in accordance with Art. 74 para. 1 MedDO also applies to software.
7 According to Art. 74 para. 1 MedDO, all technical and organizational measures must be taken that are necessary according to the state of the art to ensure protection against electronic attacks and access. The MedDO itself does not define technical and organizational measures. The term is, however, known from other areas of law, in particular data protection law. For example, Art. 8 para. 1 FADP requires controllers and processors to ensure data security appropriate to the risk by means of appropriate technical and organizational measures. In this context, technical measures are those that relate directly to an information system or to data carriers, whereas organizational measures are those that concern the system environment, in particular the people who use it and the processes involved. The National Cybersecurity Centre (NCSC; since January 1, 2024 the Federal Office for Cybersecurity, BACS) has issued recommendations for cybersecurity in the healthcare sector. These comprise both technical and organizational measures and are regarded by the BACS as minimum requirements. However, these recommendations do not specifically address network-enabled medical devices, but the overall information security of a healthcare facility.
8 This understanding of technical and organizational measures from other areas of law can be applied to Art. 74 para. 1 MedDO: technical measures are all measures that relate directly to the medical device, to the IT infrastructure of the healthcare facility or to the interface between the medical device and the IT infrastructure. Examples of technical measures include encryption, firewalls, backups, password protection, VPN for remote access, network segmentation and automatic screen locking. They also include the installation of periodic or manufacturer-prescribed (software) security updates and the regular or manufacturer-prescribed maintenance of the medical device. The BACS recommendations in particular list the following technical measures: (a) real-time monitoring of endpoints, (b) offline backups and disaster recovery, (c) network segmentation, (d) protection of authentication (e.g. through multi-factor authentication), (e) blocking dangerous e-mail attachments and (f) controlling the execution of files. The BACS regards measures (b), (c) and (d) as mandatory, while (a), (e) and (f) are optional (“may”) recommendations. Organizational measures under Art. 74 para. 1 MedDO, on the other hand, are measures that concern the environment of the medical device or the IT infrastructure, in particular the persons who use the network-compatible medical device or the associated IT infrastructure, and the related processes. Examples of organizational measures include training, processes, guidelines, regulations and contracts. The BACS lists the following organizational measures, both of which it considers mandatory: (a) patch and lifecycle management and (b) real-time monitoring of the log data of the security perimeter.
The importance of organizational measures should not be underestimated, since the best technical measures (such as strong password protection) are of little use if the operating personnel circumvent these measures (e.g. by placing a post-it with the password on the network-compatible medical device). Consequently, organizational measures (such as internal regulations and employee training) must be taken to ensure that the technical measures can be effective. The authors' experience shows that the following organizational measures in particular have been established in medical practice: guidelines, e-learning, training, internal blog on the topic of cybersecurity, etc. However, keeping an inventory of the network-compatible medical devices used and standardized security assessments of new device types, which are carried out before procurement, have also been established in practice as part of the organizational measures. In particular, the authors believe that larger hospitals will not be able to avoid creating clear responsibilities and dedicated functions with sufficient resources within the organization to address the issue of cybersecurity in order to comply with the legal duty of care. Smaller healthcare institutions must at least have external IT support that also includes cybersecurity in its specifications.
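To make the isolation of an unpatchable device described in para. 3 and the network segmentation and VPN-based remote access listed as technical measures in para. 8 concrete, the following nftables ruleset is an illustration added by the editor; it is not part of the original commentary, of the BACS recommendations or of any manufacturer's instructions. It assumes a Linux gateway that routes a dedicated VLAN (interface `vlan_meddev`, 10.50.0.0/24) holding legacy medical devices, two clinical servers the devices must reach (DICOM on TCP 104 and HL7 over MLLP on TCP 2575), and a single VPN jump host (on `vlan_support`) from which the manufacturer's remote support is permitted. All interface names, addresses and ports are assumptions made for the example.

```nft
# Added example (not from the original commentary): nftables ruleset on the gateway
# that routes the VLAN holding legacy, unpatchable medical devices.
# Interface names, addresses and ports below are assumptions for illustration only.
# Load with:   nft -c -f meddev.nft   (syntax check)   then   nft -f meddev.nft

table inet meddev_segmentation {
    # Clinical servers the devices are allowed to reach (assumed PACS and HIS integration engine).
    set clinical_servers {
        type ipv4_addr
        elements = { 10.20.0.10, 10.20.0.11 }
    }

    # The only source from which manufacturer remote support may reach a device:
    # the hospital's VPN jump host (assumed address).
    set support_jumphosts {
        type ipv4_addr
        elements = { 10.90.0.5 }
    }

    chain forward {
        # Weak setting this replaces: a flat network, or "policy accept" here, which lets a
        # compromised device reach the office LAN, other VLANs and the Internet.
        type filter hook forward priority filter; policy drop;

        # Replies to permitted sessions; everything else must match an explicit rule.
        ct state established,related accept
        ct state invalid drop

        # Device VLAN -> clinical servers: only the DICOM and HL7/MLLP ports (assumed 104 and 2575).
        iifname "vlan_meddev" ip saddr 10.50.0.0/24 ip daddr @clinical_servers tcp dport { 104, 2575 } accept

        # Manufacturer support: sessions may only be initiated from the jump host towards the device VLAN
        # (assumed vendor service port 22). The device can never initiate a connection in the other direction.
        iifname "vlan_support" ip saddr @support_jumphosts ip daddr 10.50.0.0/24 tcp dport 22 accept

        # Anything else to or from the device VLAN is logged (for perimeter log monitoring) and dropped.
        iifname "vlan_meddev" log prefix "meddev-blocked: " drop
        oifname "vlan_meddev" log prefix "meddev-blocked: " drop
    }
}
```

The design choices worth noting are the default `policy drop` on the forward chain (the flat network or `policy accept` is the weak configuration this replaces), the fact that the device segment may only initiate the two clinical flows and can reach neither the office LAN nor the Internet, and that vendor support sessions can only be initiated from the jump host, so a compromised device cannot use the support path to pivot. Blocked attempts are logged, which feeds the real-time monitoring of perimeter log data that the BACS lists as a mandatory organizational measure. If a workstation or server must initiate connections to the device (for example a modality worklist push), that flow needs its own explicit accept rule rather than a relaxation of the default policy.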
9 The technical and organizational measures to be taken must reflect the state of the art. This term is not defined further in the MedDO either. “State of the art” is, however, of great importance in the development of medical devices, because the generally acknowledged state of the art must be taken as the basis for the general safety and performance requirements in Chapter I of Annex I of the EU MDR. Yet the EU MDR does not contain a general definition that would give the term sharper contours. The concept is also familiar from other Swiss law: under Art. 3 para. 2 of the Product Safety Act (PrSG), products must correspond to the state of the art in terms of safety, and under Art. 5 para. 1 let. e of the Product Liability Act (PrHG), a manufacturer is not liable if it proves that the defect could not have been detected according to the state of the art at the time the product was placed on the market. From the literature and case law on this concept in other areas of Swiss law it can be derived that the state of the art must be determined according to objective criteria and must be recognized as sound by the relevant expert community. In any event, the manufacturer's specific cybersecurity instructions for a particular medical device (and any updates to them), where they exist, must be followed. In addition, it is advisable to follow the BACS recommendations on cybersecurity in the healthcare sector. The BACS regards these recommendations as “best current practices”, so that, at least from the authorities' point of view, they can be used to give concrete shape to the due diligence requirements of Art. 74 para. 1 MedDO insofar as they concern network-compatible medical devices. It can therefore be expected that authorities and courts will consult these BACS recommendations in individual cases when assessing the technical and organizational measures and compliance with the duty of care, even though they are not legally binding.
As far as international (self-regulatory) standards are concerned, ISO/IEC 27001 has established itself as the standard for information security management systems. In practice, many hospitals follow this standard even if they are not certified against it.
10 It is recommended that the technical requirements a network-enabled medical device must meet be incorporated into the healthcare facility's procurement process. When procuring network-compatible medical devices, the healthcare facility should be clear from the outset which technical and IT security standards the device must meet to ensure cybersecurity in the individual case. In May 2024, H+, the Association of Swiss Hospitals, in close cooperation with those responsible for cyber and information security at Swiss hospitals, published a fact sheet entitled “IT-Grundschutzanforderungen an Systeme – Informationssicherheit und Datenschutz” (IT baseline protection requirements for systems – information security and data protection), which defines “the minimum technical and organizational information security and data protection requirements of the hospital for systems”, in particular for all medical technology systems. The fact sheet was drawn up with due regard to the duties of care under Art. 74 para. 1 MedDO, so healthcare facilities covered by Art. 74 para. 1 MedDO should consult it for guidance even if they are not hospitals. In general, however, guidelines and fact sheets issued by authorities (such as the BACS) or associations (such as H+) have no force of law and are therefore not binding on courts or users.
11 In contrast to Art. 5 para. 1 let. e PrHG, for example, Art. 74 para. 1 MedDO does not refer to a specific point in time with regard to the state of the art. Consequently, the understanding of the term “state of the art” is subject to temporal change. If the state of the art changes with regard to cybersecurity and the appropriate technical and organizational measures that should be implemented to effectively defend against cyberattacks, the healthcare institution must adapt the measures it has taken accordingly. Consequently, the healthcare institution must regularly review its technical and organizational measures to ensure cybersecurity, compare them with the current state of technology and, if necessary, adapt them to the current state of technology. At least for hospitals, this obligation also arises from para. 2 of Art. 74 MedDO, because part of an effective risk management system is also the periodic review of the risk and the appropriateness of the measures implemented against it. From a fundamental point of view, it must be noted that the topic of cybersecurity is an ongoing process and therefore never complete.
12 According to the wording of Art. 74 para. 1 MedDO, the healthcare institution must take all measures that are necessary to ensure the protection against electronic attacks and access. The wording of Art. 74 para. 1 MedDO differs in particular from that of the related Art. 8 FADP, which requires “data security appropriate to the risk” and thus legally establishes the principle of proportionality in the area of security for personal data, which is why, for example, implementation costs may also be taken into account when assessing appropriateness. This raises the question of whether the wording “all measures necessary to ensure protection” in Art. 74 para. 1 MedDO even allows for the principle of proportionality, in particular the element of reasonableness. In our opinion, this is the case, because absolute security against cyber attacks does not exist, which is why it can only ever be a matter of appropriate, but not absolute, protection. However, due to the legal interests at stake – the health of patients – the hurdle for assessing appropriateness is to be set higher than in data protection. Consequently, under Art. 74 para. 1 MedDO, the healthcare institution is only required to implement proportionate (i.e. appropriate, necessary and also reasonable) measures that take into account the importance of the legal interests at stake.
13 The technical and organizational measures must ensure protection against electronic attacks and access, i.e. against cyberattacks: targeted attacks by unauthorized persons on the IT infrastructure and the (network-compatible) medical devices used by healthcare facilities. A distinction must be made between attacks in which the medical device itself is the actual target and attacks in which the medical device is used as an entry point into the healthcare facility's wider IT infrastructure. Art. 74 para. 1 MedDO covers both types of attack, and the technical and organizational measures must therefore address both. Typical attack vectors include malware, phishing, the exploitation of zero-day vulnerabilities and attacks on the availability of systems such as DDoS attacks or ransomware. In the authors' view, ransomware attacks are generally the most dangerous, as they can render systems unavailable, with serious operational and medical consequences for both the hospital and its patients.
III. Risk management for hospitals (para. 2)
14 Unlike the obligations in Art. 74 para. 1 MedDO, which apply to all health institutions that use network-compatible medical devices, the obligations under Art. 74 para. 2 MedDO apply only to hospitals. According to Art. 4 para. 1 lit. l MedDO, hospitals are healthcare facilities in which inpatient treatment of illnesses or inpatient medical rehabilitation or inpatient medical procedures for aesthetic reasons are carried out by medical and nursing staff. The decisive criterion for distinguishing these from doctor's offices or other (outpatient) healthcare facilities is the inpatient treatment of patients. According to Art. 74 Para. 2 MedDO, such facilities must identify, evaluate and document the technical and organizational measures in accordance with the principles of a risk management system. This risk management system must be an integral part of the hospital's quality management system.
15 Practice shows that comprehensive risk management is also standard in hospitals. With regard to the principles of an effective risk management system, please refer to the relevant literature. Art. 74 para. 2 MedDO requires hospitals to identify, evaluate and document the technical and organizational measures taken in accordance with para. 1 with regard to the risk of “cybersecurity” as part of risk and quality management, thus introducing a statutory risk management requirement for hospitals, at least with regard to cybersecurity. In practice, however, this provision is likely to be of little significance, since risk management already played a crucial role for hospitals before Art. 74 para. 2 MedDO came into force and also covered the issue of cybersecurity – as a significant risk.
IV. Legal consequences of a breach of the duty of care
A. Consequences under civil law
16 In the event of non-compliance with the due diligence requirements set out in Art. 74 MedDO, the question arises as to the legal consequences. In particular, situations need to be considered in which a cyberattack causes life-supporting medical devices to fail, resulting in the death or serious injury of patients. In addition, numerous other constellations are also conceivable, such as the postponement of vital surgeries or the malfunction of medical devices. A fundamental distinction must be made here between private and public healthcare institutions. This classification determines which liability law applies. This distinction will not be discussed further here; instead, the reader is referred to the relevant literature and case law.
17 If a (private-law) contractual relationship exists between the hospital and the patient, the hospital's potential liability is governed by Art. 97 para. 1 CO: if the obligation cannot be performed at all or cannot be properly performed, the debtor must compensate the resulting damage unless it proves that it is not at fault. The conditions for liability under Art. 97 para. 1 CO are therefore (a) breach of a contractual obligation, (b) damage arising therefrom, (c) an adequate causal link between the breach and the damage, and (d) fault (which is presumed under Art. 97 para. 1 CO). Among the forms of breach of a contractual obligation, improper performance (positive breach of contract) is of particular interest here: the debtor does perform, but the performance lacks the quality specified in the contract or does not meet the care owed under it. In principle, a distinction is made between primary (main) obligations and secondary (ancillary) obligations. The secondary obligations include duties of conduct whose purpose is to supplement the main performance and to ensure its proper fulfillment or the achievement of the purpose of the contract, namely duties of protection, care, advice, omission, information and instruction. On this basis, the duties of care arising from Art. 74 MedDO with regard to cybersecurity can be qualified as contractual ancillary duties, because they are duties of conduct intended to ensure the proper performance of the main service. They are therefore duties of the hospital to protect the patient.
18 When specifically is there a breach of the duty of care resulting from Art. 74 Para. 1 MedDO? As explained above, this concerns appropriate protection against electronic attacks and access. This appropriate protection must be determined on the basis of an objective standard in each individual case. Information sheets and guidelines – such as those of the BACS or H+ – can be consulted for assistance in specifying this objective standard, but non-compliance with the recommendations contained in such guidelines or information sheets does not automatically constitute a breach of due diligence. In practice, however, affected companies are advised to follow the guidelines and fact sheets of expert groups and to design their safety precautions based on these recommendations.
19 A violation of the duty of care as per Art. 74 para. 1 MedDO can therefore – provided that the other liability requirements of Art. 97 CO are met – lead to the healthcare institution being held liable to the affected patient, whereby the affected patient must prove the liability requirements (Art. 8 CC). In practice, it may be difficult to prove a breach of duty of care due to a lack of insight into the IT infrastructure of the healthcare facility. The fact that an attack or access has taken place is not in itself sufficient to prove a breach of duty of care. Rather, it must be proven that the healthcare institution has not taken all (reasonable) technical and organizational measures to prevent such attacks or access. In this respect, it is to be demanded that the healthcare institution concerned, as part of its procedural obligation to cooperate in accordance with Art. 160 Para. 1 CPC, must hand over the necessary IT security documentation. If the healthcare institution unjustifiably refuses to cooperate and hand over the IT security documentation, the court must take this into account when considering the evidence (Art. 164 CPC).
B. Administrative consequences
20 In addition to the civil law consequences, the administrative consequences of a violation of Art. 74 MedDO must also be considered. As the enforcement authority, Swissmedic is responsible for market surveillance and the enforcement of medical device regulation (Art. 66 para. 1 TPA). The control within the framework of market surveillance includes, among other things, the fulfillment of the obligations of the economic operators (Art. 75 para. 1 MedDO), and thus also the implementation of the obligations resulting from Art. 74 MedDO. The Swissmedic hospital inspection in 2023 with regard to medical devices showed that the issue of cybersecurity was affected by deviations in 43% of the inspections. In particular, deficiencies were found in hospitals in the area of the associated processes and interfaces, as well as in risk management. The range of available administrative measures to remedy such deficiencies is not limited in principle, since Art. 66 para. 1 TPA stipulates that all administrative measures necessary for the enforcement of the TPA may be taken. Art. 66 para. 2 TPA contains a non-exhaustive list of certain measures that can be ordered by Swissmedic. In any case, the ordered measures must satisfy the principle of proportionality.
Bibliography
Baeriswyl Bruno, Commentary on Art. 8, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (eds.), Stämpflis Handkommentar zum Datenschutzgesetz, 2nd ed., Bern 2023.
Bielefeld Jörg/Kressin Bernhard/Zawilla Peter, Wirksame Organisations-, Risiko- und Compliance-Kultur zur Haftungsvermeidung, CB 2020, pp. 205 et seq.
Bühr Daniel Lucien, Good Governance von Aufsicht und Kontrolle im Unternehmen, SJZ 118 (2022), pp. 7 et seq.
Dinkel Erik, Cyber-Sicherheit in Spitälern, LSR 2/2023, pp. 59 et seq.
Fellmann Walter, Commentary on Art. 5 PrHG, in: Widmer Lüchinger Corinne/Oser David (eds.), Basler Kommentar, Obligationenrecht I, 7th ed., Basel 2020.
Fuchs Philippe, Software als Medizinprodukt, LSR 3 (2018), pp. 183 et seq.
Lienhard Andreas, Beweislast und Beweislastumkehr, ZZZ 53 (2021), pp. 389 et seq.
Long William/Blythe Francesca/Sommer Josefine, Cybersecurity and Medical Devices, LSR 1 (2021), pp. 58 et seq.
Pfaff Dieter/Thomet Ursula, Risikomanagement des Universitätsspitals Zürich, Expert Focus 12 (2017), pp. 953 et seq.
Sidiropoulos Alexia, Haftung für Gerätefehler bei der medizinischen Diagnostik und Behandlung, Sicherheit & Recht 1 (2020), pp. 49 et seq.
Stamm-Pfister Christa, Commentary on Art. 8, in: Vasella David/Blechta Gabor P. (eds.), Basler Kommentar, Datenschutzgesetz Öffentlichkeitsgesetz, 4th ed., Basel 2024.
Wiegand Wolfgang, Commentary on Art. 97, in: Widmer Lüchinger Corinne/Oser David (eds.), Basler Kommentar, Obligationenrecht I, 7th ed., Basel 2020.
Materials
Federal Office of Public Health (FOPH), Explanatory report on the total revision of the Medical Devices Ordinance and the Ordinance on Clinical Trials with Medical Devices (Erläuternder Bericht zur Totalrevision der Medizinprodukteverordnung und Verordnung über klinische Versuche mit Medizinprodukten), July 2020 (“FOPH, Explanatory Report”).