Categories
Digital Health MedTech

Why AI in Healthcare Has a Security Problem

Every health AI model is a decision engine — and an attack surface.

The Risks (with Evidence)

  • Adversarial examples derail medical imaging AI — systematic review across radiology (European Journal of Radiology).
  • Data poisoning, inversion & extraction are recognised clinical AI risks with mitigations like audit trails and continuous monitoring (García-Gómez et al.).

Why Healthcare Is Special

  • High stakes, legacy networks, and fragile systems — the WannaCry ransomware attack disrupted NHS care at scale (UK National Audit Office).

Framework for Defence

  1. Threat modelling & asset inventory
  2. Data integrity controls
  3. Access isolation
  4. Logging & audit trails
  5. Drift monitoring
  6. Adversarial testing
  7. Rollback plan

Aligned with the EU AI Act’s high-risk obligations: risk management, logging, human oversight (European Commission).

In healthcare, AI isn’t “just software” — it’s safety-critical infrastructure.

Categories
Digital Health MedTech

From MRI to MedTech: Securing AI-Powered Devices

Your pacemaker is now an endpoint. Attackers read release notes too.

Why Devices + AI Are Tricky

  • Firmware–model coupling, edge inference, constrained compute, long lifetimes.
  • Risks mapped in Biasin et al.’s study on AI medical device cybersecurity (arXiv).

Case in Point

The 2017 firmware recall for ~465k Abbott (St. Jude) pacemakers shows the stakes, a patch was issued to mitigate RF cybersecurity vulnerabilities (Read more).

Regulatory Overlap

  • AI used for medical purposes typically lands in high-risk under the AI Act, layering obligations on top of MDR/IVDR (European Commission).
  • This includes logging, robustness, and human oversight.

Secure Design Patterns

  • Isolation/sandboxing
  • Secure boot + model integrity checks
  • Fail-safe fallback modes
  • Lightweight cryptography
  • Device logging & anomaly detection
  • OTA updates with rollback
  • Adversarial robustness testing

Ship devices with a patch plan, audit trail, and model provenance. Or don’t ship at all.

Categories
Digital Health MedTech

Pharma Beyond the Pill: AI, Patient Data & the Hacker’s Jackpot

Pharma wants real-world data; adversaries want it more.

Case Studies

  • MyFitnessPal breach (2018): 150m accounts compromised — a reminder of health data’s value (TIME).
  • Flo Health (2021): settled with US FTC for sharing sensitive reproductive data despite promising privacy (FTC).
  • Flo Health (2025): faced new lawsuits; a California jury also found Meta liable for collecting Flo user menstrual data without consent (Reuters).

Risk Hotspots

  • Insecure APIs/model endpoints
  • Sensor spoofing
  • Third-party SDK vulnerabilities
  • Cross-border transfers under GDPR special category rules

Mitigations

  • Privacy by design (minimise, pseudonymise, differential privacy)
  • Strong auth & rate limiting
  • TLS + encryption at rest
  • Transparency & explainability
  • Dependency vetting
  • Incident response aligned to GDPR & AI Act timelines

Your real-world data strategy is only as strong as your real-world security.

Categories
Digital Health MedTech

Startups at Risk: The AI Security Blind Spot in HealthTech Funding

VCs love TAM slides. Users love not being breached.

Why Startups Under-Secure

  • MVP pressure, scarce resources, misaligned incentives
  • Lack of security expertise on early teams
  • Investor pressure to scale fast

Investors Waking Up

  • Some VCs now include security diligence checklists.
  • EU accelerators and Horizon programs require security roadmaps.
  • Compliance overhead from AI Act + NIS2 makes neglect unsustainable (European Commission).

Diligence Questions

  • Threat model?
  • Training data integrity?
  • Drift detection?
  • Audit trails?
  • OTA security?
  • DPIA performed?

Minimal Security Stack

  • IAM with least privilege
  • Encrypted storage/transit
  • ML provenance tracking
  • Logging & audits from day one
  • Version gating
  • Light adversarial sweeps
  • Incident response playbook

Secure runway beats growth at any cost, especially in health.

Categories
Digital Health MedTech

Towards Trust: Can Europe Lead on Secure AI in Healthcare?

Europe wrote the rules. Now it has to monetise them.

The EU Stack

Why It Can Be a Moat

  • “Secure by design” branding
  • Regulatory export advantage
  • Procurement preference for certified solutions
  • Public trust premium

Risks & Tensions

  • Overregulation chilling startups (Harvard Petrie-Flom)
  • Fragmentation of enforcement across Member States
  • Standards lagging behind attack vectors

If Europe aligns security, standards, and procurement, trust becomes a market advantage — not a compliance tax.

Categories
Digital Health MedTech

FAQ: AI Security in Healthcare

Is AI safe to use in healthcare?

AI can improve diagnostics, treatment recommendations, and patient monitoring but without safeguards it can be manipulated. Adversarial attacks on medical imaging AI have been shown to cause misclassifications (European Journal of Radiology).

The EU recognises this: under the AI Act, most health AI is “high-risk” and must meet requirements for risk management, logging, transparency, and human oversight (European Commission).

What makes healthcare AI especially vulnerable?

  • High-value data: medical records and biomarkers can be monetised.
  • Legacy IT systems: hospitals often run outdated software.
  • Safety-critical use cases: an AI mistake can harm patients.

A striking example: the WannaCry ransomware attack (2017) disrupted the UK NHS, cancelling appointments and locking critical systems (UK National Audit Office).

What regulations apply to AI in healthcare in Europe?

  • AI Act (2024) high-risk AI systems must comply with strict risk, logging, and oversight rules (European Commission).
  • MDR/IVDR safety and performance rules for devices, including AI-powered ones.
  • NIS2 Directive (2023) cybersecurity rules for hospitals and health infrastructure (European Commission).
  • European Health Data Space (EHDS) secure EU-wide health data access and exchange from 2025 (European Commission).

What real-world health data breaches should I know about?

  • MyFitnessPal (2018): 150m accounts exposed (TIME).
  • Flo Health (2021): settled with US FTC for sharing sensitive reproductive data without consent (FTC).
  • Flo Health (2025): faced new lawsuits; a California jury also found Meta liable for illegally collecting Flo users’ menstrual data (Reuters).

These cases underline that health data is both sensitive and heavily scrutinised.

What can startups do to avoid AI security pitfalls?

  • Secure training data integrity
  • Audit trails from day one
  • Adversarial testing
  • Incident response plans
  • Data Protection Impact Assessments (DPIAs) under GDPR

Investors increasingly check these; a weak security posture is becoming a deal-breaker.

Can Europe lead on AI security in healthcare?

Yes, if it turns regulation into a competitive advantage.

Europe’s bet is that “trustworthy AI” will attract hospitals, regulators, and patients. If secure-by-design becomes the norm, EU firms may gain a global edge, provided compliance doesn’t strangle startups.

In healthcare, AI is only as valuable as it is trustworthy. Europe is trying to legislate that trust into existence.

Categories
Digital Health MedTech

AI Security in Healthcare: Europe’s Strategic Fault Line (and How to Win It)

AI in healthcare is often sold as a story of improved diagnostics, personalised therapies, and predictive medicine. But beneath that dream lies a fragile backbone: security. One breach, one exploited model, and reputations, finances, even lives are at stake.

In Europe, this tension is amplified. The Artificial Intelligence Act entered into force on 1 August 2024, putting health AI under new obligations (European Commission). At the same time, NIS2 extends cyber resilience rules to hospitals, while the European Health Data Space (EHDS) (in force from March 2025) will demand interoperable, secure data exchange.

This series of posts dissects that tension from five angles:

  1. Why AI in Healthcare Has a Security Problem: Overview of attack vectors, real-world risk, regulatory context.
  2. From MRI to MedTech: Securing AI-Powered Devices: How embedded and edge AI in devices create vulnerabilities.
  3. Pharma Beyond the Pill: AI, Patient Data & the Hacker’s Jackpot: Why pharma’s “beyond the pill” strategies are hacker magnets.
  4. Startups at Risk: The AI Security Blind Spot in HealthTech Funding: Why early-stage ventures often underinvest in security.
  5. Towards Trust: Can Europe Lead on Secure AI in Healthcare?: Can the EU turn trust and compliance into a competitive advantage?
  6. FAQ: AI Security in Healthcare

The future of health AI won’t be won on models — it’ll be won on trust.

Categories
Digital Health MedTech

Quantum Healthcare in Europe: Funding, Regulation and the Path to Market

Europe’s Quantum Moment

Europe is not just a consumer of quantum technologies, it’s investing heavily to become a global leader. The Quantum Technologies Flagship commits €1 billion over 10 years to research and commercial pilots.

Add Horizon Europe and EuroHPC’s hybrid supercomputers, and you get a uniquely European playbook: strong public co-funding, national champions, and cross-border infrastructure.

Key hubs include:

  • France: Pasqal, a neutral-atom hardware leader, and Qubit Pharma, focused on quantum drug discovery.
  • Germany: Fraunhofer institutes leading applied research and partnerships with IBM.
  • Finland: Algorithmiq, developing quantum algorithms for pharma and life sciences.

Regulation as Strategy

What makes Europe unique is not qubit counts but regulation as market infrastructure. For quantum healthcare, three frameworks matter most:

  • GDPR: mandates privacy and security by design, critical for sensitive genomic and clinical data.
  • Medical Device Regulation (MDR) & In Vitro Diagnostic Regulation (IVDR): quantum-enabled diagnostics must clear the same CE-marking hurdles as any AI-driven device.
  • AI Act: classifies healthcare AI (quantum or not) as “high-risk,” requiring transparency, bias monitoring, and human oversight.

For founders, this is not just a compliance burden but a potential export advantage: build under Europe’s strict rules, and your product is more likely to pass scrutiny in the US, UK, and Asia.

The Funding Landscape

European investors are cautiously optimistic. Quantum is a long game, but public–private models are de-risking the early stage. The European Investment Bank (EIB) has begun backing quantum startups, and national governments (e.g. France’s €1.8bn quantum plan) provide direct subsidies.

Still, private VC funding in Europe lags the US. The opportunity lies in co-investment: pairing deep-tech VCs with public grants to build resilient ventures that can survive the long runway to commercial ROI.

Strategic Takeaway

For Europe’s medtech and pharma founders:

  • Embrace regulation early: treat MDR, GDPR, and the AI Act as design inputs, not afterthoughts.
  • Leverage co-funding: combine EU and national grants with private capital to extend runway.
  • Anchor in hubs: partner with HPC centres, Fraunhofer, or national quantum labs to gain credibility.

Quantum healthcare in Europe won’t be won by the first to 1,000 qubits. It will be won by the first to regulation-ready, market-accessible solutions that can scale across 27 member states and then export globally.

Categories
Digital Health MedTech

Harvest Now, Decrypt Later: Why Healthcare Must Go Post-Quantum Today

The Threat

Healthcare runs on trust — but its digital backbone is fragile. A sufficiently powerful quantum computer will run Shor’s algorithm, breaking RSA and elliptic curve cryptography. That means everything from EHRs to connected pacemakers is at risk.

And the danger isn’t hypothetical. Adversaries are already engaging in “Harvest Now, Decrypt Later” (HNDL) — collecting encrypted medical data today to crack open once quantum machines catch up. Health records are especially valuable because they must remain confidential for decades, often a century.

The Urgency

The US NIST finalised the first post-quantum cryptography (PQC) standards in 2024, including CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for signatures. The EU has yet to mandate PQC explicitly, but under GDPR’s requirement for “appropriate technical measures”, regulators will likely interpret compliance as requiring migration.

Medtech and pharma firms cannot afford to wait. Migration is not a patch but a multi-year transformation: inventorying cryptographic assets, building crypto-agile architectures, and upgrading every system from EHRs to clinical trial platforms.

The European Edge

Europe is not passive. The EuroQCI initiative aims to build a pan-European quantum communication infrastructure based on quantum key distribution (QKD) — an ultra-secure backbone for critical sectors, healthcare included.

But PQC migration remains the urgent first step. Quantum-secure comms infrastructure is years away; vulnerable encryption is a present reality.

Strategic Takeaway

For European healthcare organisations:

  • Start the migration now: waiting until Y2Q is too late.
  • Prioritise PQC vendors and services: the “picks and shovels” of the quantum security gold rush.
  • Engage boards early: GDPR fines (4% of global turnover) make PQC a board-level risk.

Quantum computing’s promise in drug discovery may take a decade. Its threat to healthcare cybersecurity is here today. The winners will be those who treat post-quantum cryptography not as R&D, but as critical infrastructure.

Categories
Digital Health MedTech

Europe MedTech & Digital Health Weekly Brief (Week of August 30–September 5, 2025, #5)

Hospitals want evidence, investors want traction: this week mixed the two: GI diagnostics, insulin delivery, genomics M&A. And sprinkled in fresh CE marks for surgical robots.

People on the move

Data4Life (DE), a digital health nonprofit backed by SAP founder, Hasso Plattner, appoints Dr. Ben Illigens as CEO to steer its health data and research initiatives. Data4Life is building open source platform Data2Evidence, which is based on the international OMOP data model.

“We are at a turning point where digital technologies are fundamentally transforming research and care. My goal is to strengthen Data4Life as a bridge between clinical research, technology, and practice,”
Dr. Ben Illigens.

Lottie (UK): George Hadjigeorgiou, cofounder of ZOE, a personalized nutrition health company, joins the board of Lottie as NED, signaling deeper crossover between consumer health and eldercare ops. Lottie is a UK’s marketplace for care homes and care services.

Money flows

Kaleido Insulin Pump visualisation - Source: https://hellokaleido.com/

ViCentra (NL) — $85M Series D; insulin patch pump maker (Kaleido) fuels next-gen device development and scale-up.  Round was led by new investor Innovation Industries, a leading European deeptech venture capital firm, with matching participation from existing investors Partners in Equity and Invest-NL, alongside continued support from EQT Life Sciences and Health Innovations.

Cyted Health (UK) — €37.5M Series B; GI molecular diagnostics to improve early detection and prevention of oesophageal cancer. Round aims to expand US commercialization while consolidating NHS footprint. Investment led by EQT Life Sciences, Advent Life Sciences and British Business Bank with continued support from existing investors Morningside and BGF.

ArcaScience (FR): $7M round led by The Moon Venture; AI “benefit–risk” intelligence platform for life-sciences R&D to clean, link and query messy evidence.

Aiomics (DE) — €2M pre-Seed; clinical-grade AI agents to reduce clinical documentation burden and improve care pathways.

M2Care (FR): €26M venture-studio raise from Bpifrance’s FTA2 fund to create/develop eight healthtech projects. Other investors in M2Care are Mérieux Développement (who actully created this incubator), Institut NAOS des Sciences de la Vie, Crédit Agricole Centre-Est. 

SeqOne (FR) aquired Congenica (UK), on undisclosed terms.
This merger creates a larger AI-powered genomics software group with strong UK presence.

On the press

One thing to remember

Evidence-first commercialisation is back: capital flowed to diagnostics and chronic-care delivery while robotics snagged CE marks. A cross-border genomics deal underlined that European buyers will pay for software that shortens time-to-impact. If you’re fundraising, pair outcomes data with a path to multi-market reimbursement; if you’re buying, look for software that accelerates clinical workflows, not just visibility.