New gui­dance docu­ment on cyber­se­cu­ri­ty for medi­cal devices

The “Gui­dance on Cyber­se­cu­ri­ty for medi­cal devices,” published in Decem­ber 2019 by the MDCG, is desi­gned to ser­ve as an aid for medi­cal devices manu­fac­tu­r­ers in com­ply­ing with cybersecurity-specific requi­re­ments, par­ti­cu­lar­ly tho­se found in Annex I of (new) Regu­la­ti­ons (EU) 2017/745 (the MDR) and (EU) 2017/746 (the IVDR)

For the most part, the gui­dance docu­ment pres­ents basic con­cepts in cyber­se­cu­ri­ty and makes clear that cyber­se­cu­ri­ty must be regard­ed as part of the fun­da­men­tal requi­re­ments for the gene­ral safe­ty and effec­ti­ve­ness of medi­cal devices. Accor­din­gly, the docu­ment makes refe­rence to the regu­la­to­ry requi­re­ments of the MDR and IVDR which are of rele­van­ce for medi­cal devices manu­fac­tu­r­ers while at the same time offe­ring hints for the imple­men­ta­ti­on of aspects rela­ting to cybersecurity.

The gui­dance docu­ment sta­tes that gene­ral IT secu­ri­ty is of cen­tral importance for all aspects of cyber­se­cu­ri­ty and that it is to be asses­sed depen­ding on the product’s risk, inten­ded use and ope­ra­ting envi­ron­ment. It also notes that the goals of pro­duct safe­ty, secu­ri­ty and effec­ti­ve­ness are to be kept in mind at all times when desig­ning secu­ri­ty mecha­nisms for medi­cal devices and in-vitro diagnostics.

A signi­fi­cant part of cyber­se­cu­ri­ty is risk pre­ven­ti­on. What this means for medi­cal device manu­fac­tu­r­ers is that secu­ri­ty mecha­nisms have to be imple­men­ted in the product’s deve­lo­p­ment pha­se, and not only in the manu­fac­tu­ring pro­cess.  Such mecha­nisms include, abo­ve all:

  • secu­re design,
  • a secu­ri­ty risk manage­ment system,
  • secu­ri­ty capabilities,
  • a stan­dar­di­zed secu­ri­ty risk assessment,
  • a secu­ri­ty bene­fit risk analysis,
  • mini­mum IT requi­re­ments, and
  • vali­da­ti­on and veri­fi­ca­ti­on throug­hout the pro­duct life cycle.

The gui­dance docu­ment also points out that cyber­se­cu­ri­ty aspects may be of rele­van­ce for docu­men­ta­ti­on and in draf­ting ins­truc­tions for use. Pro­duct docu­men­ta­ti­on must include e.g. secu­ri­ty requi­re­ments to ensu­re safe­ty and pro­duct effec­ti­ve­ness: this includes cyber­se­cu­ri­ty! In addi­ti­on, the ins­truc­tions for use which are pro­vi­ded with medi­cal devices must include infor­ma­ti­on rela­ting spe­ci­fi­cal­ly to cyber­se­cu­ri­ty, such as infor­ma­ti­on rela­ting to pro­duct instal­la­ti­on or step-by-step ins­truc­tions for deploy­ing secu­ri­ty updates. The spe­ci­fic shape which the­se requi­re­ments take in each case depends on the secu­ri­ty risk, the ope­ra­ting envi­ron­ment and the spe­ci­fic product.

In addi­ti­on to pre­ven­ti­on and docu­men­ta­ti­on requi­re­ments, medi­cal device manu­fac­tu­r­ers also have to satis­fy post-market sur­veil­lan­ce requi­re­ments, inclu­ding con­ti­nuous moni­to­ring and reme­dia­ti­on of cyber­se­cu­ri­ty vulnerabilities.

The spe­ci­fic (cyber­se­cu­ri­ty) requi­re­ments for each medi­cal device and manu­fac­tu­rer depend on the spe­ci­fic situa­ti­on in each case, par­ti­cu­lar­ly the product’s inten­ded use, reason­ab­ly fore­seeable misu­se and ope­ra­ting envi­ron­ment. For this reason, the gui­dance docu­ment notes that manu­fac­tu­r­ers should include cyber­se­cu­ri­ty ques­ti­ons in their risk assess­ments from the very begin­ning, in other words from the deve­lo­p­ment pha­se, and should con­ti­nue to do so throug­hout the product’s life cycle.

As medi­cal devices beco­me incre­asing­ly digi­ti­zed and con­nec­ted, this gui­dance docu­ment illus­tra­tes to manu­fac­tu­r­ers once again and with par­ti­cu­lar urgen­cy that cyber­se­cu­ri­ty is an essen­ti­al part of pro­duct safe­ty and one that may not be negle­c­ted at any point during the product’s life cycle if the pro­duct is to com­ply with regulations.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.