Findings
The MDR/IVDR enhance the focus on cybersecurity for devices incorporating electronic programmable systems and software. Cybersecurity risk is inherently linked to patient safety and effectiveness; manufacturers must reduce all risks, including security risks with safety impacts, to an acceptable level. The management of security risks should be integrated into the product’s overall Risk Management System. Due to the rapid change in the threat landscape, security maintenance is a critical, ongoing requirement across the entire product lifecycle. Other EU legislation, such as GDPR (data protection) and the NIS Directive (network security), also applies in parallel.
Recommendations
Manufacturers must follow a “Secure by design” strategy throughout the Design and Development phase, adopting a “Defense-in-Depth strategy”. This includes:
Risk Management: Conduct a Security Risk Assessment (using techniques like Threat Modelling) to identify vulnerabilities and their potential impact on safety and effectiveness.
Risk Control: Prioritize mitigating risks in this order: eliminate/reduce risks through safe design; take adequate protection measures (e.g., encryption, authentication, alarms); provide information for safety and training.
Minimum IT Requirements: Clearly set out the minimum hardware, IT network, and IT security requirements for the device’s operating environment and communicate these in the Instructions for Use. Devices should be as autonomous as possible in terms of security and avoid sole reliance on the operating environment.
Vigilance: Establish a robust Post-Market Surveillance (PMS) System to actively collect information, review data, and implement corrective actions (e.g., security updates/patches) in a timely manner for security vulnerabilities and incidents throughout the device’s lifespan. Manufacturers must report all serious incidents and Field Safety Corrective Actions (FSCA).
Regulatory Considerations
Manufacturers must ensure that technical documentation includes information demonstrating conformity with all general safety and performance requirements, including justification and verification/validation of security solutions. Instructions for Use must include information on residual risks related to IT security and detailed instructions for secure installation, configuration, operation, and deployment of security updates. The entire process is a continuous, iterative cycle, requiring regular updates to technical documentation, risk management, and clinical evaluation.