Digital transformation has swept through all aspects of the world over the past few decades, connecting many devices and systems. While this connectivity brings many benefits, it can also introduce significant risks. In this connected world, cybersecurity has emerged as a critical consideration for medical device manufacturers. In the latest in our series on the EU Medical Device Regulation (MDR) we take a look at cybersecurity: What are the new requirements and how do they impact manufacturers?
Cybersecurity Requirements under MDR
The cybersecurity requirements of the MDR have applied since its date of application in May 2021 and are designed to ensure the secure and safe use of medical devices within the EU. They encompass a range of obligations aimed at integrating cybersecurity into the design, development, and lifecycle management of medical devices. They include the following:
Integration into design and development
Cybersecurity must be incorporated as an integral part of the device design and development process, ensuring that security considerations are addressed from the outset rather than added after the fact. Manufacturers should adopt practices such as threat modeling, secure coding, and regular security assessments. Adhering to relevant standards and guidelines also helps: ISO/IEC 27001 addresses the manufacturer's information security management system, while product-level security lifecycle requirements for health software are covered by standards such as IEC 81001-5-1.
Risk management throughout lifecycle
Manufacturers must implement appropriate measures to manage cybersecurity risks throughout the entire lifecycle of the device, from conception to disposal, so that devices remain secure as new vulnerabilities emerge after they have been placed on the market.
Information provision
Information on cybersecurity risks and measures must be provided in the instructions for use and technical documentation of the device. This enables users to understand and mitigate potential security threats. Providing clear and comprehensive information also helps users operate the device correctly and know what to do if a security issue arises.
Lifecycle maintenance
Devices must be kept updated and secure throughout their lifecycle, with manufacturers responsible for addressing vulnerabilities and ensuring ongoing security. New security patches and updates must be released consistently to deal with newly identified threats. The ability to deploy updates effectively and safely is therefore essential for keeping connected medical devices secure during their lifespan.
MDCG Guidance on Cybersecurity
The Medical Device Coordination Group (MDCG) provides further insight on cybersecurity requirements in its guidance document MDCG 2019-16, which lists the General Safety and Performance Requirements (GSPRs) of MDR Annex I that relate to cybersecurity. As we’ve looked at before, manufacturers are expected to take the state of the art into account when designing, producing, and updating their devices. With this, decisions on cybersecurity measures should be proportionate to the potential security risks.
GSPRs in MDR Annex I with a cybersecurity dimension include:
- Device performance
- Risk reduction
- Risk management systems
- Control measures
- Software interactions
Section 17.2 of Annex I specifically addresses cybersecurity. It requires that software in medical devices be developed and manufactured in accordance with the state of the art, taking into account the principles of the development lifecycle, risk management (including information security), verification, and validation.
Considering these stringent requirements, it is clear that medical device manufacturers are expected to be proactive in demonstrating compliance with the cybersecurity requirements, safeguarding both patient safety and data integrity.
As we continue our exploration of MDR compliance, look out for our next article, where we'll deal with post-market surveillance. We will be investigating how manufacturers can effectively monitor and assess the performance and safety of their medical devices in the post-market phase, ensuring ongoing compliance and patient safety.
For further support on your journey towards MDR compliance, reach out to our team of experts at Intertek Medical Notified Body. We’re dedicated to empowering you with the knowledge and resources you need to thrive in the complex world of medical device regulations.
---