Cyber Security
Cybersecurity is a new area of emphasis in the MDR. Medical devices that incorporate software are exposed to a range of cybersecurity threats, largely because many of these devices were not designed with cybersecurity in mind. White-hat hackers have demonstrated on several occasions how easily their common vulnerabilities can be exploited. As the medical device industry moves towards digital health applications, health-related and privacy data become increasingly exposed to cyber attacks. The impact of an attack may include harm to patients, privacy fines under the GDPR (in the EU) and HIPAA (in the US), and reputational damage. This has underscored the need for stricter regulations and guidance on cybersecurity.
Regulatory Requirements
Multiple guidelines and documents on cybersecurity are available. However, it is the EU MDR that establishes the legal obligation behind the regulatory compliance requirements. The key standards and guidance documents against which cybersecurity conformity must be demonstrated are:
EU MDR Requirements
- EU MDR Annex I
- MDCG 2019-16: Guidance on Cybersecurity for Medical Devices
- IMDRF: Principles and Practices for Medical Device Cybersecurity
Security Risk Analysis
- ISO 14971:2019: Risk management for medical devices
- AAMI TIR57: Principles for Medical Device Security - Risk Management
Security by Design
- IEC 62304: Medical device software - Software life cycle processes
- IEC TR 60601-4-5 (tailoring of IEC EN 62443-4-2): Product-level cybersecurity requirements for medical devices
- ISO/IEC 80001-5-1 (tailoring of IEC EN 62443-4-1): Process standard for cybersecurity in health software and health IT systems (safety, security and effectiveness)
Building a cybersecurity team alongside the IT team to comply with these regulations is costly and time-consuming, and selecting a professional team with experience and knowledge of global security requirements is a complicated and challenging process. Hence, we recommend working with a third-party expert to support regulatory compliance and certification. We can support you in getting a cybersecurity test performed by an independent, knowledgeable team experienced in cybersecurity testing of medical devices against the different regulatory requirements, using internationally recognized and measurable methodologies.