Cybersecurity for Medical Devices

Best practice guidelines and regulatory requirements

ISO 81001-1 defines cybersecurity as “a state where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle”.

Current pitfalls

Modern medical devices benefit from improved cybersecurity features. However, many legacy devices still in use today were not designed to withstand current cybersecurity threats or to meet today’s stringent requirements, potentially posing increased risks to patient safety. Manufacturers are required to ensure that medical devices placed on the EU and UK markets meet the new technology challenges related to cybersecurity risks. This best practice guideline gives you access to the reference documentation needed to fulfil the essential requirements for medical device cybersecurity.

MDR and IVDR requirements

MDR and IVDR introduced stricter safety requirements for all medical devices incorporating electronic programmable systems and software, which are now considered medical devices themselves. The regulations require manufacturers to develop and manufacture medical devices in accordance with the state of the art, taking into account risk management, information security and protection against unauthorized access. Cybersecurity requirements are listed in Annex I of MDR and IVDR:

• Medical Device Regulation (MDR) 2017/745
• In-vitro Diagnostic Regulation (IVDR) 2017/746

For additional information on the correspondence of these requirements between the two regulations and on cybersecurity activities to be conducted across the life cycle of medical devices, please refer to MDCG 2019-16. For guidance on qualification and classification of software in MDR and IVDR, please refer to MDCG 2019-11.