QA/RA Consulting, Auditing & Training


Let's get started

Medical Device Cybersecurity Requirements Under the EU MDR

The European Medical Device Regulation (MDR) introduced a more rigorous approach to medical device cybersecurity, making it a safety requirement for medical devices (and IVDs under the EU IVDR). With AI making its way into the healthcare space and more devices relying on connectivity to function, hackers are becoming more sophisticated in their techniques. Manufacturers can’t sleep on cybersecurity if they want to maintain compliance and prevent a cyber breach that could, at a minimum, damage their company’s reputation and, at worst, endanger patient privacy and safety.

In this article, we’ll explore the key components of the EU MDR’s cybersecurity provisions. We will also discuss the challenges manufacturers face in aligning their existing devices with the new cybersecurity requirements and the strategies employed to ensure a smooth transition.


Documents Addressing EU Device Cybersecurity Requirements

A tangle of regulations and standards intersect to inform cybersecurity (IT security) requirements for medical devices in the . Annex I of the MDR lays out general safety and performance requirements (GSPR) for devices that carry cybersecurity risks, specifically “devices that incorporate electronic programmable systems and software that are devices in themselves.”

The Medical Device Coordination Group (MDCG) published a guidance in 2020 that provides a roadmap for manufacturers to fulfill the GSPRs from Annex I as they relate to cybersecurity. The guidance addresses pre- and postmarket cybersecurity requirements and expands on MDR language regarding design and risk assessment for software devices, which we’ll discuss in more detail in a moment. The comprises several technical documents that harmonize international cybersecurity recommendations.

Other cyber- and data-specific regulations that require compliance beyond the MDR should also inform your cybersecurity activities:


Cybersecurity Across the Life Cycle

With so many regulations and directives to consider, it’s important to get an early start designing and executing a strategy for cybersecurity compliance. The right time to begin implementing security management is in the design phase, as the safest devices from a cybersecurity perspective are “secure by design.” From there, manufacturers should prepare to incorporate cybersecurity into all aspects of their pre- and postmarket activities, from risk management, technical documentation, and clinical evaluation to postmarket surveillance (PMS) planning, reporting, and vigilance. Annex I specifies a number of activities required for addressing device security, including:

  • Device performance
  • Risk reduction
  • Risk management system
  • Risk control measures
  • Minimization of foreseeable risks, and any undesirable side effects
  • Combination / connection of devices / systems
  • Interaction between software and the IT environment
  • Interoperability and compatibility with other devices or products
  • Repeatability, reliability, and performance
  • Development and manufacture in accordance with the state of the art, taking into account the principles of the development life cycle and risk management, including information security, verification, and validation
  • Minimum IT requirements
  • Unauthorized access
  • Lay persons
  • Labeling: warnings or precautions
  • Instructions for use: residual risks, contraindications and any undesirable side effects, and minimum IT requirements


Perform Verification and Validation Testing

MDR Annex I states that devices shall be “developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.” Verification and validation testing are pre- and postmarket requirements to be performed along with risk assessments and benefit-risk analysis. According to the guidance, testing can include (but is not limited to) security feature testing, fuzz testing, vulnerability scanning, and penetration testing.

What Is “State of the Art”?

“State of the art” is often used to describe emerging technologies. But, in this context, it refers to products that are developed and commonly used in the marketplace (e.g., devices that have CE Marking and established intended use across the healthcare industry). Features, functions, and technologies that are established would be considered state of the art as long as they optimize benefits to the patient. Read our blog post on state of the art for a better understanding.


Key Medical Device Cybersecurity Concepts

The MDR directs manufacturers to set minimum requirements concerning hardware, IT network characteristics, and IT security measures, including protection against unauthorized access. The guidance emphasizes three key cybersecurity concepts on which manufacturers should focus their efforts:

  • IT security: protection of computer systems from adverse effects on assets that disrupt or misdirect the services they provide
  • Operation security: protection against the intentional corruption of procedures or workflows, producing unintended results
  • Information security: protection against the threat of theft, deletion, or alteration of stored or transmitted data within a cyber system

The guidance also advises that devices be developed using a layered “defense in depth” method. The defense in depth strategy comprises eight security practices that map to the phase of the device life cycle, from installation to maintenance:

  • Security management
  • Specification of security requirements
  • Secure by design
  • Secure implementation
  • Security verification and validation testing
  • Management of security-related issues
  • Security update management
  • Security guidelines


Emphasis on Operational Requirements

Under the MDR, manufacturers are responsible for establishing minimum IT requirements for their product and communicating them to users. This includes establishing IT network characteristics, security measures, and configuration requirements based on the findings from your risk assessment. These requirements and instructions must be clearly described in your instructions for use (IFU). When you’re dealing with a changing technology landscape, however, you must anticipate and communicate changes to your product’s IT requirements and expedite these changes to users. You must also consider the different roles within the healthcare organization that may interact with your product: integrator, operator, and of course providers and patients.


Balancing Security and Safety with Effectiveness

Weak device security is an obvious safety concern. You can imagine a number of dramatic scenarios, such as a hacker disrupting the functioning of a connected device. However, most cybersecurity risks are less nefarious but still very high-stakes. Any security risk that causes a device not to function as intended carries varying degrees of risk, depending on the device type. These risks could include exposing private patient information (a serious legal and privacy liability) or software crashing at a critical moment because its operating conditions are poorly defined.

While manufacturers must factor security into their risk assessments, more security doesn’t always make a device safer. Depending on the device type, characteristics, etc., security measures that are too restrictive could interfere with the device’s functionality and intended use. It is crucial to design security measures with a deep understanding of the scenarios in which the device will be used (or misused) and the individual roles using or accessing the device. For instance, healthcare professionals may need access to a device to administer emergency care, even if that device needs strong security measures under normal conditions.


Want to Learn More?

Cybersecurity must be a top priority for all devices seeking CE Marking. Between unpacking requirements in the MDR and all of the other security and data privacy regulations one must adhere to, complying with cybersecurity requirements in the EU isn’t getting any easier. Oriel STAT A MATRIX offers several training classes that can level up your understanding of security risk management. Our ISO 14971 training classes are among our most popular, along with our cybersecurity training course. And, when you’re ready, our risk consultants are available to help as well.

Our team is here to help. Contact us online
Get answers right now. Call

US OfficeWashington DC


EU OfficeCork, Ireland

+353 21 212 8530