Guidance on Cybersecurity for medical devices
The Medical Device Coordination Group (MDCG) published new guidance on 6th January 2020 for manufacturers on how to fulfil all the relevant essential requirements of Annex I to the Medical Devices Regulation (MDR) and In-vitro Diagnostic Medical Devices Regulation (IVDR) with regard to cybersecurity.
The two Regulations enhance the focus of legislators on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks. In this respect, the new texts lay down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access.
The cybersecurity requirements listed in Annex I of the Medical Devices Regulations deal with both pre-market and post-market aspects.
In conclusion, the Medical Devices Regulations request manufacturers of medical devices to consider the state of the art when designing, developing and upgrading medical devices across their life cycle. Manufacturers should demonstrate the state of the art in their decisions (based on applicable standards, guidance, their own proprietary knowledge and publicly available scientific / technical information) while demonstrating that those decisions are appropriate to address security risk proportionally.