The Medical Device Regulation: Strengthening Cybersecurity for Medical Devices in the EU 

Cybersecurity has become a growing concern within the medical device industry in recent years. The advancement of wireless technology has driven a significant period of medical innovation and growth, and has brought us to where we are today: a huge number of connected medical devices that generate, collect, analyse and transmit data faster and more effectively than ever before.

While connected medical devices have revolutionised the medical industry, the increased connectivity means that the healthcare sector is increasingly exposed to cybersecurity risk. Every network interface, wireless link and software update path on a device is also a potential attack surface. This has led to a need to re-examine security laws, regulations and processes.

We previously discussed how the United States has been placing much greater emphasis on medical device cybersecurity and on strengthening cybersecurity posture. We spoke of the impact of Joe Biden’s Cybersecurity Executive Order and of some of the healthcare cybersecurity standards and best practices that have been launched in the US.

But how has Europe compared? 

Medical Device Regulation in Europe 

There are many reasons why cybersecurity is now a top consideration for medical device manufacturers and healthcare institutions:

• To protect patient safety;
• To avoid privacy fines under the GDPR;
• To prevent disclosure of personal patient data and health information;
• To reduce the possibility of reputational damage due to a breach.

With all this in mind, it is imperative that medical device manufacturers place emphasis on cybersecurity and are able to design and manufacture products that are safe, secure and continually monitored for cyber risks after they reach the market.

The EU regulatory landscape has evolved to reflect these new concerns and considerations, and EU medical device legislation is currently undergoing a number of significant changes. In 2017, it was decided that three former directives would be replaced by two new regulations: the Medical Device Regulation (MDR) 2017/745 [1] and the In Vitro Diagnostic Medical Device Regulation (IVDR) 2017/746 [2]. While the previous directives mentioned cybersecurity only sparingly, the issue is now front and centre.

Cybersecurity-related GSPRs in MDR and IVDR 

For medical device manufacturers, the keystone for compliance is conformity with the General Safety and Performance Requirements (GSPRs) set out in Annex I of the MDR. On January 6th, 2020, the Medical Device Coordination Group (MDCG) published new guidance on cybersecurity for medical devices, MDCG 2019-16, to help manufacturers fulfil all the relevant cybersecurity requirements in Annex I of the MDR. The guidance once again reflects the changing nature of the industry, with the focus placed firmly on cybersecurity.
Below is an extract from that guidance document.

“Among the many novelties introduced, the two Regulations enhance the focus of legislators on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks. In this respect, the new texts lay down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access.” 

The Path to Greater Cybersecurity 

Given the amount of change within the EU regulatory landscape, it can be difficult for medical device manufacturers to know where to begin. When it comes to the EU Medical Device Regulation, the best approach is to understand and conform to the critical standards first. These include:

Regulatory Requirements

• Medical Device Regulation (MDR) 2017/745 [1]
• EU MDR Annex I (General Safety and Performance Requirements)
• MDCG 2019-16: Guidance on Cybersecurity for Medical Devices

Risk Management Best Practices

• IMDRF: Principles and Practices for Medical Device Cybersecurity
• AAMI TIR57: Principles for Medical Device Security – Risk Management
• ISO 14971:2019: Application of risk management to medical devices

Key Takeaway from EU Medical Device Regulation: 

The security risk management process follows the same overall steps as a traditional safety risk management process: identify, analyse, evaluate, control and monitor. A good approach is therefore to extend the risk management methodology and requirements a manufacturer already has in place for ISO 14971 with the security-specific guidance in AAMI TIR57, rather than building a separate, disconnected process. The two processes must exchange information: a security risk that can affect patient safety (for example, tampering with a therapy setting) has to be fed into the safety risk analysis, and a safety risk control that relies on a security property has to be verified there.

Security risk management is a critical part of overall product security management. It is the mechanism for evaluating newly discovered vulnerabilities and deciding whether action is necessary, and it documents the vulnerabilities, threats and controls that apply to the device. This activity spans the total product lifecycle, serving as a foundation both for design and development and for post-market monitoring and management.

SelectEvidence® is designed with security risk management at its core. A security risk assessment begins with threat modelling to identify, understand and share potential threats to medical device assets.

[Figure: Information flow in safety and security risk management for medical devices. Source: MDCG 2019-16, Guidance on Cybersecurity for Medical Devices, Figure 6.]

The First Step Towards Compliance 

At Nova Leah, we believe that a great first step towards compliance is to focus on MDCG 2019-16: Guidance on Cybersecurity for Medical Devices. As mentioned above, this guidance was published to help manufacturers fulfil all the relevant cybersecurity requirements in Annex I of the MDR.

The guidance urges medical device manufacturers to “consider the state of the art when designing, developing and upgrading medical devices across their life cycle.” Furthermore, manufacturers are expected to conduct clinical evaluations, compile technical documentation and apply the conformity assessment procedures. They are also required to have strict processes in place for both risk management and quality management.

The EU medical device landscape has undergone considerable change in recent years, but the overall goal is simple: to create a more robust, transparent and sustainable regulatory framework that improves clinical safety and creates fair market access for manufacturers and healthcare professionals. For medical device manufacturers, this means moving away from a test-and-patch approach towards continuous vulnerability monitoring, with security considered throughout the entire product lifecycle.

Learn more about how Nova Leah can help you do this by visiting our solutions page.