New Guidance Targets Device Cybersecurity Under MDR, IVDR

Posted 06 January 2020 | By Zachary Brennan 

The Medical Device Coordination Group (MDCG) on Monday unveiled new guidance to help manufacturers fulfill all the relevant cybersecurity requirements in Annex I of the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).

The 47-page guidance, which aligns with cybersecurity guidance from the International Medical Device Regulators Forum, explains both the premarket and postmarket requirements to help companies ensure an adequate balance between the benefits and risks during all of a device’s possible operation modes.

MDCG notes that manufacturers should foresee or evaluate the potential exploitation of cyber vulnerabilities that may be a result of “reasonably foreseeable misuse.”

“This, however, may depend on the specific situation. For example, using an unsecured memory-stick to enter data into a medical IT system can be considered ‘reasonably foreseeable misuse’, while the input of x-ray images via a CD may be considered ‘intended use’. Due to the huge variety of use environments, this decision may even depend on the specific installation and use environment,” the guidance says.

MDCG also calls for companies to include security issues in the risk assessment, even in cases where security is not stated explicitly in the regulations’ requirements.

“Security issues may be of both weak and/or restrictive security: a) Weak security: for example, weak access control may allow malicious modification of the operation of an implanted cardiac device. b) Restrictive security: the use of too restrictive security measures that provide a high level of protection may have a safety impact, especially if the security functionalities are not well designed. For example, during an emergency, the medical personnel must be able to access an implanted cardiac device without restrictions, but strong security measures need to be in place under normal operating conditions,” the guidance says.

On the postmarket side, the guidance also discusses how manufacturers will need to share and disseminate cybersecurity information and vulnerabilities, and how they should respond to vulnerabilities and incidents. Annex II of the guidance distinguishes between incidents and serious incidents from the point of view of cybersecurity.

For example, an unauthorized person’s ability to overwhelm a pacemaker with requests and cause premature battery depletion would be considered a serious incident.

New Notified Body Designations and Rolling Plan

In addition to the new guidance, the European Commission also listed Germany’s notified body (NB) Medcert as designated under MDR. Medcert is the ninth NB to be designated and the fourth from Germany.

BSI in the Netherlands was also designated under IVDR before the holiday break, which makes it the third NB to be designated under both MDR and IVDR. European Commissioner for Health Stella Kyriakides said last month that 20 NBs will be designated by the first quarter of 2020.

Also in December, the European Commission updated its MDR/IVDR implementation rolling plan, noting that in Q1 of this year, new implementing acts will be coming on the reprocessing of single-use devices, common specifications for Class D IVDs and the rules to facilitate the fulfillment of tasks by EU reference laboratories.

Other implementing acts are also expected by Q2 (Eudamed) and Q4 (fees for expert panel services).

MDCG 2019-16 - Guidance on Cybersecurity for medical devices
