Introduction: Cybersecurity Requirements and EU MDR 2017/745

In the last decade, the role of cybersecurity has increased substantially in the medical device sector; new guidelines defining cybersecurity requirements appeared, first from the FDA and then from the EU following the publication of EU MDR 2017/745.

In this post we want to focus on cybersecurity requirements for medical devices in relation to EU MDR 2017/745. Annex I of the regulation contains cybersecurity-related requirements for both pre-market and post-market aspects. Below is a summary of these requirements:

Cybersecurity requirements

The guideline then provides an overview of all the main cybersecurity requirements for medical devices related to the MDR. In this post I want to focus specifically on the two concepts which are the most important ones:

  • Security by Design
  • Security Risk Management

Security by design is one of the items that contribute to the so-called security management, which includes:

  • Guidelines about security
  • V&V Testing to ensure security
  • Security By Design
  • Specification of Security Requirements
  • Secure Implementation

The goal of security by design is to make sure that the product is secure from an IT point of view.

The security risk management process has the same elements as the safety risk management process, all documented in a security risk management plan. The process elements are the standard elements of any risk management process: security risk analysis, security risk evaluation, security risk control, evaluation of residual security risk, and reporting.

When a security risk or control measure can have an impact on safety and effectiveness, then it is included in the safety risk assessment. Similarly, any safety risk control or consideration that can have an impact on security is included in the security risk analysis.

The application of security risk management is summarised in the scheme below:

Security Risk Management

The guidelines report in detail all the aspects related to cybersecurity for medical devices according to EU MDR 2017/745. This is of fundamental importance, especially considering the increasing number of digital medical devices.

In upcoming posts we will also discuss the cybersecurity requirements guidelines provided by the FDA and by other regulatory agencies.

In conclusion, cybersecurity requirements play an important role in the medical device sector and particularly in the new medical device regulation, including the general requirements for the QMS. In fact, it makes sense to include a review of cybersecurity incidents within the management review and to perform internal audits covering cybersecurity management.

For companies where information security plays a major role, the ISO 27001 certification process shall be pursued to achieve a high level of compliance on data security related topics.
