Introduction: Cybersecurity Requirements and EU MDR 2017/745
In the last decade, the role of cybersecurity has increased substantially in the medical device sector. New guidelines defining cybersecurity requirements appeared, first from the FDA and then from the EU following the publication of EU MDR 2017/745.
In this post I want to focus on the cybersecurity requirements related to the EU MDR. Annex I of the regulation contains cybersecurity-related requirements covering both pre-market and post-market aspects. Below is a summary of these requirements:
The guideline then provides an overview of all the main cybersecurity requirements related to the MDR. In this post I want to focus specifically on the two most important concepts:
- Security by Design
- Security Risk Management
EU MDR Requirements related to Security By Design
Security by design is one of the items that contribute to so-called security management, which includes:
- Guidelines about security
- V&V testing to ensure security
- Security By Design
- Specification of Security Requirements
- Secure Implementation
The goal of security by design is to ensure that the product is secure from an IT point of view.
EU MDR Requirements related to Security Risk Management
The security risk management process has the same elements as the safety risk management process, all documented in a security risk management plan. The process elements are the standard elements of any risk management process: security risk analysis, security risk evaluation, security risk control, evaluation of residual security risk, and reporting.
When a security risk or control measure can have an impact on safety and effectiveness, it is included in the safety risk assessment. Similarly, any safety risk control or consideration that can have an impact on security is included in the security risk analysis.
The application of security risk management is summarised in the scheme below:
The guidelines report in detail all the aspects related to cybersecurity according to EU MDR 2017/745. This is of fundamental importance, especially considering the increasing number of digital medical devices.
In upcoming posts we will also discuss the cybersecurity requirements guidelines provided by the FDA and by other regulatory agencies.
In conclusion, cybersecurity requirements play an important role in the medical device sector and particularly in the new medical device regulation, including the general regulation for the QMS. In fact, it makes sense to include a review of cybersecurity incidents within the management review.