Medical devices and IVDs cybersecurity

Undergoing tests is a critical step in the process of transforming an innovative design into a reliable and marketable product

Undergoing tests is a critical step in the process of transforming an innovative design into a reliable and marketable product

Why is the cybersecurity of medical devices / IVDs important? 

There are regulatory, ethical and financial reasons why cybersecurity must be considered and ensured in medical devices, IVDs and their accessories. For example:

  • Compliance to regulatory requirements are the prerequisite to access the medical device markets in all major regions such as USA, EU, China, Australia and UK. Among those are the European Medical Device Regulation (MDR) and In Vitro Diagnostics Medical Device Regulation (IVDR), which defines several cybersecurity requirements in annex I of the regulation under the “general safety and performance requirements”.  The United States Food and Drugs Administration (FDA) on the other hand provides guidance documents, such as the “Postmarket Management of Cybersecurity in Medical Devices”, which explains how to fulfil the respective cybersecurity requirements. 

  • Unauthorized access to a medical device might lead to severe consequences. Attacks against a medical device can put at risk the safety of the patient, with fatal consequences in certain cases. If cybersecurity risks are not effectively minimized or managed, it could potentially result in patient harm such as injury or death, for instance by intentional malfunction of a medical device or its unavailability and delayed treatment.
  • Connected medical devices bring new opportunities to medical devices, however, they also rise data privacy challenges in light of the global data protection regulations. These devices store and transmit very sensitive medical information that requires protection, as dictated by the European (GDPR), US (e.g. CFR 164.312) or UK (DPA18) laws and provisions.
  • Breaches could lead to expensive vigilance activities and field safety actions; negative publicity can damage trust and cost millions in regulatory penalties

Regulatory bodies guidelines

Globally, there is an increasing awareness of cybersecurity for medical devices from the regulatory bodies. For example, the FDA, the European Commission and Health Canada have published guidelines on how to meet cybersecurity regulations. These guidelines rise awareness on the necessity to carry out vulnerability scans, penetration tests or other security tests throughout the whole life cycle of a medical devices. Securing a medical device starts in the design stages and includes

  • a secure development lifecycle process,
  • security risk management process,
  • tests to verify and validate the “security implantations” and “security risk mitigation measures” and
  • a security post market process.

The primary means for the verification and validation tasks are penetration testing, vulnerability scanning and fuzz testing, security feature testing and source code review. Additional tests can be performed to identify components with known issues.

Stay updated on the latest developments with our Frequently Asked Questions

Our services to test and assess the cybersecurity of medical devices

Our testing labs, supported by a global team of over 750 healthcare and medical device testing experts, offer a comprehensive range of services to test and assess the cybersecurity of your medical devices. TÜV SÜD security tests are performed under accreditation according to IEC/TR 60601-4-5 ensuring the highest possible competence and expertise in medical device penetration testing. These services include:

  • Cybersecurity Trainings

    Trainings are provided to bring awareness and understanding of cybersecurity in medical devices. The objective of the training is to understand requirements defined in regulatory frameworks such as:

    • European requirements such as MDCG 2019-16
    • US FDA requirements such as
      • FDA QSR
      • Pre-Market Management of Cybersecurity
      • Post-Market Management of Cybersecurity
      • Cybersecurity for networked medical devices
    • Chinese NMPA
    • On Demand trainings for local frameworks such as Japanese, Singaporean, Brazil and Korean

     Furthermore, trainings can be provided to understand the implementation of Cybersecurity in medical devices according to international standards such as:

    • IEC TR 60601-4-5 Medical device Cybersecurity
    • ISO 14971:2019 Medical device Risk Management
    • ISO 62443-3-2 Security for industrial automation

  • Concept evaluations

    The concept evaluations aim to identify cybersecurity GAPs by assessing against international/harmonized standards, cybersecurity state-of-the art and regulatory requirements such as:

    • IEC TR 60601-4-5 Medical device Cybersecurity
    • IEC 81001-5-1 Security - Activities in the product life cycle
    • ISO 62443-3-2 Security for industrial automation
    • MDCG 2019-16 Medical device cybersecurity
    • Pre-Market Management of Cybersecurity
    • Post-Market Management of Cybersecurity
    • Cybersecurity for networked medical devices

     

  • Vulnerability Scans / Assessment and Static / dynamic code analysis

    The objective of vulnerability scans is to identify and detect known weaknesses in computers, networks or applications (programs). The aim is to perform remediation activities once critical vulnerabilities are identified by the manufacturer. The benefit of this approach is to close Vulnerability Gaps and maintain strong security in medical devices 

    The services include:

    • Vulnerability scans (e.g., Network scanning, Web-Application Scanning, Firmware/software scanning) with documentation and grading of the identified vulnerabilities in a vulnerability assessment report.
    • Static and dynamic code analysis including a dedicated test report with grading of the vulnerabilities
  • Penetration Tests and fuzz testing

    The objective of a penetration test is to simulate a cyber attack to evaluate the security status of the medical device/software. The aim is to identify unknown weaknesses found during manual tests. Test report results can be used as an objective evidence for the effectiveness of cybersecurity in a medical device (similar to a 60601-1 report being used as an objective evidence for the safety of a medical device).

    The services include:

    • Penetration tests at TÜV Süd are performed according to the best practice from all major frameworks (such as OSSTM, PTES, NIST 800-115, ISSAF and OWSAP)
    • Penetration testing and fuzz testing are performed under DAkkS accreditation for medical device cybersecurity according to IEC/TR 60601-4-5 considering the basic safety and essential performance of a medical device.
    • Identification of extra testing requirements not covered by the standards listed above
    • Development of product-specific testing methods
    • Assessment of provider-specific security solutions

EXPLORE

Cyber security for medical devices
Webinar

Cyber security of medical devices

Managing the challenges and risks relating to cyber security

Learn more

IEC 81001-5-1 cybersecurity for medical device
White paper

IEC 81001-5-1 for Medical Device Cybersecurity

Understand the state of medical device cybersecurity and requirements of IEC 81001-5-1, and how TÜV SÜD can support manufacturers in product development activities.

Learn More

AI in medical devices

Artificial Intelligence in Medical Devices

Verifying and validating AI-based medical devices

Learn More

VIEW ALL RESOURCES

Next Steps

Site Selector