Identify cybersecurity vulnerabilities and ensure compliance with global regulations
Compliance with the cybersecurity regulatory requirements for medical devices and IVDs is the prerequisite for accessing the medical device and IVD markets in all major regions, such as the USA, EU, China, Australia and UK. Independent of the region, regulatory bodies are increasingly aware of cybersecurity for medical devices and IVDs. Consequently, they have published guidelines on how to meet cybersecurity regulations, which include the necessity to carry out vulnerability scans, penetration tests, or other security tests throughout a medical device’s or IVD medical device’s entire life cycle.
Securing a medical device or IVD medical device must therefore start during the design stage and includes:
Security testing is the primary means to fulfil these verification and validation tasks. This includes vulnerability scanning, source code review, fuzz testing and medical device penetration testing. Additional tests can also be performed to identify components with known issues.
It is vital that the medical intended use is fully understood and considered during security testing. This is particularly important because security requirements often conflict with the clinical performance of a medical device or IVD. For example, requiring two-factor authentication before a defibrillator can deliver a shock would reduce the clinical performance and usability of the device. To successfully perform security tests on medical devices and IVDs, a deep understanding of both cybersecurity and medicine is therefore necessary.
The growth of digital innovation has increased the attack surface of connected medical devices and IVD medical devices and hence the importance of cybersecurity. It is therefore essential that manufacturers consider the state of the art and relevant standards such as IEC 81001-5-1 and IEC TR 60601-4-5.
It is also important to remember that security testing is a dynamic process that continues to evolve. A device that was secure against the vulnerabilities covered by a security test at a specific point in time may cease to be so rapidly, as new security vulnerabilities and attack vectors emerge. Likewise, after software updates, a vulnerability scan or penetration test should be repeated at least in part. Security-related tests of the changes themselves, together with regression tests showing that the change did not negatively impact the cybersecurity of the device, are also vital.
TÜV SÜD’s medical device and IVD medical device security testing services include:
Vulnerability scanning will enable you to understand the known vulnerabilities of your medical device or IVDs, so you can take action to mitigate against them. By implementing a proactive approach that closes cybersecurity gaps, you can maintain the security of your medical devices and IVDs, as mandated by the Medical Device Regulation, In Vitro Diagnostic Regulation, MDCG 2019-16, and the FDA’s cybersecurity guidance documents.
Static/dynamic code analysis enables a manufacturer to support secure coding by creating an automated feedback loop in the early development stages. Prompt detection and remediation of weaknesses reduce the likelihood of changes being required in later product development phases and minimise costs.
Fuzzing covers many vulnerabilities that might be exploited by hackers and determines if the medical device or IVD medical device can handle such unexpected inputs, as well as identifying serious defects and vulnerabilities that would be missed by human eyes. This gives assurances that a manufacturer has considered the primary technique used by hackers to identify software vulnerabilities.
Medical device penetration testing identifies previously unknown vulnerabilities in a medical device or IVDs. A report provides manufacturers with independent evidence of the effectiveness of their cybersecurity risk mitigation measures. These can be part of the technical file given to notified bodies and regulators.
TÜV SÜD has more than 20 years of experience in medical device and IVD medical device cybersecurity. Our testing laboratories, supported by a global team of over 750 healthcare and medical device testing experts, offer a comprehensive range of services to test and assess the cybersecurity of your medical devices and IVDs. We provide a one-stop solution for medical device and IVDs manufacturers, including electrical safety testing, software assessment, biocompatibility and EMC services.
As experts in IT security and data protection, we perform security tests under accreditation according to ISO/IEC 17025 and IEC TR 60601-4-5. Our teams of cyber security specialists also ensure that they remain up to date with the latest cybersecurity breaches and hacking techniques, helping you future-proof your devices.