Medical device cyber security

Why is medical device cyber security testing important?

There are multiple regulatory, ethical and business reasons to ensure that all digital healthcare and medical devices are thoroughly tested and secure, including:

• Compliance with regulatory requirements such as the In Vitro Diagnostic Medical Device Regulation (IVDR), the In Vitro Diagnostic Medical Device Directive (IVDD), the Medical Device Regulation (MDR), Medical Device Directive (MDD), and the Active Implantable Medical Device Directive (AIMDD) in the EU; as well as the regional requirements of the US FDA, China FDA and the Japan Ministry of Health and Welfare
• Unauthorised access to medical devices could result in death or severe injury, so manufacturers and medical device procurement teams must ensure the technology is secure
• Privacy is extremely important for patient confidentiality – a breach would undermine that privacy

Failing to ensure medical device cyber security could lead to significant reputational damage for device manufacturers and healthcare organisations that use insecure technology 

Vulnerability scans and penetration tests: What you need to know

The FDA, EU and Health Canada are working on standards and guidance documents that will indicate the need to consider vulnerability scans and penetration tests during the development of medical devices. To prevent the need for rework; some of the requirements should be tested early in the process. We address some frequently asked questions here to keep you informed on the latest developments.

TÜV SÜD’S medical device cyber security testing and assessment services

TÜV SÜD’s test labs offer you a comprehensive set of assessment and testing activities related to the cyber security of your medical device. These include:

Concept assessment

• Assessment of the cyber security concept against requirements from UL-2900-2-1, IEC 62443-4-2 or TÜV SÜD Johner checklist
• Written report covering the concept
• Optional vulnerability scan

Compliance assessments

• Validate compliance standard(s)
  • UL 2900-2-1
  • IEC 62443-4-2 (the basis of the upcoming IEC/TR 60601-4-5)
• Detailed test report
• Optional: report against FDA pre-market-requirements
• Compliance audit
• Vulnerability scan including manual tests
• Penetration tests based on OWASP IoT (e.g. insufficient privacy protection, lack of secure update mechanism, insecure network services, insecure data transfer and storage)

Customised solutions

• Identify additional requirements for the products that are not covered in the standards
• Develop customised test methods
• Assess vendor specific security solutions e.g. for hospitals

Contact TÜV SÜD to secure your networked medical device 

TÜV SÜD is a world leader in cybersecurity testing and has worked with medical device manufacturers around the world to assess the quality and safety of their devices. We have extensive experience of conducting testing on a wide range of networked medical devices. Our assessments are based on IEC 62443-4-2, UL-2900-2-1 (based on UL-2900-1), a TÜV SÜD internal checklist and the FDA guidance; thus aiding your compliance to regulations and access to global markets.

Have questions?

Read the top frequently asked questions on cyber security of medical devices.