Does a Vulnerability Scan and Penetration Test That Do Not Reveal Any Findings Indicate That My Device is Secure?

No, the lack of findings does not indicate that the device is secure. Keep in mind that cyber security must be based on a well-structured development process plus tests.

Is There a Law That Requires a Vulnerability Scan To Be Conducted?

No, there are no laws that requires it to be conducted. However, most guidance documents and standards indicate that such a scan should be considered. This means that you should have good arguments in the event you decide to skip it. The same applies for penetration tests.

Do I Have to Repeat a Vulnerability Scan Or Penetration Test After Each Software Change?

You must consider security related tests regarding to the change as well as regression tests which show that your change did not have a negative effect on the cyber security of your device. In most cases a vulnerability scan or penetration test should be repeated; at least partly.

Can I Conduct The Vulnerability Scan and Penetration Test On My Own?

Yes, you can conduct these tests on your own but you need to have the appropriate competences within your organization. Nonetheless, it helps to have a second pair of eyes on your devices.

Why Should I Use a 3rd Party For a Cyber Security Assessment?

The most important argument for a 3rd party assessment is the impartiality of the 3rd party provider. Depending on the provider you choose; you may also benefit from a provider with a broader knowledge.

Cybersecurity Requirements for Medical Devices

Why Cybersecurity is Important for Medical devices

There are regulatory, ethical and financial reasons to ensure the cyber security of medical devices and their accessories. For example:

Regulatory requirements have to be met before medical products can be launched in different markets. This includes both European regulatory requirements such as the In Vitro Diagnostic Regulation (IVDR), the Medical Device Regulation (MDR), the In Vitro Diagnostic Directive (IVDD), the Medical Devices Directive (MDD) and the active implantable medical devices directive (AIMDD), as well as non-European regulatory requirements set by the United States Food and Drugs Administration (FDA), the Chinese National Medical Products Administration (NMPA), the Canadian Health Ministry (Health Canada) and the Japanese Ministry of Health, Labor and Welfare (MHLW).

Cybersecurity for Medical Devices Within an IoT System

If unauthorized access is gained to a medical device, there can be severe consequences. That is why it's crucial for cybersecurity risks to be considered both during both the development phase as in the procurement and installation of medical devices.
Patient privacy within the framework of the doctor-patient relationship is extremely important and could be compromised in a data breach.

Device manufacturers and health organizations that use unsecure technology and fail to guarantee the cyber security of their medical devices pay heavy penalties, both financially and in terms of their reputation.

Our services to test and assess the cybersecurity of medical devices

Globally, there is an increasing awareness of cybersecurity for medical devices from the regulatory organizations. For example, the FDA, the European Commission and Health Canada have published guidelines on how to meet cybersecurity regulations. These guidelines specify whether it is necessary to carry out vulnerability scans or penetration tests during the development of medical devices. It is better to implement the cybersecurity requirements early in the development process rather than having to include and integrate these requirements to the finished product.

Our testing labs offer a comprehensive range of services to test and assess the cybersecurity of your medical devices.

These Include:

System testing
- Assessment of the cybersecurity system against MDCG 2019-16 (MDR, IVDR), the UL 2900-2-1 or IEC/TR 60601-4-5 standards or an internal TÜV SÜD checklist
- Optional vulnerability scan
Compliance assessments
- Testing against the standards
  - UL 2900-2-1
  - IEC/TR 60601-4-5
- Detailed test report
- Optional: report on compliance with FDA pre-market requirements or MDCG 2019-16 guidelines
- Compliance audit
- Vulnerability scan including manual tests
- Penetration tests in accordance with OWASP IoT (e.g. insufficient privacy protection, security risks in updating systems, unsecure network services, unsecure data transfer and storage)
Tailor-made cyber security tests
- Identification of extra testing requirements not covered by the standards listed above
- Development of product-specific testing methods
- Assessment of provider-specific security solutions

FREQUENTLY ASKED QUESTIONS ABOUT CYBERSECURITY FOR MEDICAL DEVICES

Does a Vulnerability Scan and Penetration Test That Do Not Reveal Any Findings Indicate That My Device is Secure?

No, the lack of findings does not indicate that the device is secure. Keep in mind that cyber security must be based on a well-structured development process plus tests.
Is There a Law That Requires a Vulnerability Scan To Be Conducted?

No, there are no laws that requires it to be conducted. However, most guidance documents and standards indicate that such a scan should be considered. This means that you should have good arguments in the event you decide to skip it. The same applies for penetration tests.
Do I Have to Repeat a Vulnerability Scan Or Penetration Test After Each Software Change?

You must consider security related tests regarding to the change as well as regression tests which show that your change did not have a negative effect on the cyber security of your device. In most cases a vulnerability scan or penetration test should be repeated; at least partly.
Can I Conduct The Vulnerability Scan and Penetration Test On My Own?

Yes, you can conduct these tests on your own but you need to have the appropriate competences within your organization. Nonetheless, it helps to have a second pair of eyes on your devices.
Why Should I Use a 3rd Party For a Cyber Security Assessment?

The most important argument for a 3rd party assessment is the impartiality of the 3rd party provider. Depending on the provider you choose; you may also benefit from a provider with a broader knowledge.