Cybersecurity in medical Devices

Technological innovations in medical devices bring new opportunities. However, they also raise data privacy and security challenges. These devices store and transmit very sensitive medical information that requires protection. In addition, any device that allows for data transfer via LAN/WLAN, USB or proprietary interface is potentially a cybersecurity risk.

Therefore, there are regulatory, ethical, and financial reasons why you must ensure cybersecurity in your medical devices. Unauthorised access to a medical device might lead to severe consequences. Attacks against a medical device can put a patient's safety at risk, fatally in some cases.

As a result, prior to submitting the medical device, it is essential to conduct a thorough assessment of potential cybersecurity risks, meticulously analyse identified vulnerabilities, and implement the necessary mitigations to ensure comprehensive security compliance.

This is a prerequisite to access all major medical device markets such as USA, EU, China, Australia UK etc. Among the relevant regulations are the European Medical Device Regulation (MDR) and In Vitro Diagnostics \ Medical Device Regulation (IVDR), which defines several cybersecurity requirements in Annex I of the regulation under the “general safety and performance requirements”.

Similarly, the United States Food and Drugs Administration (FDA) provides guidance documents, such as the “Post market Management of Cybersecurity in Medical Devices”, which explain how to fulfil the respective cybersecurity requirements. Laws to protect sensitive data include GDPR in Europe, CFR 164.312, and others in the US, and DPA18 in the UK.

In light of all the above regulatory requirements, TÜV SÜD provides a comprehensive range of cybersecurity services, ranging from training to concept evaluation to testing & assessing regulatory compliance.

The threat landscape is fast evolving with new threats emerging rapidly. If manufacturers do not effectively minimise or manage cybersecurity risks, compromised medical devices could cause patient harm such as injury or death. For instance, a bad action can intentionally cause malfunction of a medical device, or its unavailability and delayed treatment. Misdiagnoses and improper treatments may also arise. 

For this reason, regulatory guidelines raise awareness on the need to carry out vulnerability scans, penetration tests and other security tests throughout the whole life cycle of medical devices. While regulators in every major medical device marked increase their awareness and focus on these risks. 

Cybersecurity breaches could lead to expensive vigilance activities and field safety actions. Negative publicity can damage the trust and cost a lot in regulatory penalties. Thorough due diligence in regard to cybersecurity and implementation of the appropriate actions, can avoid these complications and build trust in your products.

TÜV SÜD’s testing labs are supported by a global team of experts from the fields of healthcare regulation, medical device development, and cyber security testing. Prior to working at TÜV SÜD, most of our experts have been working in the industry and know first-hand what is relevant for secure processes in organisations to create products that are cyber secure. We offer a comprehensive range of knowledge and services to test and assess the cybersecurity of your medical devices. 

Our services span every stage of the medical device lifecycle from concept evaluation during product design and development, to penetration testing and fuzzing with the final product increment.  

All our cybersecurity services follow the relevant cybersecurity standards for medical devices, guidance papers, and the state of the art. This ensures a high competence and knowledge in medical device cybersecurity. 

Our testing and evaluation services ensure that your medical devices comply with the latest standards, guidance, and state of the art, for cybersecurity in medical devices, can ensure regulatory compliance and security in a rapidly changing landscape.

We provide a variety of services to ensure the safety, security, and assessing regulatory compliance of your medical devices.

TÜV SÜD's certification and testing services are independent of each other and do not impact one another. Our certification services are delivered by TÜV SÜD's recognized Certification Bodies, while our testing services are conducted through TÜV SÜD Testing Labs. 

Penetration tests and fuzz testing 

A penetration test simulates a cyber-attack to evaluate the security status of the medical device/software. The aim is to identify unknown weaknesses found during manual tests.

You can use the TÜV SÜD pen-test report as objective evidence for the cybersecurity in your medical device. If required you can further use this evidence in your technical documentation for your medical device submission. 

The services include:  

• Penetration tests performed according to the best practice from all major frameworks (such as OSSTM, PTES, NIST 800-115, ISSAF and OWSAP).
• Broad variety of possible test protocols, interfaces and platforms for Fuzzing and Penetration testing.   
• Identification of extra testing requirements not covered by the standards listed above.   
• Development of product-specific testing methods. 

Assessment of provider-specific security solutions.

Cybersecurity trainings

We provide trainings to bring awareness and understanding of cybersecurity in medical devices. We equip development and engineering teams with the knowledge to design, build, and maintain secure medical devices that adhere to requirements defined in regulatory frameworks such as:  

• European requirements such as MDCG 2019-16. 

• EU MDR/IVDR Security Requirements.
• US FDA requirements such as FDA QSR.
• Pre-market management of cybersecurity.
• Post-market management of cybersecurity.
• Cybersecurity for networked medical devices.

Furthermore, trainings can be provided to understand the implementation of cybersecurity in medical devices according to international standards such as:  

• IEC TR 60601-4-5 Medical device cybersecurity. 
• ISO 14971:2019 Medical device risk management.  

Concept evaluations 

We provide thorough evaluations of device designs and concepts, ensuring security is integrated from the earliest stages of development, minimising risks as devices move through production. The concept evaluations aim to identify cybersecurity gaps by assessing against international/harmonised standards, cybersecurity state-of-the art and regulatory requirements such as:  

• IEC TR 60601-4-5 Medical device cybersecurity. 
• ISO 14971:2019 Medical device risk management.  
• IEC 81001-5-1 Security – Activities in the product life cycle. 
• MDCG 2019-16 Medical device cybersecurity. 
• US FDA requirements such as: 
• FDA QSR
• Pre-market management of cybersecurity.
• Post-market management of cybersecurity.
• Cybersecurity for networked medical devices

Vulnerability scans and static/dynamic code analysis 

The objective of vulnerability scans is to identify and detect known weaknesses in computers, networks or applications (programs). The aim is to perform remediation activities once critical vulnerabilities are identified by the manufacturer. The benefit of this approach is to close vulnerability gaps and maintain strong security in medical devices.  

The services include: 

• Vulnerability scans (e.g., network scanning, web-application scanning, firmware/software scanning) with documentation and grading of the identified vulnerabilities in a vulnerability assessment report. 
• Static and dynamic code analysis.