Medical device cyber security (English)



Why is the cybersecurity of medical devices / IVDs important? 

There are regulatory, ethical and financial reasons why cybersecurity must be considered and ensured in medical devices, IVDs and their accessories. For example:

  • Compliance with regulatory requirements is the prerequisite for access to the medical device markets in all major regions, such as the USA, EU, China, Australia and UK. Among those are the European Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR), which define several cybersecurity requirements in Annex I under the “general safety and performance requirements”. The United States Food and Drug Administration (FDA), on the other hand, provides guidance documents, such as the “Postmarket Management of Cybersecurity in Medical Devices”, which explain how to fulfil the respective cybersecurity requirements.
  • Unauthorized access to a medical device might lead to severe consequences. Attacks against a medical device can put the safety of the patient at risk, with fatal consequences in certain cases. If cybersecurity risks are not effectively minimized or managed, the result could be patient harm such as injury or death, for instance through intentional malfunction of a medical device, or through its unavailability and the resulting delayed treatment.
  • Connected medical devices bring new opportunities; however, they also raise data privacy challenges in light of the global data protection regulations. These devices store and transmit very sensitive medical information that requires protection, as dictated by the European (GDPR), US (e.g. CFR 164.312) or UK (DPA18) laws and provisions.
  • Breaches could lead to expensive vigilance activities and field safety actions; negative publicity can damage trust and cost millions in regulatory penalties.

[Figure: Medical devices within an IoT system]

Regulatory bodies guidelines

Globally, there is increasing awareness of cybersecurity for medical devices among the regulatory bodies. For example, the FDA, the European Commission and Health Canada have published guidelines on how to meet cybersecurity regulations. These guidelines raise awareness of the necessity to carry out vulnerability scans, penetration tests or other security tests throughout the whole life cycle of a medical device. Securing a medical device starts in the design stages and includes

  • a secure development lifecycle process,
  • a security risk management process,
  • tests to verify and validate the “security implementations” and “security risk mitigation measures”, and
  • a security post-market process.

The primary means for the verification and validation tasks are penetration testing, vulnerability scanning and fuzz testing, security feature testing and source code review. Additional tests can be performed to identify components with known issues.


Our services to test and assess the cybersecurity of medical devices

[Figure: Lifecycle of medical devices]

Our testing labs, supported by a global team of over 750 healthcare and medical device testing experts, offer a comprehensive range of services to test and assess the cybersecurity of your medical devices. TÜV SÜD security tests are performed under accreditation according to IEC/TR 60601-4-5, ensuring the highest possible competence and expertise in medical device penetration testing. These services include:


IEC 61326-2-6:2020: What to consider for the new EMC testing of IVD devices

The latest edition of the particular EMC standard for IVD devices, “IEC 61326-2-6:2020”, has been published, and the testing approach has changed substantially compared with the previous edition.



IVDR: Fundamentals of in vitro diagnostic medical devices




JIS T 0601-1-2:2018 (Ed. 4.0), which all active medical devices must comply with

Under the Japanese Pharmaceuticals and Medical Devices Act, all active medical devices must conform to “JIS T 0601-1-2:2018 (Ed. 4.0)” from March 2023.



IEC 60601-1-2:2014+AMD1:2020 (Ed. 4.1)

We explain what manufacturers need to know when carrying out EMC testing of medical devices.



