EMERGO SUMMARY OF KEY POINTS:

• South Korea’s Ministry of Science and ICT has published new guidelines for medical device cybersecurity risk management.
• The guidelines reference UL 2900, US FDA cybersecurity guidance and related standards and recommendations in place in other medical device markets.

In a sign that medical device market regulators are moving toward a uniform approach to cybersecurity risk management, the South Korean government has published new guidelines referencing the UL 2900 cybersecurity standard as well as US Food and Drug Administration recommendations.

The new guidelines (link in Korean), “Cyber Security Guide for Smart Medical Service,” were issued by the South Korean Ministry of Science and ICT. Although the guidelines only provide recommendations to medical device manufacturers and healthcare providers for managing cybersecurity risk, they will likely pave the way for full-blow cybersecurity regulations from the Ministry for Food and Drug Safety (MFDS) and other South Korean agencies.

Same-page approach to medical device cybersecurity management

The guidelines reference the UL 2900 medical device cybersecurity standard, which US FDA now recognizes as a consensus standard for use by US market applicants. By incorporating UL 2900 as well as other established cybersecurity references and standards—ISO/IEC 27002, NIST 800-53 and FDA cybersecurity guidance documents—South Korean regulators are indicating a same-page approach regarding recommendations and requirements for MFDS registrants with network-connected devices as well as hospitals and healthcare providers to manage these vulnerabilities.

Related South Korean medical device regulatory resources:

• South Korea MFDS medical device registration consulting
• South Korea KGMP quality management system compliance
• Cybersecurity testing support for network-connected medical devices and software
•