January 7, 2020
The Medical Device Coordination Group (MDCG) published new guidance on Jan 6, 2020 to help manufacturers fulfill all the relevant cybersecurity requirements in Annex I of the Medical Devices Regulation (MDR) and In-vitro Diagnostic Medical Devices Regulation (IVDR).
New essential safety requirements
Among the many novelties introduced in the new guidance, the two Regulations enhance the focus of legislators on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks. In this respect, the new texts lay down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art, taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorized access.
The guidance, covering both premarket and post-market cybersecurity requirements, has been endorsed by the MDCG, which is composed of representatives of all EU Member States and chaired by a representative of the European Commission.
Cybersecurity-related GSPRs in MDR and IVDR
Table 1 of the MDCG guidance provides a listing of all General Safety and Performance Requirements (GSPRs) in MDR Annex I and IVDR Annex I pertaining to cybersecurity. The MDR and IVDR require manufacturers of medical devices to consider the state of the art when designing, developing and upgrading medical devices across their life cycles. Manufacturers should demonstrate the state of the art in their decisions (based on applicable standards, guidance, their own proprietary knowledge and publicly available scientific / technical information) while showing that security risk is addressed proportionately.
Some key GSPRs identified in MDR Annex I and IVDR Annex I include:
- Device performance
- Risk reduction
- Risk management systems
- Risk control measures
- Combination/connection of devices and systems
- Interactions between software and IT environments
Key cybersecurity requirements
Although all GSPRs are equally important, key requirements are documented in MDR Annex I Section 17.2 and IVDR Annex I Section 16.2. For devices that incorporate software, and for software that is a device in itself, these sections require that the software be developed and manufactured in accordance with the state of the art, taking into account the principles of the development life cycle, risk management (including information security), verification and validation. The guidance notes that the primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing. Additional security testing can be done using tools for secure code analysis and tools that scan for the open source code and libraries used in the product, to identify components with known issues.
The guidance also clarifies that at EU level, the NIS Directive (EU) 2016/1148 and the General Data Protection Regulation (EU) 2016/679 (GDPR) are relevant to the cybersecurity of medical devices or to operators dealing with protecting or processing of personal data stored in medical devices, and might apply in parallel to the MDR/IVDR regulations. Finally, at EU level, the EU Cybersecurity Act (Regulation (EU) 2019/881) that introduces for the first time an EU-wide cybersecurity certification framework for ICT products, services and processes should also be mentioned.
The new MDCG guidance further indicates convergence of cybersecurity requirements for medical devices across markets including the US, Canada, Australia and South Korea, as previously reported by Emergo by UL.
Marco Deuschler is Business Development Manager at UL’s Life & Health Sciences division.