In December 2019, the Medical Device Coordination Group (“MDCG”) issued new guidance to help medical device manufacturers meet the cybersecurity requirements in the Medical Devices Regulation (“MDR”) and In Vitro Diagnostic Regulation (“IVDR”). The guidance elaborates on both pre-market and post-market requirements to help companies strike an adequate balance between benefit and risk during all possible operation modes of medical devices.
The MDR and IVDR require manufacturers to implement “state of the art” practices throughout the entire production cycle of medical devices. In addition, manufacturers must take into account principles of risk management including information security and IT security.
The guidance introduces and explains basic cybersecurity concepts contained in the MDR and IVDR in relation to IT security, information security and operation security.
Safety, security and effectiveness are integral design features of the security mechanisms in both medical devices and in vitro diagnostic medical devices. Manufacturers have to consider them from the early stages of development and manufacturing and throughout the lifecycle of the medical devices.
The MDCG suggests that manufacturers should evaluate how weaknesses in their cybersecurity could be exploited, including exploitation resulting from reasonably foreseeable misuse.
Manufacturers have to provide clear instructions for use to users. Instructions should include IT security features and configurations, instructions for the operating environment IT security control, product specifications, compatibilities, recommended IT security measures and IT environment configuration (e.g. traffic control).
Pre-market activities may not suffice to ensure an acceptable benefit-risk level. Manufacturers have to implement a post-market cybersecurity surveillance program to address the evolving cybersecurity risks. It should include operation of the device in the intended environment, sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors, vulnerability remediation and incident response.
The guidance concludes by clarifying that at the EU level, the GDPR ((EU) 2016/679) and the NIS Directive ((EU) 2016/1148) are both relevant to the cybersecurity of medical devices. They are also pertinent to operators who protect or process personal data in medical devices. The two legislative acts may apply in parallel to the MDR and IVDR.
Manufacturers are urged to review the cybersecurity requirements of their medical devices and product literature carefully and thoroughly to avoid running afoul of the MDR and/or IVDR.
Article co-authored by Qingxiang Toh.