4
min reading time
In the previous articles about MDR (Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices), compliance we’ve explored the topics of MDR from a cybersecurity point of view, the most common causes of vulnerabilities and their prevention and the medical device testing process. Today, in the last segment of the MDR series, we will explain the MDR compliance procedure and its possible complexities that everyone needs to know who has to conform with these regulations and obtain a CE certification. It is important to state that the cybersecurity requirements set by MDR and IVDR are identical, so whenever we write about MDR compliance, it also applies to IVDR in terms of cybersecurity obligations.
In this article we will answer the following questions:
Let’s dive right in!
Even though we’ve elaborated on this topic before in one of the previous articles of the series, let’s recap why affected manufacturers can’t ignore the requirements of the regulation.
Those manufacturers and service providers who don’t comply with the requirements of the MDR (and also IVDR) will not be able to receive the CE certification. However, the CE certification is obligatory for all companies who aim to market their products and services within the European Union. As a result, the question of compliance needs to be among the top items on their priority list, if they don’t want to lose the right of offering their medical devices to European consumers.
The process lies on the responsibilities of two main parties. These are:
If you are looking for the complete list of the notified bodies and their technical competence under the directive of 93/42/EEC for medical devices, check out this official list.
Compliance procedure steps:
The key for a successful, fast, and cost efficient certification process is deliberate preparation.
Although he goal of the certification preparation is to create processes and documentation that will be accepted by accredited notified bodies and result in successful certification there are still some complicating factors in the process:
The regulation sets out expectations for Manufacturers towards Developers, but does not provide guidance on how to make them. For example, according to the best development practices, software can be developed in many ways, but may not be secure enough for Notified Bodies. This can lead to delays or failure of certification, as the Manufacturer / Developer has carried out the implementation and documentation with a different mindset than the Notified Body.
The experience is that although many medical device and/or software Manufacturers or Developers are excellent at making medical devices, many of them are lack of cybersecurity expertise, leading to misunderstandings and not being able to provide evidence for compliance.
A deliberate preparation methodology based on internationally recognised industry standards can provide a strong foundation and confidence that the certification process will go smoothly.
A cost efficient solution to plan and execute preparation for certification is to hire cybersecurity analysts who have years of experience working with internationally recognized cybersecurity standards and certification frameworks. Cybersecurity analysts at CCLab are certified evaluators for Common Criteria, one of the most rigorous assessment framework. They know how notified bodies think, what they are expecting, and how to present information for a compliance assessment.
Medical device Manufacturers and Developers are committed to creating products and services services that help solving people’s health problems, providing them a higher quality of life. It is not their job to become a cybersecurity expert, but it is also in their interest to keep their devices and services secure for both parties.
Let our cybersecurity analysts help you with the cybersecurity perspective in your processes so you can focus on what you are the best in.
If you are looking for the easiest way out from the fairly complicated jungle of MDR compliance, get in touch with CCLab evaluation laboratory, an official partner of the QTICS medical group, to enjoy the advantages of professional guidance, consulting, education, and assessment.
In parallel with the explosive development of digitalization and online work, worrisome statistics regarding cyberattacks are expanding yearly. The outbreak of the pandemic in 2020 significantly increased the wireless security risk and contributed even more to the success of cybercriminals, as many companies had to switch to the home office or hybrid work model almost overnight without any preparation.
6
min reading time
You probably heard about Common Criteria, but you might be unsure what it means and whether you should get your product or system certified. We will go into detail about this topic so that, in the end, the concept of Common Criteria is going to be perfectly clear.
9
min reading time
According to Cynerio, a healthcare IoT cybersecurity company, 53% of connected medical equipment in hospitals has a known critical cybersecurity vulnerability. A third of bedside connected devices used in healthcare settings have an identified critical risk, which is definitely more worrying in terms of patient safety. This is just one of the many reasons why on 5th April 2017, the European Parliament voted to adopt the awaited Medical Device Regulation (MDR) and In vitro Diagnostic Regulation (IVDR). One of the most critical goals of the new Regulations is to strengthen medical device cybersecurity.
8
min reading time