According to Cynerio, a healthcare IoT cybersecurity company, 53% of connected medical equipment in hospitals has a known critical cybersecurity vulnerability. A third of bedside connected devices used in healthcare settings has an identified critical risk, which is even more worrying from a patient-safety perspective. This is just one of the many reasons why, on 5 April 2017, the European Parliament voted to adopt the long-awaited Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). One of the most important goals of the new Regulations is to strengthen medical device cybersecurity.
In our article below, we provide a detailed insight into the European Medical Device Regulation and review it from a cybersecurity perspective. In addition, we introduce our comprehensive conformity assessment solutions at CCLab for numerous standards related to medical devices' cybersecurity resilience including MDR.
The European Medical Device Regulation (MDR 2017/745) was published on 5 May 2017 and came into effect in May 2021. MDR has replaced the existing Medical Device Directive (MDD) and the Active Implantable Medical Device Directive (AIMD).
With the replacement of previous regulations governing medical devices in the EU by MDR 2017/745, medical device manufacturers are mandated to reassess their products for compliance.
Medical Device Regulation introduces several significant enhancements to medical device conformity evaluation with the aims of:
Beyond the many new essential requirements it introduces, MDR sharpens the legislator's focus on ensuring that devices placed on the EU market are prepared for the increased technical challenges posed by cybersecurity risks. MDR establishes new essential security requirements, within the European Union, for all medical devices that incorporate electronic programmable systems and for software that is itself a medical device.
The main reason cybersecurity is given such high priority is the growing threat of cyberattacks on digital health services, medical networks, and devices. Furthermore, cyberattacks are becoming not only more common but also more sophisticated.
MDR covers both premarket and postmarket cybersecurity requirements and has been endorsed by the Medical Device Coordination Group (MDCG), which is made up of representatives of all EU Member States. The Regulation requires medical device manufacturers to develop and produce their devices in line with the current state of the art, taking into account risk management principles including cybersecurity, and to establish minimum requirements for IT security measures.
Certificates issued under the former directive (so-called MDD certificates) remain valid until their original expiry date or May 26, 2024, whichever comes first. Manufacturers and vendors can therefore continue to sell MDD-certified equipment until May 26, 2024 at the latest; however, this applies only to MDD-certified devices that have not undergone substantial changes. If a device is significantly modified, its certificate must be migrated to MDR before the modified device is placed on the market.
Note: The EU Health Commissioner, Stella Kyriakides, has proposed plans to delay the deadline for MDR certification to 2027 for high-risk devices and 2028 for medium- and low-risk devices. The European Parliament will most likely decide on the plans in January 2023.
Describing the implementation of the entire regulation would be extremely long, so we have highlighted the most essential steps from the process, which apply to all medical device manufacturers:
How far these changes affect a manufacturer's or developer's processes depends on the type of network-connected medical device or IoMD/IoMT being manufactured or developed. In any case, significant changes to the compliance process, quality management system, and technical documentation are expected to be necessary in order to meet the requirements of the Regulation.
According to MDR, while managing cybersecurity over the whole lifespan of a medical device, the following areas should be the main focus:
The evaluations and testing that companies have to go through to get the MDR Certification required to launch network-connected medical devices on the European market are the following:
Without the above assessments, vendors and manufacturers run a higher risk of failing certification, which costs them not only money but also time, stress, and disrupted processes.
There are 3 parties involved in an MDR Certification compliance process:
The MDR certification process is fairly complex, so we suggest collaborating with a third-party specialist for professional support.
Alongside our other network-connected medical device cybersecurity services, we are well prepared and experienced to support your MDR project end to end. We can advise you right away and help you prepare for your medical device's or system's MDR compliance process as effectively as possible. Our services include gap analysis, risk assessment, and preparation for certification.
We provide "zero to hero" and integration services to help you achieve MDR cybersecurity compliance. As our client, you receive guidance all the way from product design and development through to MDR certification, based on internationally recognised standards. Our integration services can build on your existing management system (provided it complies with the relevant industry standards), so that you can reuse your already implemented processes instead of having to develop new ones.
Although today's smart medical devices are technologically robust and sophisticated, they may still have cybersecurity issues and vulnerabilities. The majority of security defects result from insufficient development practices, incorrect functionality, infrequent updates, or poor user behaviour. This is where MDR comes into the picture: one of the most important goals of the Regulation is to reduce potential and existing cybersecurity risks while keeping patients and professionals safe.
Complying with MDR may appear difficult at first, but you can count on CCLab’s professional support along the road until successful certification. Contact us if you are looking for a reliable and experienced partner to help with your Medical Device Security project.