Cybersecurity for medical devices: Official EU guidance released

On 6 January, the Medical Device Coordination Group (MDCG, a European Commission expert group) released its long-awaited guidance on cybersecurity for medical devices. The document builds on the IMDRF's work on medical device cybersecurity, to which it refers frequently, in particular the very useful IMDRF Principles and Practices for Medical Device Cybersecurity document, which is currently under consultation. The guidance covers:

  • Basic cybersecurity concepts
  • Secure design and manufacture
  • Documentation and instructions for use
  • PMS and vigilance
  • Links to other EU and international regulations and guidance
  • Annexes with examples and reference material

A lot of software, including software used for medical purposes or as part of a medical device, was never developed from the ground up with cybersecurity in mind. Even less often was it developed in the context of a proper risk management plan that accounts for all the risks arising from its use: the environment it operates in, the hardware it runs on, its dependencies on other systems, and its relationship with other legislation that also governs software or IT processes, such as the EU General Data Protection Regulation (GDPR).

This new guidance applies to all devices governed by the MDR and the IVDR, which includes standalone software that qualifies as a medical device under either regulation (see MDCG 2019-11 on the qualification and classification of software).