Cybersecurity Vulnerabilities in Medical Devices: FDA Alerts on Contec and Epsimed Monitors

Dr Clare Dixon

The FDA recently issued a safety communication to raise awareness of cybersecurity vulnerabilities in the Contec CMS8000 patient monitor and the Epsimed MN-120 patient monitor which may put patients at risk when connected to the internet.

These vulnerabilities, which include a software backdoor, could compromise digital security and pose significant risks to patients when the devices are connected to the internet. As more medical devices become internet-connected, this development underscores the critical importance of robust cybersecurity measures in protecting patient safety and data.

While the FDA’s warning highlights the risks, the EU Medical Device Regulations (MDR) and In-Vitro Diagnostic Medical Device Regulation (IVDR) introduced stricter safety requirements to address such challenges. These regulations apply to medical devices that incorporate electronic programmable systems and software, which are now classified as medical devices themselves. Manufacturers must design and manufacture devices in accordance with the state of the art by applying risk management principles, including information security. Additionally, the regulations establish minimum IT security requirements, including protection against unauthorised access.

In this article we discuss cybersecurity requirements of the EU MDR and IVDR and summarise the Medical Device Coordination Group (MDCG) guidance document - MDCG 2019-16 Rev 1: Guidance on Cybersecurity for medical devices.

What is cybersecurity?

In ISO 81001-1, cybersecurity is defined as:

a state where information and systems are protected from unauthorised activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle”.

What guidance does the MDCG 2019-16 Rev 1 provide?

The MDCG 2019-16 Rev 1 provides guidance on fulfilling the general safety and performance requirements of Annex I of the EU MDR and IVDR concerning cybersecurity. It emphasises a “secure by design” approach, integrating cybersecurity into every stage of a medical device’s lifecycle. This includes:

  • Security Risk Management: Manufacturers must establish a process to identify, evaluate, and mitigate cybersecurity risks, aligning with the overall risk management system required by the MDR.
  • Security Capabilities: Devices should incorporate essential security features such as authentication, encryption, and malware protection, tailored to their intended use and operational environment.
  • Minimum IT Requirements: Manufacturers must define and communicate the minimum IT security requirements for the device’s operating environment, including hardware and network characteristics, to ensure baseline protection.

The guidance also addresses the complex medical device supply chain, providing supplementary considerations for actors other than manufacturers. Additionally, it includes an annex outlining other EU and global legislation and guidance relevant to cybersecurity.

What are the cybersecurity requirements contained in MDR Annex I?

Basic Cybersecurity Requirements

Annex I of the MDR and IVDR emphasise the importance of cybersecurity in maintaining the general safety and performance requirements of medical devices with a focus on cybersecurity. The requirements are categorised into three key areas:

  • IT Security: Protecting the information technology systems of medical devices is crucial. This includes safeguarding against unauthorised access and ensuring data integrity (referencing sections 17.4, 23.4ab).
  • Operation Security: Devices must operate securely under all conditions. This involves ensuring that the device functions as intended without compromising safety (referencing sections 14.1, 14.2, 17.1).
  • Information Security: Protecting sensitive data is a top priority. Medical devices must ensure that patient data and other critical information are secure from breaches (referencing section 17.2).

Requirements for the Secure Design and Manufacture of Medical Devices

Diagram illustrating the components considered for the cybersecurity of medical devices.
Cybersecurity considerations for the design and manufacturing of medical devices

Cybersecurity must be integrated into every stage of a medical device’s lifecycle. Annex I of the MDR and IVDR highlights several critical aspects of secure design and manufacture:

  • Risk Management: Risks must be identified, assessed, and managed throughout the device’s lifecycle (sections 3, 14.4, 14.5, 19.3).
  • Protection Against Risks: Devices must be designed to protect against risks during both intended use and foreseeable misuse (sections 3c, 8).
  • Unauthorised Access: Measures must be in place to prevent unauthorised access to the device and its data (sections 17.4, 18.8).
  • Threats and Vulnerabilities: Manufacturers must identify and address security threats, vulnerabilities, and risks (section 4b).
  • Risk Control Measures: Effective risk control measures must be established to mitigate identified risks (section 4).
  • Minimum IT Security Requirements: Devices must meet minimum IT security standards to ensure baseline protection (sections 17.4, 14.5).

A key driver of secure design and manufacturing is the state of the art (sections 1, 4, 17.2). Manufacturers should consider the state of the art when designing developing and upgrading medical devices across their life cycle. This involves incorporating the latest advancements, technologies, and best practices into their decision-making processes to address security risks proportionally and appropriately. By aligning with the state of the art, manufacturers can ensure that their devices are not only compliant with regulatory requirements but also resilient against emerging threats, safeguarding patient safety and data security over the long term.

How are the cybersecurity requirements under MDR interrelated to the other relevant EU legislations (Cybersecurity Act, GDPR and NIS)?

Cybersecurity requirements under the MDR are interconnected with other EU legislations, such as the Cybersecurity Act, General Data Protection Regulation (GDPR), and the Network and Information Security (NIS) Directive. While the EU MDR and IVDR focus on the safety and performance of medical devices, these additional legislations address broader aspects of cybersecurity, data protection, and network security. The MDCG 2019-16 Rev 1 guidance provides a detailed discussion of how these requirements overlap and complement each other.

What cybersecurity activities does the manufacturer need to carry out during the lifecycle of a medical device according to MDR?

Pre-market cybersecurity activities include:

  • Secure Design (Annex I)
  • Risk management (Annex I)
  • Establish Risk Control Measures (Annex I)
  • Validation, Verification, Risk Assessment, Benefit Risk Analysis (Annex I)
  • Technical Documentation (Annex II and III)
  • Conformity Assessment (Article 52)
  • Establish a Post-market Surveillance Plan and Post-market Surveillance System (Article 83 and 84)
  • Clinical evaluation process (Chapter VI)

Post-market activities include:

  • Risk management (Annex I)
  • Modify Risk Control Measures /Corrective Actions/Patches (Annex I)
  • Validation, Verification, Risk Assessment, Benefit Risk Analysis (Annex I)
  • Maintain and update a Post-market Surveillance Plan and Post-market Surveillance System (Article 83 and 84)
  • Trend Reporting (Article 88)
  • Analysis of Serious Incidents (Article 89)
  • Post-Market Surveillance Report (Article 85)
  • Periodic Safety Update Report (Article 86)
  • Update Technical Documentation (Annex II and III)
  • Inform the Electronic System on Vigilance (Article 92)

Cybersecurity is a critical aspect of ensuring the safety and performance of medical devices under the EU MDR and IVDR. By adopting a secure-by-design approach, prioritising risk management, and maintaining robust post-market surveillance, manufacturers can protect patients from potential threats and ensure compliance with regulatory standards.

If you need guidance on EU MDR and IVDR requirements or have concerns about cybersecurity compliance for your medical device, contact us today to arrange a free, no-obligation discussion.

Back to top

Related articles

  1. A team of profesional-looking people sit around a table, congratulating themselves.

    Extending the Validity of your IVDD Certificates – Key Dates

    The EU and the MHRA have extended the validity of IVDD certificates, allowing you more time to transition to the IVDR. We explain what this means for manufacturers.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  2. A team of profesional-looking people sit around a table, congratulating themselves.

    GSPR 1: A New Era of Performance with Safety at the Core

    This regulation emphasizes risk management, durable design & biocompatibility to ensure medical devices are safe and effective. GSPR 1 protects users while driving innovation in medical technology.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  3. A futuristic-looking factory full of labelled cardboard boxes.

    Decoding UDI: Your Ultimate Guide to Smarter Medical Device Labelling

    The Unique Device Identifier (UDI) ensures medical device traceability and compliance. We break down its structure, Device Identifier (UDI-DI), Production Identifier (UDI-PI) and its role in EUDAMED.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  4. A scientist uses a pipette to prepare lab samples.

    Understanding Risk-Based Classification of In Vitro Medical Devices Under EU IVDR

    The transition from IVDD replaces list-based classification with a risk-based approach. Manufacturers must thoroughly understand the rules outlined in Annex VIII of the IVDR.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  5. A hospital room full of equipment with futuristic user interfaces.

    IMDRF Sets the Standard: 10 Key Principles for AI-enabled Medical Devices

    Good Machine Learning Practice (GMLP) principles ensure safe devices, covering intended use, clinical evaluation & Human-AI Interaction (HAII).

    Ron Sangal Ron Sangal Lead Medical Writer
  6. A medical team discuss performance data at their desktop computer.

    Key Updates for Navigating EMDN: MDCG 2024-2 Rev.1 & 2021-12 Rev.1

    Release of the updated guidance helps manufacturers navigate the EMDN system for accurate device classification, ensuring market access.

    Ron Sangal Ron Sangal Lead Medical Writer
  7. A lab technician enters samples into a machine.

    From IVDD to IVDR: Ensuring Compliance During the Transitional Period

    Legacy device manufacturers need to manage challenging timelines as well as address transitional provisions and update QMS.

    Shona Richardson Shona Richardson Regulatory Medical Writer
  8. A dated monitor for medical equipment.

    Understanding Clinical Evidence Requirements with MDCG 2020-6

    How can manufacturers ensure legacy devices meet MDR's stringent requirements? Discover how MDCG 2020-6 guidance simplifies the path to compliance.

    Dr Clare Dixon Dr Clare Dixon Regulatory Specialist
  9. A stethoscope laid on a desk of regulatory documentation.

    Clinical benefits of an in vitro diagnostic medical device

    How to determine the clinical benefit of an IVD and successfully incorporate it into regulatory documentation.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  10. EU flags

    Regulation (EU) 2024/1860 - Its impact on EU MDR and IVDR

    How does the recent Regulation (EU) 2024/1860 amendment affect the EU MDR & IVDR?

    Shona Richardson Shona Richardson Regulatory Medical Writer
  11. EU flag

    MDCG 2024-10 - Orphan medical devices

    How to apply MDR pre-market clinical evidence requirements to medical devices intended for limited usage.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  12. Considering a medical device's intended purpose

    A medical device's intended purpose - what is the point?

    How do you define intended purpose, indication for use, intended clinical benefits, and claims?

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  13. Mantra Systems presents EnableChat, your AI-powered MDR & MDCG chatbot

    EnableChat - Your AI-powered MDR and MDCG chatbot

    Search the MDR and MDCG documents in seconds by asking EnableChat your questions.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  14. Searching adverse event databases for vigilance data

    Staying vigilant - A guide to searching for adverse events data

    We discuss the pros and cons of existing adverse event databases for vigilance data searching.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  15. A doctor reading an SSCP document with a patient

    What is Summary of Safety and Clinical Performance (SSCP)?

    We explain what the SSCP is, when you'll need it and what its objectives are.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  16. A woman in a laboratory looking down a microscope

    Scientific Validity Reports – Foundation of the IVDR Performance Evaluation

    Justifying scientific validity is the first step in proving compliance with the IVDR.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  17. A pile of question marks

    Medical Device 'Significant Changes' – Navigating EU MDR Article 120(3) using MDCG 2020-3 rev. 1

    Understand what changes to your medical device are considered 'significant' under EU MDR (2017/745).

    Shen May Khoo Shen May Khoo Junior Regulatory Specialist
  18. A signpost giving unsure directions

    MDR or IVDR - A sibling rivalry?

    A guide to easily understanding whether your device is a medical device or an in vitro diagnostic medical device (IVD).

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  19. An EU and UK flag

    What the latest Brexit U-turn means for CE Marking of medical devices in Great Britain

    Will Great Britain continue to allow the use of the CE mark for medical devices beyond the 2024 deadline?

    Dr Hanna Gul Dr Hanna Gul Lead Medical Writer
  20. A woman writing her own medical device regulation documentation

    Gain confidence, reassurance and control over your EU MDR strategy

    Find out how to build your own technical files within a guided framework while minimising financial outlays.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  21. Racing to achieve MDR compliance

    Still racing to achieve MDR compliance? A transition period update

    On January 6th 2023, the EU commission has adopted the proposal to extend the transition rules of the EU MDR.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  22. A 7-step guide to navigating regulatory requirements for medical device start-ups

    A medical device regulations guide for start-up companies

    We present a 7-step guide to navigating regulatory requirements on a budget.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  23. An update on UKCA Marking of Medical Devices

    UKCA Marking of Medical Devices – An update on the status quo

    We review recently updated requirements for UKCA marking and what it means for your regulatory strategy.

    Dr Hanna Gul Dr Hanna Gul Lead Medical Writer
  24. How to choose a CER writer for your MDR Clinical Evaluation

    Choosing a CER writer for your MDR Clinical Evaluations

    We've compiled a list of considerations that will help you make the right choice when choosing a CER writer.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  25. Achieving MDR Compliance for Class I medical devices

    How to achieve MDR Compliance for Class I medical devices

    We outline a strategy for the regulatory compliance of Class I medical devices.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  26. Literature Search, SOTA Review and Clinical Evaluation

    Literature Search, SOTA Review process and Clinical Evaluation

    We help to demystify the process of systematic search & review of literature for Clinical Evaluation.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  27. Literature Search Protocols & SOTA Reviews for medical devices and what to know before you start

    Literature searches and reviews for medical devices - what to know before you start

    We explain what you should know before beginning a literature search & review for your medical device.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  28. Five useful resources when writing a medical device CER

    Five useful resources when writing a medical device CER

    We outline five of the most useful and trustworthy Clinical Evaluation Report writing resources.

    Dr Victoria Cartwright Dr Victoria Cartwright Relationship Manager
  29. Avoid pitfalls when writing a Clinical Evaluation Report

    Five common pitfalls when writing a Clinical Evaluation Report

    We illustrate five pitfalls when writing CERs and give you some tips to overcome them.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  30. How to make a medical device equivalence claim under the MDR

    Five tips for making a medical device equivalence claim under the MDR

    We'll show you what to keep in mind with regards to equivalance and Clinical Evaluation.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  31. Keeping medical devices in market and maintaining CE-marks - a guide to effective data collection

    Keeping medical devices in market and maintaining CE-marks

    The 4 golden rules to drive regulatory compliance with PMCF and vigilance data collection.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  32. How PMCF goes beyond simple compliance - improving products and engaging customers

    How PMCF goes beyond simple compliance

    The wider benefits of a well-designed PMCF system include improving your products and your relationship with your clients.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  33. PMCF systems for medical devices

    Why you'll almost certainly need a PMCF system for your medical devices

    We tell you what to be aware of under the EU MDR regarding PMCF and your medical devices.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  34. Ensure medical device regulatory compliance of your devices through Brexit

    The impact of Brexit on medical device regulatory compliance

    How to ensure regulatory alignment of your devices in the territories affected by Brexit.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  35. Use medical device regulatory consulting services to supercharge your MDR transition

    Is outside consulting support the answer to your MDR transition?

    Getting ready for the MDR is a demanding process. Outsourcing might be your solution.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  36. Increasing data entry compliance in PMCF studies

    Increasing data entry compliance in PMCF studies

    5 methods every medical device manufacturer should know to improve their Post-Market Clinical Follow-up studies.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  37. Why medical doctors can drive MDR compliance

    Why medical doctors can drive MDR compliance

    Working with the MDR requires knowing how to work with clinical evidence. Medical doctors are perfectly positioned to meet this requirement.

    Dr Victoria Cartwright Dr Victoria Cartwright Relationship Manager
  38. Software as a Medical Device

    Software as a Medical Device

    Unless you have spent time working with medical device legislation in the past, the idea that software could be a medical device may be rather unexpected.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  39. clinical investigator for pmcf eu mdr compliance

    Ensuring that clinical investigations work in practice

    How can medical device manufacturers ensure valid clinical investigations when access to medical expertise remains limited?

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  40. Coronavirus and medical device regulations

    Relaxing medical device regulatory requirements during a healthcare crisis

    During the coronavirus pandemic, how far should we go when relaxing medical device regulatory requirements?

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  41. The new MDR compliance challenge

    The new MDR compliance challenge

    Across the industry, medical device companies are facing challenges in meeting the demands of the new Medical Device Regulations (MDR) 2017/745 framework.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  42. Sources of Real World Evidence for MDR compliance

    Sources of Real World Evidence for MDR compliance

    At Mantra Systems our objective is to make sure that our clients choose the method of real world data harvesting that is right for them.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer

More articles

Do you need support with your medical device approval strategy?

Contact us today