Cybersecurity for Medical Devices
MDACS · ISO 14971 · IMDRF cybersecurity guidance
Why Cybersecurity Matters
Medical devices that are networked, connected to other systems, or incorporate software face cybersecurity risks that can affect patient safety, including:
- Unauthorised access or manipulation of device functionality
- Data breaches affecting patient privacy
- Malware affecting device operation
MDACS Cybersecurity Approach
The MDD expects cybersecurity risks to be addressed within the device's risk management process (ISO 14971), alongside other safety risks. Manufacturers should:
- Identify cybersecurity threats: threat actors and their potential motivations, known or predicted vulnerabilities in the device or its operating environment, and the clinical and operational impact if a threat were realised
- Implement security controls: authentication, encryption, network segmentation, and update mechanisms
- Validate security measures: penetration testing and vulnerability scanning to confirm that the implemented controls are effective
- Plan post-market cybersecurity monitoring: processes for detecting, assessing and responding to vulnerabilities discovered after the device is placed on the market
Relevant Standards and Guidance
| Standard/Guidance | Scope |
|---|---|
| IEC 81001-5-1 | Health software and health IT systems: security activities in the product life cycle |
| IMDRF N60 | Principles and practices for medical device cybersecurity |
| NIST Cybersecurity Framework | General cybersecurity framework |