Cybersecurity Requirements for Connected Devices

MFDS has issued guidance for cybersecurity requirements in connected medical devices (covering threat modelling, vulnerability assessment, security controls, testing, and post-market monitoring). These expectations are currently issued as regulatory guidance; MFDS is developing mandatory binding cybersecurity requirements to be incorporated into future regulations.

Which devices are affected?

Connected medical devices include:

  • Devices with wireless connectivity (Wi-Fi, Bluetooth, cellular)
  • Devices connected to hospital networks or electronic health record systems
  • Devices with remote monitoring or software update capabilities
  • Implantable devices with external programming interfaces

Current MFDS cybersecurity guidance expectations

| Area | Expectation |
| --- | --- |
| Threat modelling | Identify cybersecurity threats relevant to the device's connectivity |
| Vulnerability assessment | Assess risk of identified threats |
| Security controls | Implement proportionate security controls (encryption, authentication, access control) |
| Security testing | Test cybersecurity controls before market entry |
| Post-market monitoring | Monitor for new cybersecurity vulnerabilities and patch management |
| Incident response | Define procedure for responding to a cybersecurity incident |
| Disclosure | Define how cybersecurity vulnerabilities will be communicated to users/MFDS |

Alignment with international frameworks

MFDS cybersecurity guidance aligns with:

  • IMDRF Cybersecurity principles and practices
  • FDA cybersecurity guidance (used as a reference)
  • IEC 81001-5-1 (Health software and health IT systems safety, effectiveness, and security)

As of 2024, MFDS cybersecurity expectations remain guidance-level recommendations. Mandatory binding cybersecurity requirements are forthcoming. Manufacturers should begin implementing these expectations immediately to ensure compliance when mandatory requirements take effect.