Cybersecurity Requirements
Overview
MedDO Annex I § 17.2 requires software-based devices to achieve a level of IT security appropriate to their intended purpose, protecting against unauthorised access that could affect device operation or safety. These requirements apply both pre-market (in the technical documentation) and post-market (through post-market surveillance (PMS) and patch management).
Key Standard: IEC 81001-5-1
IEC 81001-5-1:2021 (Health software and health IT systems safety, effectiveness and security, Part 5-1: Security activities in the product life cycle) is the primary harmonised standard. It adapts the secure development lifecycle of IEC 62443-4-1 to health software and covers: security risk management integrated with ISO 14971; threat modelling and vulnerability management; security testing requirements; secure communication guidance; post-market monitoring and patch management.
Pre-Market Technical Documentation Requirements
Technical documentation must include: a cybersecurity risk assessment integrated with the risk management file; threat modelling outputs; the security controls implemented (encryption, authentication, access controls); a description of the minimum hardware/software environment the device requires; penetration test results (for connected devices); a software bill of materials (SBOM) listing all third-party and open-source components, which is also the basis for post-market vulnerability monitoring.
Post-Market Cybersecurity
Post-market obligations include: monitoring vulnerability databases (e.g. CVE/NVD feeds) for the third-party components listed in the SBOM; issuing security patches as part of the post-market surveillance (PMS) process; reporting cybersecurity incidents that constitute serious incidents to Swissmedic via eVigilance.
Official Sources
AI-assisted content for navigation only. Always verify against official Swissmedic and Fedlex sources. Not legal or regulatory advice.
Patch Management Timeline Expectations: While MedDO does not prescribe specific timelines for patch deployment, Swissmedic expects manufacturers to establish and document a patch management process that prioritises critical and high-severity vulnerabilities. MDCG 2019-16 recommends a risk-based approach where critical cybersecurity patches should be available to users within 30–90 days of discovery, depending on exploit likelihood and device accessibility. The patching strategy must be documented in the Post-Market Surveillance Plan.
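The two post-market activities above (matching SBOM components against a vulnerability feed, and turning severity plus device accessibility into a patch deadline) can be wired together in a small script. The following is an added example, not content from the page or from Swissmedic: the CycloneDX-shaped SBOM, the advisory feed (placeholder IDs, fictitious component names, not real CVEs) and the `PATCH_SLA_DAYS` policy are all constructed here for illustration. The 30 and 90 day windows follow the text above; the medium and low buckets are an assumed manufacturer policy.

```python
"""Match a CycloneDX SBOM against a vulnerability feed and assign patch due dates.

Added example, not page content. SBOM, advisories and SLA policy are constructed.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed SBOM in CycloneDX JSON shape; component names are fictitious.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.4.2",
     "purl": "pkg:generic/libexample-tls@1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "2.0.9",
     "purl": "pkg:pypi/jsonparse@2.0.9"},
    {"type": "library", "name": "rtos-net", "version": "3.1.0",
     "purl": "pkg:generic/rtos-net@3.1.0"}
  ]
}"""

# Constructed advisory feed (placeholder IDs, not real CVEs), reduced to the
# fields needed for matching: package identity, affected version range, CVSS score.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_base": "pkg:generic/libexample-tls",
     "affected": "<1.4.5", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "purl_base": "pkg:pypi/jsonparse",
     "affected": ">=2.0.0,<2.1.0", "cvss": 5.3},
    {"id": "EXAMPLE-0003", "purl_base": "pkg:generic/rtos-net",
     "affected": "<3.0.0", "cvss": 7.5},
]

# Assumed patch policy: days from discovery to patch availability. The 30/90 day
# figures follow the page; the medium/low buckets are an illustrative choice.
PATCH_SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

# Two-character operators first so "<=" is not mistaken for "<".
OPS = {
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
}


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(p) for p in v.strip().split("."))


def version_matches(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated constraint, e.g. '>=2.0.0,<2.1.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in OPS:
            if clause.startswith(op):
                if not OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {clause!r}")
    return True


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating from the base score."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    cvss: float
    severity: str
    due: date


def match_sbom(sbom_json, advisories, discovered, network_exposed=True):
    """Return findings sorted by CVSS (highest first), each with a patch due date."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        # Assumes a purl without qualifiers: "pkg:type/name@version".
        purl_base, _, version = comp["purl"].rpartition("@")
        for adv in advisories:
            if adv["purl_base"] != purl_base or not version_matches(version, adv["affected"]):
                continue
            sev = severity(adv["cvss"])
            days = PATCH_SLA_DAYS[sev]
            # Device accessibility adjustment: a critical flaw on a device that is
            # not network reachable gets the longer end of the 30-90 day window.
            if sev == "critical" and not network_exposed:
                days = PATCH_SLA_DAYS["high"]
            findings.append(Finding(comp["name"], version, adv["id"], adv["cvss"], sev,
                                    discovered + timedelta(days=days)))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def run_example(network_exposed=True):
    """Run the matcher on the constructed data with a fixed discovery date."""
    return match_sbom(SBOM_JSON, ADVISORIES, date(2025, 1, 15), network_exposed)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.severity:8} {f.advisory} {f.component}@{f.version} due {f.due}")
```

Running the script reports `libexample-tls` (critical, due 30 days after discovery) and `jsonparse` (medium); `rtos-net` 3.1.0 is outside the affected range and is correctly skipped. In a real PMS process the advisory list would be pulled from NVD or OSV rather than embedded, and the due date, rationale and chosen window would be recorded against the finding in the Post-Market Surveillance Plan.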