A ransomware attack paralyses a hospital’s IT systems. A home care app transmits vital signs to the internet in unencrypted form. Scenarios like these are not science fiction – they are a documented reality. For manufacturers of digital medical devices, cybersecurity is therefore no longer a marginal issue, but a key requirement for patient safety and market authorisation.
Who is Affected – and Who Isn’t?
You can’t usually hack a compress. That is why traditional Class I medical devices – such as disposable surgical supplies or simple dressings – are generally exempt from cybersecurity requirements.
The situation is different for digital and connected products: apps for patient support, monitoring solutions in the home care sector, connected diagnostic devices and cloud-based analysis software clearly fall within the scope of application.
The key question is: does the product process or transmit patient data, is it connected to other systems, or does it have a direct influence on clinical decisions through digital data collection? If so, cybersecurity is a must – not an option.
The Regulatory Environment: What are the Current Rules?
The regulatory landscape has become significantly more complex in recent years – particularly with regard to IT security requirements.
Manufacturers today have to keep track of a wide range of regulations. These include:
| Set of Rules | Relevance for Manufacturers |
| --- | --- |
| EU MDR Annex I | General Safety and Performance Requirements for (digital) medical devices |
| MDCG 2019-16 | European Commission guidance on cybersecurity for medical devices |
| IEC 81001-5-1 | Standard for IT security in medical technology; forms the basis for the requirements of the EU MDR and the MDCG guidance; also covers standalone and wellness software; harmonisation not expected until 2028 |
| NIS2 Directive | Applies to operators of networked systems in the healthcare sector within the European Union. It clarifies, in particular, vigilance and due diligence obligations as well as responsibilities |
| Cyber Resilience Act | Applies to all digital or connected products on the EU market |
What Manufacturers Need to Do in Practice
An overview of the key areas of focus:
- Security by Design: Cybersecurity measures should be built into the design phase – not added as an afterthought. Retrofitting is expensive, prone to errors and often insufficient for regulatory approval.
- Threat and risk analysis: Methods such as STRIDE (for systematically identifying threats) or CVSS (for rating the severity of identified vulnerabilities) help to identify and assess potential attack vectors. The results must be documented and integrated into the risk management process in accordance with ISO 14971.
- Software Bill of Materials (SBOM): A complete list of all software components used and their sources is mandatory. This enables a swift response when vulnerabilities in third-party components come to light – and vice versa.
- Post-Market Surveillance: Responsibility does not end with approval. Manufacturers must continue to monitor their systems after they have been placed on the market – the principles of ISO 13485 also apply to medical software.
- Reporting Requirements (new): Under the planned rules, manufacturers must report actively exploited vulnerabilities and serious incidents to the national authorities (CSIRTs) as well as to ENISA.
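As an added illustration of what a maintained SBOM makes possible (example code written for this article, not BEO BERLIN's tooling), the script below cross-references a constructed CycloneDX-style component list for a hypothetical home care app against a constructed advisory list and reports which components fall inside an affected version range. Component names, versions and the advisory references are placeholders.

```python
"""Cross-reference an SBOM against published advisories (added example).

Illustrative script written for this article, not BEO BERLIN's tooling.
The SBOM and the advisory list are constructed sample data in a
CycloneDX-like shape; version matching handles dotted numeric versions only.
"""
from typing import Iterable

# Constructed sample SBOM for a hypothetical home care app (CycloneDX-like).
SBOM = {
    "components": [
        {"name": "openssl", "version": "3.0.7", "supplier": "openssl.org"},
        {"name": "libpng", "version": "1.6.37", "supplier": "libpng.org"},
        {"name": "mqtt-client", "version": "2.1.0", "supplier": "example-vendor"},
    ]
}

# Constructed advisories: (component, first affected, first fixed, reference).
# The references are placeholders, not real advisory identifiers.
ADVISORIES = [
    ("openssl", "3.0.0", "3.0.8", "ADVISORY-PLACEHOLDER-1"),
    ("libpng", "1.6.0", "1.6.36", "ADVISORY-PLACEHOLDER-2"),
    ("mqtt-client", "2.0.0", "2.2.0", "ADVISORY-PLACEHOLDER-3"),
]


def parse_version(v: str) -> tuple:
    """Turn '3.0.7' into (3, 0, 7) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def affected_components(sbom: dict, advisories: Iterable[tuple]) -> list:
    """Return (name, version, reference) for each SBOM entry in an affected range.

    A component is affected when first_affected <= version < first_fixed.
    """
    hits = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for name, first_bad, first_fixed, ref in advisories:
            if comp["name"] != name:
                continue
            if parse_version(first_bad) <= ver < parse_version(first_fixed):
                hits.append((comp["name"], comp["version"], ref))
    return hits


if __name__ == "__main__":
    for name, version, ref in affected_components(SBOM, ADVISORIES):
        print(f"{name} {version} is affected, see {ref}")
```

The numeric version comparison matters: compared as plain strings, "1.6.37" would sort below "1.6.9" and a patched component could be flagged, or an unpatched one missed.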
Starting Early Pays Off
Cybersecurity is now a crucial factor in the regulatory approval of digital medical devices. Manufacturers who only address this issue in the later stages of development risk costly rework, delays with Notified Bodies and, in the worst-case scenario, rejection of the conformity assessment procedure.
The good news is that if you treat cybersecurity as an integral part of product development from the outset – rather than as a compliance exercise at the end – you will create products that are more robust, more trustworthy and sustainably marketable. This isn’t an extra burden. It’s good engineering.
BEO BERLIN supports manufacturers in implementing regulatory requirements in the field of cybersecurity. Please send us your questions or contact us for a free initial consultation.
FURTHER SOURCES
• MDCG 2019-16: Guidance on Cybersecurity for medical devices (europa.eu)
• IEC 81001-5-1: Health software – Part 5-1: Safety, effectiveness and security
• BSI: Cybersecurity requirements for network-enabled medical devices (TR-03161)
• EU Cyber Resilience Act – Text of the Regulation (2024/2847)