Why Cybersecurity is Business-Critical in Medtech

Cybersecurity in medtech is as vital as a pacemaker’s rhythm or an insulin pump’s dosage. Learn why approved security can determine market access.

Digital protection in medtech is now almost as critical as a pacemaker keeping rhythm – or an insulin pump delivering the correct dose. For manufacturers of medical devices, approved security can be the difference between a successful launch and a product halted at the last minute.

Today’s medical devices may be apps themselves, or they may interact with apps, electronic health records, and cloud services. This opens the door to new treatments and improved care – but also new risks.

Regulations and standards

Behind the requirements are the EU regulations MDR (Medical Device Regulation) and IVDR (In Vitro Diagnostic Medical Device Regulation). They make cybersecurity part of a product’s overall quality. To demonstrate conformity with the regulations, harmonized standards are used. Within the EU, EN 81001-5-1 will be harmonized and must be used by manufacturers to move from risk analysis to technical controls and documentation – thereby proving compliance.

Outside the EU, other requirements apply. In the United States, for example, the Food and Drug Administration (FDA) reviews products and publishes its own cybersecurity guidance documentation.

The same product may therefore require different documentation depending on the market. This means manufacturers should account for both EU and U.S. requirements already in the design and development phases.

Cybersecurity is tested both in theory and practice

When a medical device is ready for testing, it undergoes penetration testing to uncover security issues that may have arisen during design or implementation. Typical areas examined include:

  • Unmonitored API endpoints
  • Overly generous privileges
  • Information flows that leak more data than intended
  • Apps accessing incorrect data
  • Risk of users receiving overly high permissions
  • Manipulation of patient data or control data
  • Analysis of known vulnerabilities (CVEs) and their exploitability
  • Review of algorithms and key management

In addition, encryption of patient data and access control in networks are tested. In hospital environments, many devices share networks, and if a product “talks too much to its neighbors,” both the attack surface and risk increase.

“We review the system based on the customer’s risk or threat model and look for design and implementation issues. We can identify problems and suggest changes before it becomes expensive and time-consuming to fix. This makes the entire process more efficient,” says Albin Eldstål-Ahrens, PhD and Security Specialist at Assured.

Verification, validation, and reporting

The results of penetration testing are used in both verification and validation. In the verification phase, security requirements are checked, while the validation phase provides evidence for EU and FDA reviews.

A particular challenge is known vulnerabilities (CVEs) that may exist in a product but are not always clearly exploitable. Companies often struggle to determine the real risk – this is where Assured’s specialists can analyze if a vulnerability is exploitable and how severe it is.

All findings are compiled into reports tailored to industry requirements and included in documentation for CE marking, FDA submissions, and internal risk management. In addition to vulnerabilities, anomalies – deviations that may indicate weaknesses – are also documented.

Responsibility throughout the product lifecycle

Cybersecurity is not something that can be checked off in a single test – the responsibility extends throughout the entire product lifecycle.

“Often the CISO ends up coordinating the work, but many companies also need to appoint or hire a specialist who ensures compliance at every step,” says Albin.

Risks can be inadvertently designed into the product early on, for example through unclear instructions or overly broad user permissions.

Responsibility continues after launch. The regulations require Post-Market Surveillance (PMS), a continuous monitoring of the product to ensure issues are detected and reported in time. Since PMS involves collecting user data, cybersecurity must also be coordinated with GDPR.

When requirements stop the business

Cybersecurity is a business-critical issue that affects both market access and revenue. If a product fails review, the launch may be halted. This can lead to major costs and delays – or even allow a competitor to reach the market first.

Another pitfall is relying on MDR’s extended deadlines and waiting too long:

“It may work within the EU, but when the product is released on another market, there can be unpleasant surprises. Then it becomes urgent and expensive,” says Albin.

When cybersecurity is built in from the start, the chances of launching on time and achieving commercial success increase.

How do you ensure your cybersecurity?

Assured has extensive experience helping medtech companies build cybersecurity from the beginning and stand strong during regulatory reviews. Whether you need an early design-phase assessment or a full-scale penetration test, we can be your partner throughout the entire process.

How we work – step by step

  • Design: risk identification in requirements and specifications
  • Architecture: support to build secure systems from the start
  • Verification: penetration tests during development
  • Validation: testing ahead of regulatory reviews
  • Reporting: industry-adapted reports that become part of CE and FDA documentation

Contact us or fill in the form below to discuss how we can help you meet cybersecurity requirements and secure your products.
