Medical Device Coordination Group guidance on cybersecurity for medical devices

By Cynthia O’Donoghue & Katalina Bateman on June 15, 2020

Background

In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group (MDCG) has released guidance on cybersecurity for medical devices (MDCG 2019-16, the Guidance). The Guidance is intended to help manufacturers meet the general safety and performance requirements in Annex I of the Medical Devices Regulation (EU) 2017/745 and the In Vitro Diagnostic Medical Devices Regulation (EU) 2017/746 (together, the Medical Devices Regulations). We have summarised below the key points in the Guidance.

Key points

The Guidance is addressed to manufacturers of medical devices. Under Annex I of the Medical Devices Regulations, manufacturers are required to develop their products in accordance with the state of the art, taking into account risk management principles, including information security, IT security and operation security (the security of the device as used in its intended environment).

  • Pre-market and post-market cybersecurity activities: under the Medical Devices Regulations, manufacturers are required to carry out pre-market activities such as establishing risk control measures, adopting a secure design, performing clinical evaluation and completing conformity assessment. Post-market, manufacturers should revise their risk control measures, perform further risk assessments and update their post-market surveillance plans and systems as new vulnerabilities and incidents come to light.
  • Clarification of cybersecurity concepts: the Guidance elaborates on the concepts of IT security, information security and operation security, and on how each relates to safety. Devices must be safe and effective: any risk associated with the operation of a device must be acceptable when weighed against its benefit, so as to ensure a high level of protection of health and safety. Manufacturers should set cybersecurity requirements in accordance with the nature of the device, including the device type and the communication technologies it is intended to use; anticipate reasonably foreseeable misuse, including attack; and work with other stakeholders such as integrators, operators and users, because the security of a device in operation depends on all of them.
  • Secure design and manufacture ('secure by design'): manufacturers must consider safety, security and effectiveness from an early stage of development and throughout the entire life cycle of the device. A security risk management process should run alongside the safety risk management process, documenting and evaluating each identified security risk and assessing its impact on safety as part of the overall risk assessment. The Guidance also provides an indicative (not exhaustive) list of security capabilities that a manufacturer should consider for a device, such as automatic logoff and emergency access. An overall benefit-risk analysis is, in any case, an explicit requirement under Annex I of the Medical Devices Regulations.
  • Documentation and instructions for use: manufacturers should maintain technical documentation that demonstrates conformity with the general safety and performance requirements in Annex I of the Medical Devices Regulations. This includes the information to be provided to health care providers and other users about the intended use environment and the security measures it assumes. The documentation should be kept up to date with information obtained through the manufacturer's post-market surveillance system on the handling and remediation of cybersecurity incidents and vulnerabilities.
  • Post-market surveillance and vigilance: lastly, because cybersecurity vulnerabilities change and evolve, manufacturers should operate a post-market surveillance programme and update it regularly. The Guidance recommends that the programme address: operation of the device in its intended environment; sharing and dissemination of cybersecurity information, and awareness of vulnerabilities and threats, across sectors; vulnerability remediation; and incident response.

Commentary

The Guidance provides a useful illustration of how manufacturers are expected to comply with their obligations under the Medical Devices Regulations, and will be of particular importance to manufacturers incorporating connected or software-driven technology in their products. MDCG guidance is not itself legally binding, but manufacturers should expect notified bodies to assess cybersecurity against it when reviewing conformity with Annex I.

  • Posted in:
    Technology
  • Blog:
    Technology Law Dispatch
  • Organization:
    Reed Smith LLP
