Daniel Schifferdecker
Medical devices
In the ever-evolving landscape of healthcare technology, the importance of cyber security has taken center stage. With a slew of regulatory developments and emerging threats, it is crucial for both existing and potential players in the industry to be well-versed in the cyber security domain.
The EU’s Medical Device Regulation (MDR) is making big changes to how we think about cyber security for medical devices. A significant shift is coming in 2024 with the harmonization of IEC 81001-5-1, and it is not just a small adjustment – it is a strong move to make medical devices more resilient against new cyber threats.
Even in 2023, we observed a growing trend among our customers, noting an increased focus and scrutiny during audits. Manufacturers should be ready for closer inspections. Paying attention to things like threat and risk analysis, security by design and keeping a detailed Software Bill of Materials (SBOM) is not just about following rules; it’s about proactively integrating cyber security into the entire development process.
Dr. Joachim Wilke, Cyber Security Specialist Healthcare, ITK Engineering
In the United States, the FDA has been a leader in pushing for better cyber security in the medical device world. As the rules keep evolving, following FDA guidelines is not easy, but it is crucial to ensure medical devices are safe and secure.
Even though the EU Cyber Resilience Act (CRA) excludes medical devices, its effects reach far and wide into the healthcare world. It touches everything from apps to cloud services that are also part of many medical devices' ecosystems. This Act, made to boost cyber resilience in important areas, now requires such non-medical components to reach a similar level of quality in their cyber security activities.
At the same time, the updated Network and Information Security Directive sets a higher standard for everyone operating networked devices in their business, including hospitals and other players in the healthcare market. Manufacturers of medical devices must make sure to provide customers with helpful documentation for integrating medical devices into the customer's network without putting cyber security at risk.
The regulatory shifts outlined above, in combination with upcoming EU regulations not directly targeting medical products, make certain activities mandatory for healthcare companies, whether or not they are developing a medical product in the regulatory sense.