Dive Brief:
- The European Commission’s Medical Device Coordination Group published guidance Monday aimed at preparing manufacturers to meet both premarket and postmarket cybersecurity requirements under the EU’s new medical device regulations.
- Among the updates in the regulatory overhaul are new safety requirements for all devices that incorporate electronic programmable systems and software. The new rules also require device makers to follow state-of-the-art risk management principles and to establish minimum thresholds for internet technology security measures, including protection against unauthorized access.
- The 47-page document incorporates pieces from other EU and global legislation and guidance that address the domain of cybersecurity for medical devices.
Dive Insight:
A sweeping overhaul of European Union medical device regulations many years in the making will take effect May 26, 2020. The regulations reclassify many devices to a higher risk level, necessitating notified body review. The companion In Vitro Diagnostic Regulation takes effect two years later.
The MDCG advisory body, created under Article 103 of the new Medical Device Regulation, is tasked with harmonizing implementation of the new medical device rules. It is made up of representatives of all EC member states.
The purpose of the new guidance document is to help manufacturers fulfill all essential cybersecurity requirements of the MDR and IVDR. The new regulations ask device makers to incorporate updated practices as they design, develop and upgrade products across their life cycle. They must take into account principles of risk management including information security, verification and validation.
Device makers will need to demonstrate they’ve used state-of-the-art information to make decisions on managing cybersecurity risks based on applicable standards, guidance, their own proprietary knowledge, and publicly available scientific and technical data.
MDR provisions for cybersecurity cover the following areas: privacy and data protection, clinical investigations conducted to show conformity of devices, conformity assessment procedures, postmarket surveillance systems, plans and reports, periodic safety update reports, reporting and analysis of serious incidents and field safety corrective actions, trend reporting, technical documentation, clinical evaluation and postmarket follow-up.
The MDCG document states that other EU and international legislation and guidance relevant to cybersecurity "might apply in parallel" to the new MDR structure. Specifically, the MDCG points to legal measures to boost the overall level of cybersecurity in the EU as provided in the NIS Directive (the directive on security of network and information systems that took effect in late 2016), as well as the General Data Protection Regulation (GDPR) covering individuals’ personal data, and the EU Cybersecurity Act, which introduces a certification framework.
The group's guidance also stresses the importance of referring to the Medical Device Cybersecurity Guide, developed by a working group of the International Medical Device Regulators Forum, which seeks a harmonized approach to cybersecurity worldwide.