Medical Device Regulation - a brief overview from a cybersecurity perspective

According to Cynerio, a healthcare IoT cybersecurity company, 53% of connected medical equipment in hospitals has a known critical cybersecurity vulnerability. A third of bedside connected devices used in healthcare settings have an identified critical risk, which is definitely more worrying in terms of patient safety. This is just one of the many reasons why on 5th April 2017, the European Parliament voted to adopt the awaited Medical Device Regulation (MDR) and In vitro Diagnostic Regulation (IVDR). One of the most critical goals of the new Regulations is to strengthen medical device cybersecurity. 

In our article below, we provide a detailed insight into the European Medical Device Regulation and review it from a cybersecurity perspective. In addition, we introduce our comprehensive conformity assessment solutions at CCLab for numerous standards related to medical devices' cybersecurity resilience including MDR.

What is the new European Medical Device Regulation?

European Medical Device Regulation (MDR 2017/745) was published on 5 May 2017 and went to effect in May 2021. MDR has replaced the existing Medical Device Directive (MDD) and the Active Implantable Medical Device Directive (AIMD).  

With the replacement of previous regulations governing medical devices in the EU by MDR 2017/745, medical device manufacturers are mandated to reassess their products for compliance.

‍

Medical Device Regulation introduces several significant enhancements to medical device conformity evaluation with the aims of:

• Increasing vigilance and market supervision of medical devices
• Enhancing the safety, reliability, and quality of medical devices sold in Europe.
• Boost transparency related to medical devices for customers and users.

MDR for better medical device cybersecurity

Besides the numerous new essential components included, MDR increases legislators’ attention on ensuring that devices put on the EU market are ready for the raised technical difficulties associated with cybersecurity risks. MDR establishes new critical security criteria for all medical devices that contain electronic programmable systems and software that are medical devices in themselves within the European Union. 

The main reason for such a high priority being placed on cybersecurity is the growing threat of cyber-attacks on digital health services, medical networks, and devices. Furthermore, cyberattacks are becoming not only more common but also highly sophisticated.

MDR covers both premarket and postmarket cybersecurity requirements and has been endorsed by the Medical Device Coordination Group (MDCG), which is formed of representatives of all EU Member States. The Regulation requires medical device manufacturers to develop and produce their devices in line with current best practices, considering risk management concepts such as cybersecurity, and establishing minimum standards for IT security measures. 

Important deadlines related to the Regulation

The former, so called MDD certificates remain valid until their original expiration date but at the latest until May 26, 2024. Whichever comes first.  Therefore, manufacturers and vendors can continue to sell MDD-certified equipment latest until May 26, 2024, however, it is crucial to know that this applies only to MDD-certified devices with no substantial changes. In case of a significant modification, the device certificate must be migrated to MDR before launching it on the market.

Note: The EU Health Commissioner, Stella Kyriakides proposed plans to delay the deadline for MDR certification to 2027 for high-risk devices and 2028 for medium and low-risk devices. The European Parliament will most likely decide on the plans in January, 2023.

How to implement the new Regulation?

Describing the implementation of the entire regulation would be extremely long, so we have highlighted the most essential steps from the process, which apply to all medical device manufacturers:

1. Read the Regulation - more than once if needed - to make sure you understand its content
2. Determine which set of regulations applies to your device based on the nature of the device itself.  Examine and update your Quality Management and Risk Management Systems based on MDR Article 10 and ISO 13485:2016. It’s important to know that class I device manufacturers are also included in this requirement. 
3. Reevaluate your device’s portfolio based on the new categorization changes and the availability of appropriate clinical evidence.  Annex VIII of the Medical Device Regulation (MDR) helps you to classify your device as either Class I, IIa, IIb, or Class III, according to the associated risks.
4. Make sure that your device's technical documentation complies with Annex II and Annex III of the MDR, and the MDR 2017/745 regulation. The technical documentation should include the Device/Product description with unique identification of the device(s) which belong to the product, User manual, Development description, Risk Management documentation, andthe Design Verification and Validation report.
5. Check your CER (clinical evaluation report) to ensure that it’s aligned with MDR Article 61 and Annex XIV.
6. Install a Unique Device Identifier (UDI) system and assign basic UDI-DI (Device Identifier) to your devices.
7. Check if your chosen Notified Body (NB) is accredited under the new MDR.
8. Contract a professional Authorized Representative if your business is based outside of the EU.
9. Register yourself at the EUDAMED portal and get an SRN (Single Registration. Number).
10. Hire a professional who will be responsible for Regulatory Compliance.
11. Revise whether there are any adjustments needed to your device's labeling, IFUs (Instruction for Use), and advertising materials.
12. Make sure that your device complies with the post-market management regulation detailed in MDR Articles 83-92.
13. Obtain liability insurance from a reliable insurance company.

Regulations for network-connected medical device

The scope of the processes that these changes will affect the manufacturer or developer depends on the type of network-connected medical device or IoMD/IoMT  manufactured or developed. However, it is predicted that significant changes have to be implemented to their compliance process, quality management system, and technical documentation to be able to comply with the standards of the Regulation.  

According to MDR, while managing cybersecurity over the whole lifespan of a medical device, the following areas should be the main focus:

• Risk management
• Information security
• Labeling
• IT security
• Operation security
• Informing users
• Regular updates
• Secure design
• Verification
• Validation
• Documentation

‍

The evaluations and testing that companies have to go through to get the MDR Certification required to launch network-connected medical devices on the European market are the following:

1. Conformance evaluation: The MDR gap analysis is the initial stage in the medical device cybersecurity testing procedure. This comprehensive evaluation investigates whether or not the business and its medical products meet the standards of the MDR. 
2. Risk assessment: Following MDR - Chapter II., 17.2, the second step of the medical device cybersecurity testing process is risk assessment. Throughout this process, accredited evaluation laboratories, like CCLab, use the Information Technology Infrastructure Library (ITIL), a risk matrix method to uncover potential cybersecurity risks, to categorize their severity and the possibility of their occurrence. 
3. Mandatory cybersecurity testing: this step has 2 main components: vulnerability assessment and penetration testing. A vulnerability assessment is a methodical examination of an information system's security flaws. It determines whether the system is vulnerable to any known potential risks, provides severity ratings to those vulnerabilities, and suggests remedy or mitigation when necessary. A penetration test, also known as a pen test, simulates a cyber attack on an IT system (in this case on a medical device or system) in order to identify exploitable vulnerabilities. 

Without the above assessments, vendors and manufacturers would be at a higher risk of failure, which would cost them not just money but also stress and disrupted processes.

Who is involved in the MDR compliance process?

There are 3 parties involved in an MDR Certification compliance process:

• The vendor or manufacturer/developer who wants to receive the certification for the medical device.
• The notified Body (NB), who issues the MDR certificate based on MDR compliance.
• An accredited evaluation laboratory supporting the vendor or manufacturer/developer in finding the smoothest way to get MDR-complied.

The MDR Certification process is a fairly complicated and complex procedure, therefore we suggest collaborating with a third-party specialist to get professional support.

How can CCLab support your MDR certification process?

Besides other network-connected medical device cybersecurity solutions, we are well-prepared and experienced to comprehensively support your MDR project. We can advise instantly and assist you to prepare for your medical device or system’s MDR compliance process in the most effective way possible. Our extensive services include gap analysis, risk assessment, and preparation for certification. 

We provide "zero to hero" and integration services to assist you to achieve cybersecurity MDR compliance. As our client, you can receive guidance all the way from product design, and development, to MDR certification based on internationally recognized standards. Our integration services can be built on your existing management system (that complies with relevant industry standards) to be able to utilize your already implemented processes instead of having to develop new ones. 

Summary

However today’s smart medical devices are technologically robust and sophisticated, they may have cybersecurity issues and vulnerabilities. The majority of security defects are the consequence of insufficient development, incorrect functionality, rare upgrades, or poor user behavior. This is where MDR comes into the picture. One of the most crucial goals of the Regulation is to reduce potential and existing cybersecurity risks while keeping patients and professionals safe. 

Complying with MDR may appear difficult at first, but you can count on CCLab’s professional support along the road until successful certification. Contact us if you are looking for a reliable and experienced partner to help with your Medical Device Security project.