MDCG 2019-16 Medical Device Coordination Group: Guidance on Cybersecurity for medical devices
The Medical Device Coordination Group (MDCG) issued the Guidance on Cybersecurity for medical devices (MDCG 2019-16) to help manufacturers meet the cybersecurity-related requirements of the EU Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR). The document explains how to interpret what the MDR and IVDR state regarding cybersecurity and illustrates this with specific examples.
Issuer: Medical Device Coordination Group
The key points of this guidance are:
- Secure design: the guidance emphasizes the importance of incorporating security features and functionalities into the design of medical devices. Manufacturers should use secure coding practices and implement security controls such as encryption and access controls.
- Security risk management throughout the device's lifecycle: manufacturers should conduct a risk assessment to identify cybersecurity threats and vulnerabilities and implement appropriate security measures to mitigate the risks.
- Minimum IT requirements for the operating environment: e.g. compliance with applicable regulation such as the GDPR, physical security and patch management.
- Documentation and instructions for use: the guidance requires manufacturers to document the cybersecurity features and functionalities of their devices.
- Post-market surveillance and vigilance: including measures for investigating and reporting cybersecurity incidents and taking appropriate corrective actions.
Guidelines:
GL1: Intended use and intended operational environment of use
Description: Manufacturers determine design inputs associated with cybersecurity requirements to ensure safety and effectiveness of products against cybersecurity risks and threats.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL2: Intended use and intended operational environment of use
Description: Cybersecurity requirements should be considered in accordance with the nature of the device, including the device type and intended communication technologies usage.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL3: Intended use and intended operational environment of use
Description: A medical device should be designed in a layered defence in depth approach and therefore should not rely on security controls in the operating environment.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL4: Reasonably foreseeable misuse
Description: Medical device manufacturers should ensure that a medical device is designed and manufactured in a way that ensures that the risks associated with reasonably foreseeable environmental conditions are removed or minimised.
Relevant requirements from MDR: MDR Art. 7; MDR Annex I, Chapter I, Section 4; MDR Annex I, Chapter I, Section 3(b)
Relevant NEMECYS tools:
GL5: Reasonably foreseeable misuse
Description: During the risk management process, the manufacturer should foresee and evaluate the potential exploitation of those vulnerabilities that may result from reasonably foreseeable misuse.
Relevant requirements from MDR: MDR, Annex I Chapter 1, 3. (b)
Relevant NEMECYS tools:
GL6: Reasonably foreseeable misuse
Description: During the product security risk management process, manufacturers need to distinguish two important areas:
- Safety risk management, normally covered in the overall product risk management, and
- Security risk management, for security risks that are not associated with safety.
Relevant requirements from MDR: MDR Art. 7; MDR Annex I, Chapter I, Section 4; MDR Annex I, Chapter I, Section 3(b)
Relevant NEMECYS tools:
GL7: Operating Environment
Description: Healthcare providers should adopt a risk management process adhering to general cybersecurity best practices to maintain the healthcare provider's overall security status, including, among others:
- Good physical security to prevent unauthorised physical access to medical devices or network access points
- Access control measures (e.g. role based) to ensure only authenticated and authorised personnel are allowed access to network elements, stored information, services and applications
- Network access controls, such as segmentation, to limit medical device communication
- General patch management practices that ensure timely security patch updates
- Malware protection to prevent unauthorised code execution
- Security awareness training
- Auditability that supports non-repudiation, i.e. the ability to reliably determine who made what changes to the system and when, to assist with forensics
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL8: Joint Responsibility - Specific expectations from other stakeholders
Description: It is important to recognise the roles and expectations of all stakeholders, such as manufacturers, suppliers, healthcare providers, patients, integrators, operators and regulators.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL9: Joint Responsibility - Specific expectations from other stakeholders
Description: Modification of a medical device, e.g. the installation or enabling of third-party software including software patching, should always be under explicit published guidance of the manufacturer.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL10: Integrator
Description: The main responsibility of the integrator is the installation and configuration of the system and its integration into the operator's environment. The integrator should ensure that the system is configured in such a way that it can operate securely in the target health and medical service environment.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL11: Operator
Description: Devices should be used as intended by the manufacturer, following the instructions for use provided with the devices.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL12: Operator
Description: The operator needs to contact the manufacturer if an appropriate set of security information is not available, e.g. security information in the Instructions for Use or provided in separate documents such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2), installation guides or any other form of documentation.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL13: Operator
Description: The operator is responsible for procurement and should ensure that security is maintained during the operation and application of the system (medical device), and in particular that it is not compromised by changes in the environment or by user interaction:
- Ensure the required level of security for the operational environment (network, physical)
- Provide the required infrastructure (network, physical)
- Ensure that personnel are properly trained and available in case of security issues
- Ensure that the system is used as prescribed by manufacturer guidelines (e.g. no physical access by unauthorised users, password policies kept, network security measures)
- Ensure that prescribed maintenance is done as required, including installation of security patches
- Notify the manufacturer without delay of any suspected security event.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL14: Users including healthcare & medical professionals, patients & consumers
Description: Patients and consumers are encouraged to employ cyber smart behaviour, such as paying attention to privacy, being aware of suspicious messaging, and browsing responsibly.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL15: Users including healthcare & medical professionals, patients & consumers
Description: The Instructions for Use should include the necessary information so that patients and consumers can keep the software up to date with the latest version, protect the device throughout its lifespan, use sufficiently complex passwords, turn off features that are not used, secure the computer or tablet devices they use with it, keep backups and protect their healthcare data.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL16: Secure Design and Manufacture
Description: Safety, security and effectiveness are critical aspects that need to be considered by the manufacturers from an early stage of the development and manufacturing process and throughout the entire life cycle.
Relevant requirements from MDR:
- Annex I, Section 3 (MDR)
- Annex I, Section 4 (MDR)
- Annex I, Section 17 (MDR)
- Annex I, Sections 17.4 and 18.8 (MDR)
- Annex I, Section 22.1 (MDR)
Relevant NEMECYS tools:
GL17: Secure by design - Security Management
Description: The security management practice is applied throughout all the secure by design practices to ensure that these practices are being followed and managed. The purpose of the security management practice is to ensure that the security-related activities are adequately planned, documented, and executed throughout the product's lifecycle.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL18: Secure by design - Specification of security requirements
Description: The processes specified by this practice are used to identify the security capabilities that are required for appropriate protection of confidentiality, integrity and availability of data, function and services of the medical device along with the specified product security context. Security capabilities can include such items as authentication, authorisation, encryption, auditing, and other security capabilities a product needs to include. The product security context can include items such as physical security level, protection of external interfaces via a firewall, etc. These security requirements can be defined at the product-level, or they may supplement product-level requirements.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL19: Secure by design
Description: The processes specified by this practice are used to ensure that the product is secure by design including defence in depth.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL20: Secure by design - Secure implementation
Description: The processes specified by this practice are used to ensure that the product features are implemented securely. Requirements in this practice apply to all hardware and software components in the product with the exception of externally provided components. For externally provided components, requirements of MDCG-GL-01 apply instead.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL21: Secure by design - Security verification and validation testing
Description: The processes specified by this practice are used to document the security testing required to ensure that all the security requirements have been met for the product and that security of the product is maintained when the product is used as intended. Security testing should be aligned to other product test activities and can be performed at various times by various personnel during the total security lifecycle based on the type of testing and the development model used by the vendor.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL22: Secure by design - Management of security-related issues
Description: The processes specified by this practice are used for handling security-related issues of a product.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL23: Secure by design - Security update management
Description: The processes specified by this practice are used to ensure that security updates and security patches associated with the product are tested for regressions and made available to product users in a timely manner.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL24: Secure by design - Security guidelines
Description: The processes specified by this practice are used to provide and maintain user documentation that describes how to integrate, configure, and maintain the defence in depth strategy of the product in accordance with its product security context.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL25: Security Risk Management
Description: The security risk management process has the same elements as the safety risk management process, all documented in a security risk management plan. The process elements are security risk analysis, security risk evaluation, security risk control, evaluation of residual security risk and reporting. When a security risk or control measure could have a possible impact on safety and effectiveness, it should be included in the safety risk assessment. Similarly, any safety risk control or consideration that might have an impact on security should be included in the security risk analysis.
Relevant requirements from MDR:
- Annex I, Section 17.1 (MDR)
- Annex I, Section 3 (MDR)
- Annex IV of the guidance, for a descriptive illustration of this concept
Relevant NEMECYS tools:
GL26: Risk analysis for safety
Description: A product risk analysis for safety should consider the effects of security vulnerabilities on the essential functioning of the product. The safety risk assessment might list generic security-related hazards identified for the product, such as, but not limited to: denial of service, code execution, memory corruption, information disclosure, privilege escalation, etc. This avoids detailing every possible security attack vector that does not result in a different hazard for the product.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL27: Security Capabilities
Description: The list of known vulnerabilities and attack vectors is the basis for specifying the security capabilities, depending on the risk management, required for appropriate protection of confidentiality, integrity and availability of data, functions and services of the medical device, along with the specified product security context. Security capabilities may be selected as suitable risk-control measures. An indicative list of security capabilities which can be used to protect the device and establish a means for appropriate communication with the operator:
1. Automatic Logoff
2. Audit Controls
3. Authorization
4. Configuration of Security Features
5. Cybersecurity Product Upgrades
6. Personal Data De-Identification
7. Data Backup and Disaster Recovery
8. Emergency Access
9. Personal Data Integrity and Authenticity
10. Malware Detection / Protection
11. Node Authentication
12. Person Authentication
13. Physical Locks
14. System and OS Hardening
15. Security and Privacy Guides
16. Personal Data Storage Confidentiality
17. Transmission Confidentiality
18. Transmission Integrity
Relevant requirements from MDR: Annex I, Section 17.2 (MDR)
Relevant NEMECYS tools:
GL28: Security Capabilities
Description: Where there is an impact on safety or effectiveness, manufacturers shall select the most appropriate risk control solution, in the following order of priority:
a. Eliminate or reduce risks as far as possible through safe design and manufacture.
b. Where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated.
c. Provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users.
For security, a similar approach can be taken:
a. Eliminate or reduce security risks as far as feasible through secure design and manufacture.
b. Where appropriate, take adequate protection measures, including security notifications if necessary, in relation to risks that cannot be eliminated.
c. Provide information for security (warnings/precautions/contra-indications), including information on measures that the user is required to take in the operating environment to reduce the likelihood of exploitation.
Relevant requirements from MDR:
- Annex I section 4 of the Medical Devices Regulations.
Relevant NEMECYS tools:
GL29: Security Capabilities
Description: When determining security capabilities, the manufacturer should demonstrate for each security measure that not only the goals of safety and effectiveness are maintained with the implementation of a specific capability, but also performance requirements and the existing risk control measures remain effective as specified.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL30: Security Risk Assessment
Description: The manufacturer should consider the device's intended clinical use and intended operational environment when determining the appropriate balance of safety, effectiveness and security. Threat modelling techniques are a systematic approach for analysing the security of an item in a structured way so that vulnerabilities can be identified, enumerated and prioritised, all from a hypothetical attacker's point of view. Threat modelling can be applied to software, devices, systems, networks, distributed systems, business processes, etc. It typically identifies attack vectors and the assets most desired by an attacker, which leads to a decomposition of the item (software, device, system, etc.) so that each possible attack vector and asset can be examined individually to determine which kinds of attacks it is vulnerable to. From this, a list of vulnerabilities can be created and ordered in terms of risk, potential to affect safety and effectiveness, or any other criteria deemed appropriate.
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL31: Security Benefit Risk Analysis
Description: It should be noted that the Benefit Risk Analysis is not executed for every individual security risk. Instead, an overall Benefit Risk Analysis is executed based on the intended use and the possible safety and performance impact, using the safety risk assessment, which includes the security-related hazard categories. Risk acceptance criteria should be established and documented by the manufacturer to guide the appropriate measures for mitigating security risks. Those criteria relate to the intended purpose and operational environment.
Relevant requirements from MDR: Medical Devices Regulations Annex I, sections 1, 2, 3e and 8.
Relevant NEMECYS tools:
GL32: Minimum IT Requirements
Description: Medical device manufacturers need to set out the minimum relevant IT security requirements for the operating environment and communicate them effectively to the users.
- It is the manufacturers' responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design.
- IT security measures may refer to any applicable technical and/or organisational measures for managing IT security risks related to the operating environment.
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL33: Minimum IT Requirements
Description: The manufacturer shall provide clear documentation of the device's instructions for use, including IT security features/configurations (if applicable), and clear instructions for the IT security controls related to the operating environment, including product specifications, compatibilities, recommended IT security measures, IT environment configuration (e.g. traffic control), etc. Due to frequent changes in the threat landscape, it might be advisable to maintain security information in an electronic form that allows for dynamic updates as needed.
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL34: Minimum IT Requirements - Basic principles for the operating environment
Description: Any minimum requirements concerning hardware, IT networks characteristics and IT security measures for the operating environment should be defined on the basis of the following principles:
- Any proposed IT security requirement for the operating environment should be based on the risk assessment conducted for the medical device.
- The medical device should be as autonomous as possible in terms of IT security and sole reliance on the existence of any IT security requirements on the operating environment should be kept to a minimum and reflect the manufacturer's assumptions on the baseline environment security for the secure operation of the medical device.
- The manufacturer's assumptions regarding the IT security of the operating environment shall be clearly documented in the instructions for use and may refer to best practice security standards.
- In accordance with the principle of layered security, IT security measures foreseen for the operating environment in general should not serve the purpose of compensating security controls for medical device vulnerabilities, unless there is sufficient justification. In cases where the medical device relies on the operating environment to provide important IT security controls, this should be stated in the accompanying technical documentation.
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL35: Minimum IT Requirements - IT security requirements for the operating environment
Description: The medical device manufacturer should determine the IT security requirements for the operating environment on the basis of the MDCG-GL-34. The relevant security requirements may include any combination of technical and organisational measures that affect the IT security of the operating environment of the medical device. The operating environment is defined as the sum of IT assets (software, hardware, network components) within which the medical device operates and with which the medical device interacts.
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL36: Minimum IT Requirements - General security requirements for operating environment
Description: The security measures listed below should be viewed as a non-exhaustive and non-mandatory list of possible security controls for the operating environment. Moreover, they include IT security practices that are beneficial for the overall IT security posture of the operator's IT environment (good practices) but may not necessarily be considered mandatory as regards to the suitability of the operating environment. The exact requirements should be defined by the medical device manufacturer on a per case basis, since not all security measures are systematically applicable in all contexts.
- The operator must be in line with national and EU regulations (e.g. GDPR).
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL37: Minimum IT Requirements - General security requirements for operating environment
Description: The security measures listed below should be viewed as a non-exhaustive and non-mandatory list of possible security controls for the operating environment. Moreover, they include IT security practices that are beneficial for the overall IT security posture of the operator's IT environment (good practices) but may not necessarily be considered mandatory as regards to the suitability of the operating environment. The exact requirements should be defined by the medical device manufacturer on a per case basis, since not all security measures are systematically applicable in all contexts.
- The operating environment must provide physical security for the medical device via security measures such as:
- Regulated and authenticated physical access enforced via suitable technical measures (e.g. badges).
- Physical security policy defining roles and access rights, including for physical access to the medical device.
- Use of segregated, secure areas with appropriate access controls.
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL38: Minimum IT Requirements - General security requirements for operating environment
Description: The security measures listed below should be viewed as a non-exhaustive and non-mandatory list of possible security controls for the operating environment. Moreover, they include IT security practices that are beneficial for the overall IT security posture of the operator's IT environment (good practices) but may not necessarily be considered mandatory as regards to the suitability of the operating environment. The exact requirements should be defined by the medical device manufacturer on a per case basis, since not all security measures are systematically applicable in all contexts.
- The operating environment must include appropriate security controls such as:
- User access management (credentials for accessing software applications or devices, user access policy, etc.)
- Antivirus / anti-malware software
- Firewall
- Application whitelisting / system hardening
- Exclusive use of genuine software and ban of all illegitimate software and applications.
- Session management measures (e.g. session timeouts)
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL39: Minimum IT Requirements - General security requirements for operating environment
Description: The security measures listed below should be viewed as a non-exhaustive and non-mandatory list of possible security controls for the operating environment. Moreover, they include IT security practices that are beneficial for the overall IT security posture of the operator's IT environment (good practices) but may not necessarily be considered mandatory as regards to the suitability of the operating environment. The exact requirements should be defined by the medical device manufacturer on a per case basis, since not all security measures are systematically applicable in all contexts.
- The operating environment must provide control and security of network traffic via appropriate measures, such as:
- Network segmentation
- Traffic filtering
- Data encryption
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL40: Minimum IT Requirements - General security requirements for operating environment
Description: The security measures listed below should be viewed as a non-exhaustive and non-mandatory list of possible security controls for the operating environment. Moreover, they include IT security practices that are beneficial for the overall IT security posture of the operator's IT environment (good practices) but may not necessarily be considered mandatory as regards to the suitability of the operating environment. The exact requirements should be defined by the medical device manufacturer on a per case basis, since not all security measures are systematically applicable in all contexts.
- Specifically for the workstations connected to the medical device, appropriate security measures may include:
- Operating system hardening and application whitelisting
- Memory protection measures to block arbitrary code execution
- Compatibility of medical device management software with security solutions that counter malicious code
- Use of strong passwords
- Install only software programmes necessary for the intended use of the operating environment.
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
GL41: Minimum IT Requirements - General security requirements for operating environment
Description: The security measures listed below should be viewed as a non-exhaustive and non-mandatory list of possible security controls for the operating environment. Moreover, they include IT security practices that are beneficial for the overall IT security posture of the operator's IT environment (good practices) but may not necessarily be considered mandatory as regards to the suitability of the operating environment. The exact requirements should be defined by the medical device manufacturer on a per case basis, since not all security measures are systematically applicable in all contexts.
- For cases where the operating environment is a complex system integrating multiple medical devices and other systems, appropriate measures to limit the propagation of an attack may include:
- Partitioning mechanisms and network / traffic segmentation
- Software integrity checks and device authentication mechanisms
Relevant requirements from MDR:
- 17.4 MDR/16.4 IVDR
- 23.4ab MDR/20.4 ah IVDR
Relevant NEMECYS tools:
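The "software integrity checks" of GL41 and the tested, timely security updates of GL23 meet in one concrete device-side control: refusing to install an update package whose manifest is not authentic, whose payload does not match the manifest, or which would roll the device back to an older (possibly vulnerable) version. The following is an added example and is not code from MDCG 2019-16 or from any manufacturer; it assumes a manifest format (JSON with `version`, `sha256` and `mac` fields) and uses HMAC-SHA256 under a device-provisioned key as a stand-in for whatever signature scheme a real manufacturer would use. Everything here (key, payload, manifest layout) is constructed for the demonstration.

```python
"""Update manifest verification: authenticity, payload integrity, anti-rollback.

Added example, not from the MDCG guidance. Assumed manifest format and
HMAC-based authentication are stand-ins for a manufacturer's own scheme.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed demo key. A real device would keep this in protected storage
# (or hold a public key and verify a proper digital signature instead).
DEVICE_KEY = b"demo-key-do-not-use-in-production"


def canonical(fields: Dict[str, object]) -> bytes:
    """Deterministic serialisation of the authenticated fields (sorted keys, no spaces)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> Dict[str, object]:
    """Manufacturer side: record version and payload hash, then MAC those fields."""
    fields = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def verify_update(manifest: Dict[str, object], payload: bytes,
                  installed_version: int, key: bytes = DEVICE_KEY) -> Tuple[bool, str]:
    """Device side: return (accepted, reason).

    Order matters: authenticity first, so an attacker cannot make the device
    trust a hash or version they wrote themselves; then payload integrity;
    then the anti-rollback check.
    """
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    expected_mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(expected_mac, str(manifest.get("mac", ""))):
        return False, "manifest MAC invalid"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), str(fields.get("sha256", ""))):
        return False, "payload hash mismatch"
    version = int(fields.get("version", -1))
    if version <= installed_version:
        return False, f"version {version} is not newer than installed {installed_version}"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios: genuine update, tampered payload, rollback, forged manifest."""
    installed = 3
    genuine = b"firmware v4 image bytes (constructed)"
    manifest = build_manifest(4, genuine)
    results = {
        "genuine": verify_update(manifest, genuine, installed),
        # Payload altered after signing (e.g. a byte appended by an attacker in transit).
        "tampered_payload": verify_update(manifest, genuine + b"\x90", installed),
        # Authentic but older package replayed to reintroduce a fixed vulnerability.
        "rollback": verify_update(build_manifest(2, genuine), genuine, installed),
    }
    # Attacker edits the version field without being able to recompute the MAC.
    forged = dict(manifest, version=5)
    results["forged_manifest"] = verify_update(forged, genuine, installed)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:17s} accepted={accepted!s:5s} {reason}")
```

The check order is the design point: the MAC covers both the hash and the version, so a forged version number or a substituted hash is rejected as "manifest MAC invalid" before the device ever acts on it, and a genuine older package is still refused by the rollback rule. In a real device the HMAC would be replaced by signature verification against a manufacturer public key, so that the device holds no secret capable of producing valid manifests.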
GL42: Minimum IT Requirements - General security requirements for operating environment
Description:
Relevant requirements from MDR:
Relevant NEMECYS tools:
GL..: To be added
Description:
Relevant requirements from MDR:
Relevant NEMECYS tools:
Related documents:
Medical Device Regulation (MDR) Regulation (EU) 2017/745 on medical devices