Digital technologies play a crucial role in the medical landscape, offering significant benefits for both healthcare providers and patients. However, they also introduce a growing risk: cyberattacks. With the rising frequency and sophistication of cyberattacks, regulations are increasingly mandating stricter security measures. Meeting these security requirements in the realm of medical technologies (MedTech) presents challenges, particularly when it comes to navigating the complex array of standards and regulations that must be followed.
What is MedTech?
MedTech refers to the application of technology in medical interventions to enhance diagnosis, monitoring, treatment and patient care. It encompasses a wide range of products, including pacemakers, insulin pumps, magnetic resonance imaging (MRI) machines, patient monitors and software as a medical device (e.g. cardiovascular analysis software), and is reshaping the way we deliver healthcare. Key benefits include enhanced safety, increased efficiency, better accessibility, improved health outcomes and greater patient autonomy.
Cybersecurity threats
Our reliance on MedTech comes with significant risks, as the threat of cyberattacks continues to rise. In 2023, the Identity Theft Resource Center reported 2,365 cyberattacks across all connected technologies, affecting 343,338,964 victims. This marks a 72% increase in data breaches compared to 2021, which was itself a record. [1]
The US Cyber Threat Intelligence Integration Center further highlights the growing danger for MedTech, noting that worldwide ransomware attacks targeting the healthcare sector have nearly doubled since 2022. [2] As the frequency of cyberattacks escalates, medical records are increasingly targeted, and vital equipment is either disrupted or manipulated, putting patients’ lives at serious risk.
Regulations
Countering this threat has led to stricter MedTech device regulations. In the EU, medical devices and in vitro diagnostic medical devices are regulated under Regulation (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR), respectively.
These require:
- Ch 17.2 of MDR: For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured per the latest standards, taking into account the principles of development life cycle and risk management, including information security, verification and validation
- Ch 17.4 of MDR: Manufacturers shall set out minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorized access, necessary to run the software as intended
To support the fulfillment of these requirements, medical device manufacturers must consider the Guidance on Cybersecurity for medical devices (MDCG 2019-16 Rev.1) and the harmonized standards.
In May 2024, the European Commission issued a decision to delay the deadlines for standard harmonization under both the MDR and IVDR until 2028. This includes IEC 81001-5-1 – a cybersecurity process standard that outlines life cycle requirements covering the entire span of health software – which complements safety-focused standards like IEC 62304. However, harmonization postponement is only a delay and taking a proactive approach to compliance is still the recommended route for forward-thinking MedTech businesses.
This is true for several reasons. Firstly, influential bodies such as the Association of German Notified Bodies (IGNB) and Team NB, representing various European notified bodies, strongly recommend early adoption. Secondly, IEC 81001-5-1 has already been embraced in global markets such as the USA and Japan. In the US, it has been recognized as a consensus standard since 2022, and the Food and Drug Administration’s (FDA) latest guidance (2023) recommends it as a framework for secure product development and maintenance. [3] In Japan, medical device manufacturers have been required to demonstrate conformity to JIS T 81001-5-1 (IEC 81001-5-1) since April 1, 2024. [4]
While medical device manufacturers focus on MDR and IEC 81001-5-1, the suppliers of software and hardware components should also consider the provisions in the EU Cyber Resilience Act (CRA), which came into force in December 2024 with a transition period of 36 months. This is the EU’s response to the threat of cyberattacks on products with digital elements. It will impact the healthcare sector through a variety of non-medical devices, such as apps and cloud services, which are component parts of many medical device ecosystems. They will face similar requirements to medical devices regarding security risk management, life cycle security and security by design principles.
In summary, ensuring conformity to recognized standards for safety and security will help manufacturers and suppliers of MedTech confirm regulatory compliance, reduce liability and differentiate their products in competitive markets.
Brightsight solution
Brightsight, an SGS company, offers comprehensive training, testing, evaluation and certification services to support the MedTech industry in the supply of safe and secure products. Our scope encompasses the entire product life cycle – from design to post-market.
Services include:
- Training and workshops
- Pre-evaluation testing on specific components of the full product
- Technical documentation review
- Conformance testing: vulnerability scans, penetration testing, source code review, etc.
- Certification
We cover all relevant global standards and internationally recognized certification schemes, including:
- IEC TR 60601-4-5
- IEC 81001-5-1
- Association for the Advancement of Medical Instrumentation® (AAMI)
- Cybersecurity Labelling Scheme for Medical Devices (CLS (MD))
- DTSec - Cybersecurity Standard for Connected Diabetes Devices
- Security Evaluation Standard for IoT Platforms (SESIP)
- PSA Certified
- SGS Cybersecurity Mark
With a global network of state-of-the-art facilities, Brightsight is the first choice when seeking compliance with regional requirements, such as those enforced by the US FDA, the China National Medical Products Administration (NMPA) and the EU.
References
[1] Cybersecurity Stats: Facts And Figures You Should Know – Forbes Advisor
[2] Ransomware Attacks Surge in 2023; Attacks on Healthcare Sector Nearly Double
© SGS Société Générale de Surveillance SA.