The European Medical Device Regulation (MDR) introduced new, more demanding requirements for medical device cybersecurity, intended to ensure that medical device software is adequately secured at every stage of its lifecycle.
EU MDR 2017/745, the Medical Device Regulation of the European Union, and the MDCG guidance together provide a framework for addressing cybersecurity risks in medical device software (MDSW). The MDR incorporates cybersecurity requirements throughout the regulation, even though it has no separate section devoted to cybersecurity. MDCG guidance documents, particularly MDCG 2019-16, which cover software qualification and classification, cybersecurity for legacy devices, and post-market surveillance, serve to reinforce and clarify these
In modern medicine, cybersecurity is essential to keeping the healthcare system safe for patients. As medical devices become more complex and depend on interconnectivity and advanced systems such as AI, the threat of cyber-attacks is growing exponentially. Cyber threats are not merely an IT problem; they are a patient safety issue. Unauthorized access, data tampering, or service disruption can lead to clinical risks and violate the safety and performance requirements of the EU MDR. In clinics and hospitals, sound cybersecurity also keeps patients from becoming victims of ransomware attacks.
Key Documents Addressing Cybersecurity for Medical Devices
Medical device cybersecurity rules are complex and derived from a variety of laws and guidelines. One of the most important references is Annex I of the EU MDR, which establishes the general safety and performance requirements (GSPRs) for devices that make use of software and electrical systems. Any device that is connected to or reliant on IT systems must meet these requirements.
The General Safety and Performance Requirements (GSPRs) in Annex I of the EU MDR specifically address cybersecurity issues:
- GSPR clause 17.2: Devices must be designed to reduce IT security threats.
- GSPR clause 17.4: Risks related to cyber-attacks must be minimized throughout the device’s lifecycle.
- GSPR clause 23.4: Instructions for use must include information about cybersecurity-related safeguards, so that users are informed of the security measures.
The Medical Device Coordination Group (MDCG) has released guidance to help manufacturers comply with the MDR’s cybersecurity requirements. Along with details on the software design process and risk assessment, this guidance provides insight into pre-market and post-market cybersecurity requirements.
In addition to the MDR, manufacturers must also consider other regulations like:
- GDPR (General Data Protection Regulation): This law regulates how personal data of EU residents must be handled, with a focus on securing sensitive health information.
- NIS 2 Directive: This EU-wide law, effective since 2023, sets cybersecurity standards for critical sectors, including healthcare.
- EU AI Act (2024/1689): This legal framework regulating artificial intelligence ensures that AI systems placed on the EU market are safe, transparent, and respect fundamental rights, while promoting innovation.
Key Cybersecurity Requirements
MDCG 2019-16 provides important guidelines on “Medical device cybersecurity.” Key cybersecurity requirements for medical device software are established by the MDR and MDCG guidelines as follows:
- Risk Management and Design Controls (Annex I, MDR)
A risk management procedure is necessary for manufacturers to recognize and reduce any cybersecurity threats. Risk management must be incorporated by manufacturers at every stage of the product lifecycle. This involves identifying the software’s risks, hazards, and vulnerabilities and taking measures to mitigate them through safe design and manufacturing, as stated in Annex I, Chapter I, Section 3.
The risk analysis should incorporate cybersecurity-specific hazards, including ransomware attacks, data breaches, and unauthorized access. Here, ISO/IEC 80001 for networked medical devices is frequently used along with ISO/IEC 14971 for risk management in medical devices.
- Security by Design and Default (MDCG 2019-16)
Manufacturers must incorporate security from the beginning when designing and developing software for medical devices. With so many regulations to follow, it is important to think about cybersecurity from the start of development. The most secure and compliant products are those built with security in mind from day one, a concept known as secure by design. This means manufacturers need to consider cybersecurity not just during development but throughout the entire life of the device: the design and development phases, risk management processes, clinical evaluations, and ongoing post-market surveillance activities.
MDCG guidance emphasizes “security by design”, meaning cybersecurity must be considered from the early stages of product development. This includes the use of secure communication protocols, encryption, and secure coding techniques.
- Software Lifecycle Processes (IEC 62304)
Medical device software must comply with IEC 62304, which sets the requirements for the software development lifecycle. The standard emphasizes software maintenance, problem resolution, and configuration management, each of which has direct implications for cybersecurity.
Updates, patches, and vulnerability disclosures must be managed by developers using a systematic change control procedure and documented secure coding principles.
- Post-Market Surveillance and Vigilance (Articles 83–86, MDR)
Manufacturers must establish a post-market surveillance system that includes monitoring for cybersecurity vulnerabilities, handling security incidents, and implementing timely corrective actions such as patches or software updates. A PMS system consists of actively and routinely gathering experience from devices placed on the market (including their third-party software and hardware components), reviewing it, and promptly implementing any necessary corrective action while taking the device’s risks and nature into consideration.
This includes:
- Tracking cybersecurity incidents and near-misses
- Monitoring new vulnerabilities (e.g., via Common Vulnerabilities and Exposures (CVE) databases)
- Reporting serious incidents to national competent authorities within timelines defined under Article 87
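The vulnerability-monitoring step above can be made routine by comparing the device's software bill of materials (SBOM) against advisory feeds on a schedule. The following added example (not code from the original article or from any regulator) does this for a hypothetical device build against a constructed, offline advisory feed; the component names, version numbers and advisory identifiers are placeholders, not real CVE entries, and the "escalate at high or above" rule is an assumed PMS policy, not something the MDR prescribes.

```python
"""Added example: SBOM-against-advisory-feed check for post-market surveillance.
All components, versions and advisory IDs below are constructed placeholders."""
from dataclasses import dataclass

# Ordering used to sort and to decide what needs an immediate PMS review.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder, not a real CVE number
    component: str
    affected_below: str   # every version strictly below this one is affected
    severity: str         # "critical" | "high" | "medium" | "low"


def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); a '-rc1' style suffix is ignored for comparison."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


# Constructed SBOM for a hypothetical infusion-pump controller build.
DEVICE_SBOM = {
    "tls-lib": "1.2.3",
    "json-parser": "2.0.0",
    "rtos-kernel": "5.1.0",
}

# Constructed advisory feed standing in for an export from a CVE database.
ADVISORY_FEED = [
    Advisory("ADV-0001", "tls-lib", "1.2.6", "critical"),
    Advisory("ADV-0002", "json-parser", "2.0.0", "high"),      # fixed in 2.0.0, so not a hit
    Advisory("ADV-0003", "rtos-kernel", "5.1.3", "medium"),
    Advisory("ADV-0004", "bluetooth-stack", "3.0.0", "critical"),  # component not in this SBOM
]


def match_advisories(sbom: dict, feed: list) -> list:
    """Return advisories that apply to a component version in the SBOM,
    most severe first."""
    hits = []
    for adv in feed:
        installed = sbom.get(adv.component)
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.affected_below):
            hits.append(adv)
    hits.sort(key=lambda a: SEVERITY_RANK[a.severity], reverse=True)
    return hits


def triage(sbom: dict, feed: list, escalate_at: str = "high") -> dict:
    """Split matches into those needing an immediate PMS review (assessment
    against the serious-incident criteria, corrective action, patch planning)
    and those tracked routinely. The threshold is an assumed policy setting."""
    threshold = SEVERITY_RANK[escalate_at]
    report = {"escalate": [], "routine": []}
    for adv in match_advisories(sbom, feed):
        bucket = "escalate" if SEVERITY_RANK[adv.severity] >= threshold else "routine"
        report[bucket].append(adv.advisory_id)
    return report


if __name__ == "__main__":
    for adv in match_advisories(DEVICE_SBOM, ADVISORY_FEED):
        print(f"{adv.severity:>8}  {adv.advisory_id}  {adv.component} "
              f"{DEVICE_SBOM[adv.component]} (fixed in {adv.affected_below})")
    print(triage(DEVICE_SBOM, ADVISORY_FEED))
```

Keeping the SBOM as data (rather than rediscovering components at review time) is what makes the check repeatable across the device's lifetime, and recording each run gives the documented evidence a PMS file needs.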
- Software Updates and Legacy Device Considerations
Manufacturers must provide regular security updates and maintenance to ensure that the software remains secure and up to date.
The MDCG guidelines acknowledge the difficulty of updating security measures for legacy devices that are already on the market. Manufacturers are still expected to reduce known cybersecurity risks, though, by updating software, changing labels, or communicating the risks to users.
Key Cybersecurity Testing Activities Required by MDR
Device development must adhere to the “state of the art,” according to MDR guidelines. Here, “state of the art” refers to generally recognized and accepted technologies rather than to the newest advancements that might improve patient benefits.
Throughout the device’s life cycle, manufacturers are expected to proactively address potential threats and vulnerabilities. Before and after a device is put on the market, verification and validation (V&V) testing is necessary as part of the development process. This testing provides assurance that devices fulfill the required safety standards and helps identify security flaws. To assess a device’s security, techniques like the following are used:
- Security Feature Testing: Ensure that features like access controls, encryption, and authentication function as intended.
- Fuzz Testing: Sending malformed, unexpected, or random data to the system and observing how it reacts, to find weak points or crash conditions.
- Penetration testing: Evaluates how easily an attacker could exploit vulnerabilities by simulating actual cyberattacks.
- Vulnerability scanning: This process finds known flaws in software configurations or components using automated tools.
As part of continuous post-market surveillance, these tests are crucial both before and after the device is put on the market. To maintain compliance and patient safety, the MDR mandates that manufacturers monitor, evaluate, and react to new cybersecurity threats.
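The fuzz-testing item above is the one most easily turned into a repeatable V&V artefact. The following added example (not code from the original article) is a small harness of that kind: it mutates a valid input frame and classifies the parser's reaction, treating the parser's own deliberate rejection (ValueError) as correct behaviour and any other exception as a defect. The telemetry frame format, the parsers and the sample payload are all constructed for the example; the "trusting" parser exists only to show what the harness catches.

```python
"""Added example: a seed-based fuzz harness for a constructed device telemetry
frame parser. Frame layout (constructed): [version][length][payload...][xor checksum]."""
import random

FRAME_VERSION = 1


def build_frame(payload: bytes) -> bytes:
    """Encode a payload into a well-formed frame (constructed format)."""
    if len(payload) > 255:
        raise ValueError("payload too long for one-byte length field")
    body = bytes([FRAME_VERSION, len(payload)]) + payload
    checksum = 0
    for b in body:
        checksum ^= b
    return body + bytes([checksum])


def parse_frame(data: bytes) -> dict:
    """Hardened parser: every field is bounds-checked before it is read, and
    malformed input is always rejected with ValueError, never with a crash."""
    if len(data) < 3:
        raise ValueError("frame too short")
    version, length = data[0], data[1]
    if version != FRAME_VERSION:
        raise ValueError("unsupported version")
    if len(data) != 3 + length:
        raise ValueError("length field does not match frame size")
    payload = data[2:2 + length]
    expected = 0
    for b in data[:2 + length]:
        expected ^= b
    if data[2 + length] != expected:
        raise ValueError("checksum mismatch")
    return {"version": version, "payload": payload}


def trusting_parse_frame(data: bytes) -> dict:
    """Deliberately weak parser kept for comparison: it trusts the length
    field, so short or truncated frames make it read past the end (IndexError)."""
    version, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]
    expected = 0
    for b in data[:2 + length]:
        expected ^= b
    if version != FRAME_VERSION or checksum != expected:
        raise ValueError("rejected")
    return {"version": version, "payload": payload}


def fuzz_parser(parse, seed_frame: bytes, iterations: int = 2000, rng_seed: int = 42) -> dict:
    """Mutate the seed frame (bit flips, truncation, extension, fully random
    bytes) and classify each outcome. A fixed RNG seed keeps the run
    reproducible, which matters when a failure has to be re-created for a
    defect report."""
    rng = random.Random(rng_seed)
    result = {"accepted": 0, "rejected": 0, "unexpected": []}
    for _ in range(iterations):
        frame = bytearray(seed_frame)
        op = rng.choice(["flip", "truncate", "extend", "random"])
        if op == "flip":
            idx = rng.randrange(len(frame))
            frame[idx] ^= 1 << rng.randrange(8)
        elif op == "truncate":
            del frame[rng.randrange(len(frame)):]
        elif op == "extend":
            frame += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        else:
            frame = bytearray(rng.randrange(256) for _ in range(rng.randrange(0, 40)))
        try:
            parse(bytes(frame))
            result["accepted"] += 1
        except ValueError:
            result["rejected"] += 1          # controlled rejection: the parser did its job
        except Exception as exc:             # anything else is a crash to report
            result["unexpected"].append((bytes(frame), repr(exc)))
    return result


SEED_FRAME = build_frame(b"HR=72;SpO2=98")  # constructed sample telemetry payload

if __name__ == "__main__":
    for name, parser in (("hardened", parse_frame), ("trusting", trusting_parse_frame)):
        r = fuzz_parser(parser, SEED_FRAME)
        print(f"{name}: accepted={r['accepted']} rejected={r['rejected']} "
              f"unexpected={len(r['unexpected'])}")
```

The recorded inputs in `unexpected` are the evidence that goes into the problem-resolution process: each one reproduces the failure on its own, which is what makes the finding actionable for the development team and traceable in the technical documentation.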
Key Cybersecurity Concepts in Medical Device Development
MDCG guidance highlights three main areas of cybersecurity that manufacturers should focus on:
- IT Security: Protecting devices from interference or tampering that disrupts their operation.
- Operational Security: Ensuring that workflows and procedures are protected from intentional disruption.
- Information Security: Safeguarding sensitive data against unauthorized access or theft.
Manufacturers are advised to adopt a defense-in-depth strategy, which involves multiple layers of security across the device’s lifecycle, from installation to maintenance. This includes practices like secure design, regular security updates, and robust testing to catch vulnerabilities early.
Operational Considerations and User Communication
Manufacturers must specify and convey, through the device’s Instructions for Use (IFU), the minimum IT requirements needed to run the device securely. The IFU should also contain instructions on how to manage security risks and the IT environment in which the device will be used. However, the field of cybersecurity in the healthcare industry is always changing. Manufacturers must remain flexible and ready to update their software and to inform patients and medical professionals about these changes. Because different people will use the device in different ways, it is crucial that everyone using the software is aware of the security features and of their own responsibilities in maintaining them.
Balancing Cybersecurity with Device Usability
Manufacturers must consider the usability and efficacy of a device, even though robust cybersecurity measures are essential. If security measures are too stringent, healthcare professionals may find it difficult to use the device when necessary, particularly in emergency situations.
Taking the risks into consideration is crucial to achieving the right balance. The purpose of the device and the different users interacting with it should be clearly understood when designing security controls. For example, even if a device normally requires robust security measures, healthcare providers may need quick access to it in order to provide urgent care.
Conclusion
Cybersecurity is now a crucial part of medical device safety under EU MDR. Manufacturers are required to incorporate cybersecurity into all phases of the product lifecycle, in addition to making sure that the MDR and MDCG guidelines are followed. By adhering to secure-by-design principles and keeping a proactive, adaptable approach, manufacturers can navigate complex regulations, protect patient safety, and defend their devices against evolving threats.
Sinu Susan Jacob (M. Tech)
Sr. Consultant, MDR Technical Expert