QbD Group
    MDR & Cybersecurity: What Your Technical File Needs to Prove

    Cybersecurity is a key MDR requirement. Discover what your technical file must include to meet EU cybersecurity expectations for medical devices.

    25 September 2025 · 3 minute read

    Cybersecurity has become a fundamental requirement under the Medical Device Regulation (MDR). Medical device manufacturers must now actively demonstrate robust MDR cybersecurity measures as part of their technical documentation.

    In this blog post, we explore what MDR cybersecurity compliance entails, the common pitfalls to avoid during audits, and best practices to strengthen your technical file.

    What is cybersecurity?

    Cybersecurity is the practice of protecting digital systems, networks, software, and data from unauthorized access, attacks, or damage. It is built on three pillars:

    • People: Trained users practicing secure behaviors.
    • Processes: Policies, incident response plans, and secure development lifecycles.
    • Technology: Encryption, firewalls, authentication systems, and more.

    Ignoring cybersecurity can lead to severe consequences:

    • Exposure of sensitive patient data
    • Financial losses
    • Significant reputational damage
    • Legal implications due to breaches

    …and for manufacturers specifically:

    • Forced rollback/disablement of software functionalities or entire devices (to contain a breach)
    • Delayed releases and costly patch cycles
    • Regulatory non‑compliance (e.g., MDR/FDA) risking market withdrawal or recalls
    • Product liability claims and contract penalties

    The growing cybersecurity threat

    The frequency and sophistication of cyberattacks continue to increase, illustrated by high-profile cases:

    • Global incidents such as WannaCry and NotPetya attacks
    • Major breaches involving Equifax, Yahoo, and healthcare providers like Fresenius and DaVita
    • Recent large-scale incidents affecting millions of individuals in the healthcare sector

    MDR cybersecurity requirements: GSPR Annex I

    The MDR explicitly mandates cybersecurity measures, notably in Annex I:

    • 14.2(d): Devices should minimize risks associated with possible negative interactions between software and the IT environment in which they operate and interact.
    • 17.1: Devices that incorporate electronic programmable systems, including software, or software that is a device in itself, shall be designed to ensure repeatability, reliability, and performance in line with their intended use. In the event of a single fault condition, appropriate means shall be adopted to eliminate or reduce, as far as possible, the consequent risks or impairment of performance.
    • 17.2: Devices should minimize risks associated with possible negative interactions between software and the IT environment.
    • 17.4: Manufacturers must set out minimum requirements concerning hardware, IT network characteristics, and IT security measures, including protection against unauthorized access, necessary to run the software as intended.
    • 18.8: Devices must be designed and manufactured in such a way as to protect, as far as possible, against unauthorized access that could hamper the device from functioning as intended.

    Common cybersecurity pitfalls during MDR audits

    Manufacturers often encounter the following pitfalls:

    • Vague threat models: Generic statements without specific scenarios or mitigations
    • Weak patch policies: Lack of clarity on software updates and security patch handling
    • Missing or non-independent testing: Penetration and vulnerability testing that is absent, or performed by testers who are not independent of the development team
    • Insufficient risk documentation: Cybersecurity risks not clearly integrated into the overall risk management file
    • Insufficient post-market follow-up: Cybersecurity should remain a focus after market approval, pursuant to ISO 81001-5-1

    Best practices for cybersecurity integration

    To proactively address cybersecurity within your medical device lifecycle:

    • Integrate cybersecurity early in product design and align development processes with standards like ISO 81001-5-1, ISO 14971, and IEC 62304
    • Ideally, pursue ISO 27001 certification
    • Embrace secure-by-design and secure coding practices
    • Document cybersecurity threats, vulnerabilities, and mitigations comprehensively
    • Maintain post-market vigilance through regular penetration testing and vulnerability monitoring

    The crucial role of regulatory professionals

    Regulatory professionals serve as critical bridges between regulation and product development. They must ensure:

    • Cybersecurity requirements are clearly defined in design inputs
    • Risks are thoroughly addressed in risk documentation
    • Alignment with MDR, IVDR, FDA guidelines, and relevant international standards

    Key regulations to understand

    To ensure full compliance, regulatory professionals must be familiar with several major regulations:

    • GDPR: EU regulation for data privacy
    • Regulation 2023/2841: EU regulation on cybersecurity across critical sectors
    • HIPAA: U.S. regulation protecting medical information

    FDA guidance on cybersecurity

    Did you know the FDA has released an updated guidance?

    Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

    This guidance underscores the growing regulatory convergence around cybersecurity expectations.

    MDR cybersecurity: an organizational imperative

    Cybersecurity compliance is not just IT’s responsibility—it’s an organizational imperative. Awareness and proactive prevention are critical and significantly more cost-effective than recovery after breaches.

    Ensure your device documentation meets—and exceeds—regulatory expectations.

    Your patients, your business, and your reputation depend on it.

    About the author

    Pieter Smits

    Project Manager at QbD Group

    Pieter is a Project Manager at QbD Group, coordinating multi-disciplinary teams to deliver quality and regulatory consulting projects.